joao.goncalves
/
NgixProxy_Pathfinder
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Integrate OWASP CRS v4 and Anti-Brute Force Security Rules

This commit is contained in:
João Pedro Toledo Goncalves 2026-02-07 13:48:47 -03:00
parent 93d0324426
commit 42a9ea5582
57 changed files with 21817 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
nginx/modsec/app_specific_modsec_tuning.conf
View File

@ -3,6 +3,11 @@
# ==========================================================================
# Este arquivo centraliza as exceções e ajustes para garantir o funcionamento
# de aplicações críticas sem comprometer a segurança global.
### 5. Configuração de DLP (Data Loss Prevention)
- **Fase**: Phase 4 (Headers) e Phase 5 (Body).
- **Escopo**: **Crítico!** As regras de DLP serão aplicadas apenas em domínios/URLs que NÃO deveriam exibir dados sensíveis.
- **Exclusão**: Sistemas que precisam exibir dados (ex: ERP, CRM) serão excluídos via `ctl:ruleRemoveByTag='DLP'`.
- **Ação**: `deny` (bloqueio total) ou `replace` (mascaramento ex: `***.***.***-XX`).
# IDs de regras customizadas: 10000 - 10999
# ==========================================================================
@ -56,8 +61,18 @@ SecRule REQUEST_URI "@rx ^/(veeam|VeeamBackup)/" \
"id:10006,phase:1,nolog,pass,ctl:ruleEngine=Off,msg:'TUNING: Veeam Console Bypass'"
# --------------------------------------------------------------------------
# 8. WORDPRESS (Tuning Adicional)
# --------------------------------------------------------------------------
# O plugin oficial cuida do básico, aqui adicionamos regras se necessário.
# Exemplo: Permitir XML-RPC se necessário (com cautela)
# SecRule REQUEST_URI "@streq /xmlrpc.php" "id:10007,phase:1,nolog,pass,ctl:ruleEngine=Off"
# 9. ANTI-BRUTE FORCE (Global)
# --------------------------------------------------------------------------
# Inicializa coleção por IP
SecAction "id:10100,phase:1,nolog,pass,initcol:ip=%{remote_addr}"
# Monitora tentativas de login (POST em páginas comuns)
SecRule REQUEST_METHOD "@streq POST" \
"id:10101,phase:1,nolog,pass,chain"
SecRule REQUEST_URI "@rx (login|wp-login|signin|authenticate)" \
"setvar:ip.login_counter=+1,expirevar:ip.login_counter=120"
# Bloqueia se passar de 5 tentativas em 2 minutos
SecRule ip.login_counter "@gt 5" \
"id:10102,phase:1,deny,status:429,msg:'BRUTE FORCE: IP temporariamente bloqueado',tag:'SECURITY',tag:'BRUTE_FORCE'"

32
nginx/modsec/modsecurity.conf-recommended Normal file
View File

@ -0,0 +1,32 @@
# ModSecurity Recommended Configuration
# --- Basic Config ---
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecResponseBodyAccess Off
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
# --- Filesystem / Audit Log ---
SecTmpDir /tmp/
SecDataDir /tmp/
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHKZ
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log
# --- Argument Parsing ---
SecArgumentSeparator &
SecCookieFormat 0
SecUnicodeMapFile /etc/nginx/modsec/unicode.mapping 20127
# --- Status & Response ---
SecStatusEngine On

910
nginx/modsec/owasp-crs/crs-setup.conf Normal file
View File

@ -0,0 +1,910 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -- [[ Introduction ]] --------------------------------------------------------
#
# The OWASP CRS is a set of generic attack
# detection rules that provide a base level of protection for any web
# application. They are written for the open source, cross-platform
# ModSecurity Web Application Firewall.
#
# See also:
# https://coreruleset.org/
# https://github.com/coreruleset/coreruleset
# https://owasp.org/www-project-modsecurity-core-rule-set/
#
#
# -- [[ System Requirements ]] -------------------------------------------------
#
# CRS requires ModSecurity version 2.8.0 or above.
# We recommend to always use the newest ModSecurity version.
#
# The configuration directives/settings in this file are used to control
# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
# ModSecurity settings (modsecurity.conf) such as SecRuleEngine,
# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing.
#
# The CRS assumes that modsecurity.conf has been loaded. It is bundled with
# ModSecurity. If you don't have it, you can get it from:
# 2.x: https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v2/master/modsecurity.conf-recommended
# 3.x: https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended
#
# The order of file inclusion in your webserver configuration should always be:
# 1. modsecurity.conf
# 2. crs-setup.conf (this file)
# 3. rules/*.conf (the CRS rule files)
#
# Please refer to the INSTALL file for detailed installation instructions.
#
#
# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] ---------------
#
# The CRS can run in two modes:
#
# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.
#
# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.
#
# -- [[ Alert Logging Control ]] --
# In the mode configuration, you must also adjust the desired logging options.
# There are three common options for dealing with logging. By default CRS enables
# logging to the webserver error log (or Event viewer) plus detailed logging to
# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf).
#
# - To log to both error log and ModSecurity audit log file, use: "log,auditlog"
# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog"
# - To log *only* to the error log file, use: "log,noauditlog"
#
# Examples for the various modes follow.
# You must leave one of the following options enabled.
# Note that you must specify the same line for phase:1 and phase:2.
#
# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
# - By default, offending requests are blocked with an error 403 response.
# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
# and review section 'Changing the Disruptive Action for Anomaly Mode'.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
# Example: Anomaly Scoring mode, log only to ModSecurity audit log
# - By default, offending requests are blocked with an error 403 response.
# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
# and review section 'Changing the Disruptive Action for Anomaly Mode'.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
# SecDefaultAction "phase:1,nolog,auditlog,pass"
# SecDefaultAction "phase:2,nolog,auditlog,pass"
# Example: Self-contained mode, return error 403 on blocking
# - In this configuration the default disruptive action becomes 'deny'. After a
# rule triggers, it will stop processing the request and return an error 403.
# - You can also use a different error status, such as 404, 406, et cetera.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
# Example: Self-contained mode, redirect back to homepage on blocking
# - In this configuration the 'tag' action includes the Host header data in the
# log. This helps to identify which virtual host triggered the rule (if any).
# - Note that this might cause redirect loops in some situations; for example
# if a Cookie or User-Agent header is blocked, it will also be blocked when
# the client subsequently tries to access the homepage. You can also redirect
# to another custom URL.
# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
#
# -- [[ Paranoia Level Initialization ]] ---------------------------------------
#
# The Paranoia Level (PL) setting allows you to choose the desired level
# of rule checks that will add to your anomaly scores.
#
# With each paranoia level increase, the CRS enables additional rules
# giving you a higher level of security. However, higher paranoia levels
# also increase the possibility of blocking some legitimate traffic due to
# false alarms (also named false positives or FPs). If you use higher
# paranoia levels, it is likely that you will need to add some exclusion
# rules for certain requests and applications receiving complex input.
#
# - A paranoia level of 1 is default. In this level, most core rules
# are enabled. PL1 is advised for beginners, installations
# covering many different sites and applications, and for setups
# with standard security requirements.
# At PL1 you should face FPs rarely. If you encounter FPs, please
# open an issue on the CRS GitHub site and don't forget to attach your
# complete Audit Log record for the request with the issue.
# - Paranoia level 2 includes many extra rules, for instance enabling
# many regexp-based SQL and XSS injection protections, and adding
# extra keywords checked for code injections. PL2 is advised
# for moderate to experienced users desiring more complete coverage
# and for installations with elevated security requirements.
# PL2 comes with some FPs which you need to handle.
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
# limits on special characters used. PL3 is aimed at users experienced
# at the handling of FPs and at installations with a high security
# requirement.
# - Paranoia level 4 further restricts special characters.
# The highest level is advised for experienced users protecting
# installations with very high security requirements. Running PL4 will
# likely produce a very high number of FPs which have to be
# treated before the site can go productive.
#
# All rules will log their PL to the audit log;
# example: [tag "paranoia-level/2"]. This allows you to deduct from the
# audit log how the WAF behavior is affected by paranoia level.
#
# It is important to also look into the variable
# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
# defined below. Enabling it closes a possible bypass of CRS.
#
# Uncomment this rule to change the default:
#
SecAction \
"id:900000,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:tx.blocking_paranoia_level=1"
# It is possible to execute rules from a higher paranoia level but not include
# them in the anomaly scoring. This allows you to take a well-tuned system on
# paranoia level 1 and add rules from paranoia level 2 without having to fear
# the new rules would lead to false positives that raise your score above the
# threshold.
# This optional feature is enabled by uncommenting the following rule and
# setting the tx.detection_paranoia_level.
# Technically, rules up to the level defined in tx.detection_paranoia_level
# will be executed, but only the rules up to tx.blocking_paranoia_level affect the
# anomaly scores.
# By default, tx.detection_paranoia_level is set to tx.blocking_paranoia_level.
# tx.detection_paranoia_level must not be lower than tx.blocking_paranoia_level.
#
# Please notice that setting tx.detection_paranoia_level to a higher paranoia
# level results in a performance impact that is equally high as setting
# tx.blocking_paranoia_level to said level.
#
#SecAction \
# "id:900001,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.detection_paranoia_level=1"
#
# -- [[ Enforce Body Processor URLENCODED ]] -----------------------------------
#
# ModSecurity selects the body processor based on the Content-Type request
# header. But clients are not always setting the Content-Type header for their
# request body payloads. This will leave ModSecurity with limited vision into
# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the
# URLENCODED body processor in these situations. This is off by default, as it
# implies a change of the behaviour of ModSecurity beyond CRS (the body
# processor applies to all rules, not only CRS) and because it may lead to
# false positives already on paranoia level 1. However, enabling this variable
# closes a possible bypass of CRS so it should be considered.
#
# Uncomment this rule to change the default:
#
#SecAction \
# "id:900010,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.enforce_bodyproc_urlencoded=1"
#
# -- [[ Anomaly Scoring Mode Severity Levels ]] --------------------------------
#
# Each rule in the CRS has an associated severity level.
# These are the default scoring points for each severity level.
# These settings will be used to increment the anomaly score if a rule matches.
# You may adjust these points to your liking, but this is usually not needed.
#
# - CRITICAL severity: Anomaly Score of 5.
# Mostly generated by the application attack rules (93x and 94x files).
# - ERROR severity: Anomaly Score of 4.
# Generated mostly from outbound leakage rules (95x files).
# - WARNING severity: Anomaly Score of 3.
# Generated mostly by malicious client rules (91x files).
# - NOTICE severity: Anomaly Score of 2.
# Generated mostly by the protocol rules (92x files).
#
# In anomaly mode, these scores are cumulative.
# So it's possible for a request to hit multiple rules.
#
# (Note: In this file, we use 'phase:1' to set CRS configuration variables.
# In general, 'phase:request' is used. However, we want to make absolutely sure
# that all configuration variables are set before the CRS rules are processed.)
#
#SecAction \
# "id:900100,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.critical_anomaly_score=5,\
# setvar:tx.error_anomaly_score=4,\
# setvar:tx.warning_anomaly_score=3,\
# setvar:tx.notice_anomaly_score=2"
#
# -- [[ Anomaly Scoring Mode Blocking Threshold Levels ]] ----------------------
#
# Here, you can specify at which cumulative anomaly score an inbound request,
# or outbound response, gets blocked.
#
# Most detected inbound threats will give a critical score of 5.
# Smaller violations, like violations of protocol/standards, carry lower scores.
#
# [ At default value ]
# If you keep the blocking thresholds at the defaults, the CRS will work
# similarly to previous CRS versions: a single critical rule match will cause
# the request to be blocked and logged.
#
# [ Using higher values ]
# If you want to make the CRS less sensitive, you can increase the blocking
# thresholds, for instance to 7 (which would require multiple rule matches
# before blocking) or 10 (which would require at least two critical alerts - or
# a combination of many lesser alerts), or even higher. However, increasing the
# thresholds might cause some attacks to bypass the CRS rules or your policies.
#
# [ New deployment strategy: Starting high and decreasing ]
# It is a common practice to start a fresh CRS installation with elevated
# anomaly scoring thresholds (>100) and then lower the limits as your
# confidence in the setup grows. You may also look into the Sampling
# Percentage section below for a different strategy to ease into a new
# CRS installation.
#
# [ Anomaly Threshold / Paranoia Level Quadrant ]
#
# High Anomaly Limit | High Anomaly Limit
# Low Paranoia Level | High Paranoia Level
# -> Fresh Site | -> Experimental Site
# ------------------------------------------------------
# Low Anomaly Limit | Low Anomaly Limit
# Low Paranoia Level | High Paranoia Level
# -> Standard Site | -> High Security Site
#
# Uncomment this rule to change the defaults:
#
SecAction \
"id:900110,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:tx.inbound_anomaly_score_threshold=5,\
setvar:tx.outbound_anomaly_score_threshold=4"
#
# -- [[ Application Specific Rule Exclusions ]] --------------------------------
#
# CRS 3.x contained exclusion packages to tweak the CRS for use with common
# web applications, lowering the number of false positives.
#
# In CRS 4, these are no longer part of the CRS itself, but they are available
# as "CRS plugins". Some plugins improve support for web applications, and others
# may bring new functionality. Plugins are not installed by default, but can be
# downloaded from the plugin registry:
# https://github.com/coreruleset/plugin-registry
#
# For detailed information about using and installing plugins, please see:
# https://coreruleset.org/docs/concepts/plugins/
#
# -- [[ Anomaly Score Reporting Level ]] ---------------------------------------
#
# When a request is blocked due to the anomaly score meeting or exceeding the
# anomaly threshold then the blocking rule will also report the anomaly score.
# This applies to the separate inbound and outbound anomaly scores.
#
# In phase 5, there are additional rules that can perform additional reporting
# of anomaly scores with a verbosity that depends on the reporting level defined
# below.
#
# By setting the reporting level you control whether you want additional
# reporting beyond the blocking rule or not and, if yes, which requests should
# be covered. The higher the reporting level, the more verbose the reporting is.
#
# There are 6 reporting levels:
#
# 0 - Reporting disabled
# 1 - Reporting for requests with a blocking anomaly score >= a threshold
# 2 - Reporting for requests with a detection anomaly score >= a threshold
# 3 - Reporting for requests with a blocking anomaly score greater than 0
# 4 - Reporting for requests with a detection anomaly score greater than 0
# 5 - Reporting for all requests
#
# Note: Reporting levels 1 and 2 make it possible to differentiate between
# requests that are blocked and requests that are *not* blocked but would have
# been blocked if the blocking PL was equal to detection PL. This may be useful
# for certain FP tuning methodologies, for example moving to a higher PL.
#
# A value of 5 can be useful on platforms where you are interested in logging
# non-scoring requests, yet it is not possible to report this information in
# the request/access log. This applies to Nginx, for example.
#
#SecAction \
# "id:900115,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.reporting_level=4"
#
# -- [[ Early Anomaly Scoring Mode Blocking ]] ------------------------------
#
# The anomaly scores for the request and the responses are generally summed up
# and evaluated at the end of phase:2 and at the end of phase:4 respectively.
# However, it is possible to enable an early evaluation of these anomaly scores
# at the end of phase:1 and at the end of phase:3.
#
# If a request (or a response) hits the anomaly threshold in this early
# evaluation, then blocking happens immediately (if blocking is enabled) and
# the phase 2 (and phase 4 respectively) will no longer be executed.
#
# Enable the rule 900120 that sets the variable tx.early_blocking to 1 in order
# to enable early blocking. The variable tx.early_blocking is set to 0 by
# default. Early blocking is thus disabled by default.
#
# Please note that early blocking will hide potential alerts from you. This
# means that a payload that would appear in an alert in phase 2 (or phase 4)
# does not get evaluated if the request is being blocked early. So when you
# disabled early blocking again at some point in the future, then new alerts
# from phase 2 might pop up.
#SecAction \
# "id:900120,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.early_blocking=1"
#
# -- [[ Initialize Default Collections ]] -----------------------------------
#
# CRS provides a centralized option to initialize and populate collections
# meant to be used by plugins (E.g.DoS protection plugin).
# By default, Global and IP collections (see rule 901320),
# being not used by core rules, are not initialized.
#
# Uncomment this rule to change the default:
#
#SecAction \
# "id:900130,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.enable_default_collections=1"
#
# -- [[ HTTP Policy Settings ]] ------------------------------------------------
#
# This section defines your policies for the HTTP protocol, such as:
# - allowed HTTP versions, HTTP methods, allowed request Content-Types
# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy)
#
# These variables are used in the following rule files:
# - REQUEST-911-METHOD-ENFORCEMENT.conf
# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf
# HTTP methods that a client is allowed to use.
# Default: GET HEAD POST OPTIONS
# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE
# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
# Uncomment this rule to change the default.
#
# The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL.
# If enabled, an attacker may be able to inject arbitrary, and potentially malicious, content into the application or on to the file system of the web server.
# Depending on the server's configuration, this may lead to compromise of other users (by uploading
# client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.
# For this reason, the PUT method is disabled by default.
# GET, HEAD, POST and OPTIONS are seen as the minimal set of HTTP methods
# from a security perspective. For static sites, removing the POST is
# recommended. Add other HTTP methods as seen fit (see above).
#
SecAction \
"id:900200,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
#
# -- [[ HTTP Method Override Parameter ]] -------------------------------------
#
# Many web frameworks (Laravel, Rails, Symfony, CakePHP, Express.js, etc.)
# support overriding the HTTP method via a _method parameter in the query
# string or request body. This allows HTML forms to simulate PUT, PATCH,
# and DELETE requests.
#
# While this is legitimate framework behavior, it can be abused for:
# - WAF bypass (sending POST with _method=DELETE)
# - CSRF attacks bypassing SameSite=Lax cookie restrictions
# - Method-based ACL bypass
#
# By default, CRS blocks _method parameter usage at PL2+. If your application
# legitimately uses the _method parameter for method override, you can allow
# it by uncommenting the rule below.
#
# Note: The X-HTTP-Method-Override header is handled separately by rule 920450.
#
# Uncomment this rule to ALLOW _method parameter for method override:
#
#SecAction \
# "id:900210,\
# phase:1,\
# pass,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:'tx.allow_method_override_parameter=1'"
# Content-Types that a client is allowed to send in a request.
# Default: |application/x-www-form-urlencoded| |multipart/form-data| |text/xml|
# |application/xml| |application/soap+xml| |application/json|
#
# Please note, that the rule where CRS uses this variable (920420) evaluates it with operator
# `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom
# Content-Type with lowercase.
#
# Bypass Warning: some applications may not rely on the content-type request header in order
# to parse the request body. This could make an attacker able to send malicious URLENCODED/JSON/XML
# payloads without being detected by the WAF. Allowing request content-type that doesn't activate any
# body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc..)
# could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain"
# content type may still be interpreted as JSON by a backend application but would not trigger the
# JSON body parser at the WAF, leading to a bypass. To avoid bypasses, you must enable the appropriate
# body parser based on the expected data in the request bodies (For example JSON for JSON data, XML for XML data, etc).
#
# When additional JSON content types are legitimately used in a deployment,
# e.g. application/cloudevents+json, it is extremely important to ensure that a
# rule exists to enable the engine's JSON body processor for these additional
# JSON content types. Failure to do so can lead to a request body bypass. The
# default JSON rule in modsecurity.conf-recommended (200001) will only activate
# the JSON body processor for the specific content type application/json. The
# optional modsecurity.conf-recommended rule 200006 can be used to enable the
# JSON body processor for a wide variety of JSON content types.
#
# To prevent blocking request with not allowed content-type by default, you can create an exclusion
# rule that removes rule 920420. It's important that you enable the correct body parser when allowing
# an additional content type to prevent bypasses. For example, this rule enables the JSON body processor
# for the text/plain content type:
#SecRule REQUEST_HEADERS:Content-Type "@beginsWith text/plain" \
# "id:1234,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# chain"
# SecRule REQUEST_URI "@rx ^/foo/bar" \
# "t:none,\
# ctl:ruleRemoveById=920420,\
# ctl:requestBodyProcessor=JSON"
#
# See: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#ctl
# See: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#ctl
#
# Uncomment this rule to change the default.
#
#SecAction \
# "id:900220,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'"
# Allowed HTTP versions.
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0
# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0
# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so
# we include both version strings by default.
# Uncomment this rule to change the default.
#SecAction \
# "id:900230,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Forbidden file extensions.
# Guards against unintended exposure of development/configuration files.
# Default: .ani/ .asa/ .asax/ .ascx/ .back/ .backup/ .bak/ .bck/ .bk/ .bkp/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .cnf/ .com/ .compositefont/ .config/ .conf/ .copy/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jks/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .sav/ .save/ .scr/ .sct/ .sh/ .shs/ .sql/ .sqlite/ .sqlite3/ .swap/ .swo/ .swp/ .sys/ .temp/ .tfstate/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/
# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
# Note that .axd was removed due to false positives (see PR 1925).
#
# To additionally guard against configuration/install archive files from being
# accidentally exposed, common archive file extensions can be added to the
# restricted extensions list. An example list of common archive file extensions
# is presented below:
# .7z/ .br/ .bz/ .bz2/ .cab/ .cpio/ .gz/ .img/ .iso/ .jar/ .rar/ .tar/ .tbz2/ .tgz/ .txz/ .xz/ .zip/ .zst/
# (Source: https://en.wikipedia.org/wiki/List_of_archive_formats)
#
# Uncomment this rule to change the default.
#SecAction \
# "id:900240,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .back/ .backup/ .bak/ .bck/ .bk/ .bkp/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .cnf/ .com/ .compositefont/ .config/ .conf/ .copy/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jks/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .sav/ .save/ .scr/ .sct/ .sh/ .shs/ .sql/ .sqlite/ .sqlite3/ .swap/ .swo/ .swp/ .sys/ .temp/ .tfstate/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'"
# Restricted request headers.
# The HTTP request headers that CRS restricts are split into two categories:
# basic (always forbidden) and extended (may be forbidden). All header names
# should be lowercase and enclosed by /slashes/ as delimiters.
#
# [ Basic ]
# Includes deprecated headers and headers with known security risks. Always
# forbidden.
# Default: /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/ /expect/
#
# /content-encoding/
# Used to list any encodings that have been applied to the original payload.
# Only used for compression, which isn't supported by CRS by default since CRS
# blocks newlines and null bytes inside the request body. Most compression
# algorithms require at least null bytes per RFC. Blocking Content-Encoding
# shouldn't break anything and increases security since WAF engines, including
# ModSecurity, are typically incapable of properly scanning compressed request
# bodies.
#
# /proxy/
# Blocking this prevents the 'httpoxy' vulnerability: https://httpoxy.org
#
# /lock-token/
#
# /content-range/
#
# /if/
#
# /x-http-method-override/
# /x-http-method/
# /x-method-override/
# Blocking these headers prevents method override attacks, as described here:
# https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it
#
# /x-middleware-subrequest/
# CVE-2025-29927 (Next.js)
#
# /expect/
# Blocking this header prevents Expect-based desync attacks
# https://portswigger.net/research/http1-must-die#expect-based-desync-attacks.
#
# The `System.Net.HttpWebRequest` library in .Net uses this header. Use of the header
# can be disabled by setting `ServicePointManager.Expect100Continue` to `false`
# (see https://learn.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.expect100continue?view=net-10.0).
#
# Uncomment this rule to change the default.
#SecAction \
# "id:900250,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/ /expect/'"
#
# [ Extended ]
# Includes deprecated headers that are still in use (so false positives are
# possible) and headers with possible security risks. Forbidden at a higher
# paranoia level.
# Default: /accept-charset/
#
# /accept-charset/
# Deprecated header that should not be used by clients and should be ignored
# by servers. Can be used for a response WAF bypass by asking for a charset
# that the WAF cannot decode. Considered to be a good indicator of suspicious
# behavior but produces too many false positives to be forbidden by default.
# References:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset
# https://github.com/coreruleset/coreruleset/issues/3140
#
# Uncomment this rule to change the default.
#SecAction \
# "id:900255,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Content-Types charsets that a client is allowed to send in a request.
# The content-types are enclosed by |pipes| as delimiters to guarantee exact matches.
#
# You can add additional character sets if something more exotic is required. One caveat: you will also need to edit 'regex-assembly/include/allowed-charsets.ra' and rebuild all the associated regular expressions using `crs-toolchain regex update --all`. See https://coreruleset.org/docs/6-development/6-2-crs-toolchain/.
#
# Warning: If the WAF engine is unable to fully and correctly decode a newly added character encoding then this can lead to a full request body or response body bypass. Additional permitted character encodings should be added with caution and tested to ensure inspection is not affected.
#
# Default: |utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|
# Uncomment this rule to change the default.
#SecAction \
# "id:900280,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
#
# -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
#
# Here you can define optional limits on HTTP get/post parameters and uploads.
# This can help to prevent application specific DoS attacks.
#
# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
# Beware of blocking legitimate traffic when enabling these limits.
#
# Block request if number of arguments is too high
# Default: unlimited
# Example: 255
# Note that a hard limit by the engine may also apply here (SecArgumentsLimit).
# This would override this soft limit.
# Uncomment this rule to set a limit.
#SecAction \
# "id:900300,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.max_num_args=255"
# Block request if the length of any argument name is too high
# Default: unlimited
# Example: 100
# Uncomment this rule to set a limit.
#SecAction \
# "id:900310,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.arg_name_length=100"
# Block request if the length of any argument value is too high
# Default: unlimited
# Example: 400
# Uncomment this rule to set a limit.
#SecAction \
# "id:900320,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.arg_length=400"
# Block request if the total length of all combined arguments is too high
# Default: unlimited
# Example: 64000
# Uncomment this rule to set a limit.
#SecAction \
# "id:900330,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.total_arg_length=64000"
# Block request if the file size of any individual uploaded file is too high
# Default: unlimited
# Example: 1048576
# Uncomment this rule to set a limit.
#SecAction \
# "id:900340,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.max_file_size=1048576"
# Block request if the total size of all combined uploaded files is too high
# Default: unlimited
# Example: 1048576
# Uncomment this rule to set a limit.
#SecAction \
# "id:900350,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.combined_file_sizes=1048576"
#
# -- [[ Easing In / Sampling Percentage ]] -------------------------------------
#
# Adding the CRS to an existing productive site can lead to false
# positives, unexpected performance issues and other undesired side effects.
#
# It can be beneficial to test the water first by enabling the CRS for a
# limited number of requests only and then, when you have solved the issues (if
# any) and you have confidence in the setup, to raise the ratio of requests
# being sent into the ruleset.
#
# Adjust the percentage of requests that are funnelled into the Core Rules by
# setting TX.sampling_percentage below. The default is 100, meaning that every
# request gets checked by the CRS. The selection of requests, which are going
# to be checked, is based on a pseudo random number generated by ModSecurity.
#
# If a request is allowed to pass without being checked by the CRS, there is no
# entry in the audit log (for performance reasons), but an error log entry is
# written. If you want to disable the error log entry, then issue the
# following directive somewhere after the inclusion of the CRS
# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
#
#SecRuleUpdateActionById 901450 "nolog"
#
# ATTENTION: If this TX.sampling_percentage is below 100, then some of the
# requests will bypass the Core Rules completely and you lose the ability to
# protect your service with ModSecurity.
#
# Uncomment this rule to enable this feature:
#
#SecAction \
# "id:900400,\
# phase:1,\
# pass,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.sampling_percentage=100"
#
# -- [[ Check UTF-8 encoding ]] ------------------------------------------------
#
# The CRS can optionally check request contents for invalid UTF-8 encoding.
# We only want to apply this check if UTF-8 encoding is actually used by the
# site; otherwise it will result in false positives.
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900950,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.crs_validate_utf8_encoding=1"
# -- [[ Skip Checking Responses ]] ------------------------------------------------
#
# CRS will perform analysis of the response contents if this is enabled and you have
# the directive `SecResponseBodyAccess On`.
#
# Warning: this feature is _enabled_ by default, but depending on your applications
# you might be targeted in a Request Filter Denial of Service (RFDoS) attack.
#
# References: https://blog.sicuranext.com/response-filter-denial-of-service-a-new-way-to-shutdown-a-website/
#
# Uncomment this rule to _skip checking responses_.
#
#SecAction \
# "id:900500,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.24.0-dev',\
# setvar:tx.crs_skip_response_analysis=1"
#
# -- [[ End of setup ]] --------------------------------------------------------
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# has been loaded. If you are not planning to use this setup template,
# you must manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#
SecAction \
"id:900990,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:tx.crs_setup_version=4240"

7
nginx/modsec/owasp-crs/plugins/README.md Normal file
View File

@ -0,0 +1,7 @@
This is the folder where you install CRS plugins.
See https://github.com/coreruleset/plugin-registry
for a list of registered official and 3rd party plugins.
Plugins are documented in the CRS INSTALL file and
in also with said plugin registry.

0
nginx/modsec/owasp-crs/plugins/empty-after.conf Normal file
View File

0
nginx/modsec/owasp-crs/plugins/empty-before.conf Normal file
View File

0
nginx/modsec/owasp-crs/plugins/empty-config.conf Normal file
View File

200
nginx/modsec/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example Normal file
View File

@ -0,0 +1,200 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# The purpose of this file is to hold LOCAL exceptions for your site. The
# types of rules that would go into this file are one where you want to
# short-circuit inspection and allow certain transactions to pass through
# inspection or if you want to alter rules that are applied.
#
# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
# very specific reason. Files affixed with the .example extension are designed
# to contain user created/modified data. The '.example'. extension should be
# renamed to end in .conf. The advantage of this is that when OWASP CRS is
# updated, the updates will not overwrite a user generated configuration file.
#
# As a result of this design paradigm users are encouraged NOT to directly
# modify rules. Instead they should use this
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
# methods similar to the examples specified below.
#
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
# effectively maintains two different context: startup, and per transaction.
# As a rule, directives are processed within the startup context. While they
# can affect the per transaction context they generally remain fixed during the
# execution of ModSecurity.
#
# As a result if one wanted to disable a rule at bootup the SecRuleRemoveById
# directive or one of its siblings would have to be placed AFTER the rule is
# listed, otherwise it will not have knowledge of the rules existence (since
# these rules are read in at the same time). This means that when using
# directives that effect SecRules, these exceptions should be placed AFTER all
# the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
# designed such that it loads LAST.
#
# Conversely, ModSecurity supports several actions that can change the state of
# the underlying configuration during the per transaction context, this is when
# rules are being processed. Generally, these are accomplished by using the
# 'ctl' action. As these are part of a rule, they will be evaluated in the
# order rules are applied (by physical location, considering phases). As a
# result of this ordering a 'ctl' action should be placed with consideration to
# when it will be executed. This is particularly relevant for the 'ctl' options
# that involve modifying ID's (such as ruleRemoveById). In these cases it is
# important that such rules are placed BEFORE the rule ID they will affect.
# Unlike the setup context, by the time we process rules in the per-transaction
# context, we are already aware of all the rule ID's. It is by this logic that
# we include rules such as this BEFORE all the remaining rules. As a result
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
#
# As a general rule:
# ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
#
# SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
#
#
# What follows are a group of examples that show you how to perform rule
# exclusions.
#
#
# Example Exclusion Rule: Disable inspection for an authorized client
#
# This ruleset allows you to control how ModSecurity will handle traffic
# originating from Authorized Vulnerability Scanning (AVS) sources. See
# related blog post -
# https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-advanced-topic-of-the-week-handling-authorized-scanning-traffic/
#
# Allow List ASV network block (no blocking or logging of AVS traffic) Update
# IP network block as appropriate for your AVS traffic
#
# ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
# "id:1000,\
# phase:1,\
# pass,\
# nolog,\
# ctl:ruleEngine=Off"
#
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for an individual rule
#
# This rule shows how to conditionally exclude the "password"
# parameter for rule 942100 when the REQUEST_URI is /index.php
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
#
# SecRule REQUEST_URI "@beginsWith /index.php" \
# "id:1001,\
# phase:1,\
# pass,\
# nolog,\
# ctl:ruleRemoveTargetById=942100;ARGS:password"
#
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for only certain attacks
#
# Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
# 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
#
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
# for all rules tagged attack-sqli
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
# "id:1002,\
# phase:2,\
# pass,\
# nolog,\
# ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for all CRS rules
#
# This rule illustrates that we can use tagging very effectively to allow list a
# common false positive across an entire ModSecurity instance. This can be done
# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
# affect custom rules.
#
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
# for all CRS rules
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
# "id:1003,\
# phase:2,\
# pass,\
# nolog,\
# ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
#
# Example Exclusion Rule: Removing a range of rules
#
# This rule illustrates that we can remove a rule range via a ctl action.
# This uses the fact, that rules are grouped by topic in rule files covering
# a certain id range.
# IMPORTANT: ModSecurity v3, aka libModSecurity, does not currently support the
# use of rule ranges in a ruleRemoveById ctl action (this feature has been
# planned for v3.1). Consider using ruleRemoveByTag as a workaround, if
# appropriate.
#
# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
# SecRule REQUEST_FILENAME "@beginsWith /admin" \
# "id:1004,\
# phase:2,\
# pass,\
# nolog,\
# ctl:ruleRemoveById=941000-942999"
#
#
# The application-specific rule exclusion plugins
# (see: https://github.com/coreruleset/plugin-registry)
# provide additional examples which can be useful then tuning a service.
#
# Example Rule: Allow monitoring tools and scripts
#
# Uncomment this rule to allow all requests from trusted IPs and User-Agent.
# This can be useful for monitoring tools like Monit, Nagios, or other agents.
# For example, if you're using AWS Load Balancer, you may need to trust all
# requests from "10.0.0.0/8" subnet that come with the user-agent
# "ELB-HealthChecker/2.0". By doing this, all requests that match these
# conditions will not be matched against the following rules:
#
# - id: 911100 (allowed methods)
# - id: 913100 (scan detection)
# - id: 920280 (missing/empty host header)
# - id: 920350 (IP address in host header)
# - tag: attack-disclosure (all RESPONSE-*-DATA-LEAKAGES rules)
#
# SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
# "id:1005,\
# phase:1,\
# pass,\
# nolog,\
# chain"
# SecRule REQUEST_METHOD "@pm GET HEAD" "chain"
# SecRule REQUEST_HEADERS:User-Agent "@pm ELB-HealthChecker" \
# "ctl:ruleRemoveById=911100,\
# ctl:ruleRemoveById=913100,\
# ctl:ruleRemoveById=920280,\
# ctl:ruleRemoveById=920350,\
# ctl:ruleRemoveByTag=attack-disclosure"

491
nginx/modsec/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf Normal file
View File

@ -0,0 +1,491 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
# and performs preparatory actions. It also fixes errors and omissions
# of variable definitions in the file crs-setup.conf.
# The crs-setup.conf can and should be edited by the user, this file
# is part of the CRS installation and should not be altered.
#
#
# -=[ Rules Version ]=-
#
# Rule version data is added to the "Producer" line of Section H of the Audit log:
#
# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
#
# Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature
#
SecComponentSignature "OWASP_CRS/4.24.0-dev"
#
# -=[ Default setup values ]=-
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# file is included at the correct time. This detects situations where
# necessary settings are not defined, for instance if the file
# inclusion order is incorrect, or if the user has forgotten to
# include the crs-setup.conf file.
#
# If you are upgrading from an earlier version of the CRS and you are
# getting this error, please make a new copy of the setup template
# crs-setup.conf.example to crs-setup.conf, and re-apply your policy
# changes. There have been many changes in settings syntax from CRS2
# to CRS3, so an old setup file may cause unwanted behavior.
#
# If you are not planning to use the crs-setup.conf template, you must
# manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#
SecRule &TX:crs_setup_version "@eq 0" \
"id:901001,\
phase:1,\
deny,\
status:500,\
log,\
auditlog,\
msg:'CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL'"
#
# -=[ Default setup values ]=-
#
# Some constructs or individual rules will fail if certain parameters
# are not set in the crs-setup.conf file. The following rules will catch
# these cases and assign sane default values.
#
# Default Inbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
"id:901100,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.inbound_anomaly_score_threshold=5'"
# Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
"id:901110,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
# Default Reporting Level (rule 900115 in crs-setup.conf)
SecRule &TX:reporting_level "@eq 0" \
"id:901111,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.reporting_level=4'"
# Default Early Blocking (rule 900120 in crs-setup.conf)
SecRule &TX:early_blocking "@eq 0" \
"id:901115,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.early_blocking=0'"
# Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
SecRule &TX:blocking_paranoia_level "@eq 0" \
"id:901120,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_paranoia_level=1'"
# Default Detection Paranoia Level (rule 900001 in crs-setup.conf)
SecRule &TX:detection_paranoia_level "@eq 0" \
"id:901125,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
# Default Sampling Percentage (rule 900400 in crs-setup.conf)
SecRule &TX:sampling_percentage "@eq 0" \
"id:901130,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.sampling_percentage=100'"
# Default Anomaly Scores (rule 900100 in crs-setup.conf)
SecRule &TX:critical_anomaly_score "@eq 0" \
"id:901140,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.critical_anomaly_score=5'"
SecRule &TX:error_anomaly_score "@eq 0" \
"id:901141,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.error_anomaly_score=4'"
SecRule &TX:warning_anomaly_score "@eq 0" \
"id:901142,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.warning_anomaly_score=3'"
SecRule &TX:notice_anomaly_score "@eq 0" \
"id:901143,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.notice_anomaly_score=2'"
# Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf)
SecRule &TX:allowed_methods "@eq 0" \
"id:901160,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf)
SecRule &TX:allowed_request_content_type "@eq 0" \
"id:901162,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'"
# Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf)
SecRule &TX:allowed_request_content_type_charset "@eq 0" \
"id:901168,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
# Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf)
SecRule &TX:allowed_http_versions "@eq 0" \
"id:901163,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
SecRule &TX:restricted_extensions "@eq 0" \
"id:901164,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .back/ .backup/ .bak/ .bck/ .bk/ .bkp/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .cnf/ .com/ .compositefont/ .config/ .conf/ .copy/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jks/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .sav/ .save/ .scr/ .sct/ .sh/ .shs/ .sql/ .sqlite/ .sqlite3/ .swap/ .swo/ .swp/ .sys/ .temp/ .tfstate/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'"
# Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf)
SecRule &TX:restricted_headers_basic "@eq 0" \
"id:901165,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/ /expect/'"
# Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf)
SecRule &TX:restricted_headers_extended "@eq 0" \
"id:901171,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.restricted_headers_extended=/accept-charset/'"
#
# -=[ Method Override Parameter Configuration ]=-
#
# Initialize the allow_method_override_parameter variable.
# This controls whether the _method parameter is permitted for HTTP method
# override (used by frameworks like Laravel, Rails, Symfony).
#
# To allow _method parameter, set tx.allow_method_override_parameter=1
# in crs-setup.conf (see rule 900510).
#
SecRule &TX:allow_method_override_parameter "@eq 0" \
"id:901510,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.allow_method_override_parameter=0'"
# Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)
SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
"id:901167,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.enforce_bodyproc_urlencoded=0'"
# Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf)
SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
"id:901169,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.crs_validate_utf8_encoding=0'"
# Default check for skipping response analysis (rule 900500 in crs-setup.conf)
SecRule &TX:crs_skip_response_analysis "@eq 0" \
"id:901170,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.crs_skip_response_analysis=0'"
#
# -=[ Initialize internal variables ]=-
#
# Initialize anomaly scoring variables.
# All _score variables start at 0, and are incremented by the various rules
# upon detection of a possible attack.
SecAction \
"id:901200,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_inbound_anomaly_score=0',\
setvar:'tx.detection_inbound_anomaly_score=0',\
setvar:'tx.inbound_anomaly_score_pl1=0',\
setvar:'tx.inbound_anomaly_score_pl2=0',\
setvar:'tx.inbound_anomaly_score_pl3=0',\
setvar:'tx.inbound_anomaly_score_pl4=0',\
setvar:'tx.sql_injection_score=0',\
setvar:'tx.xss_score=0',\
setvar:'tx.rfi_score=0',\
setvar:'tx.lfi_score=0',\
setvar:'tx.rce_score=0',\
setvar:'tx.php_injection_score=0',\
setvar:'tx.http_violation_score=0',\
setvar:'tx.session_fixation_score=0',\
setvar:'tx.blocking_outbound_anomaly_score=0',\
setvar:'tx.detection_outbound_anomaly_score=0',\
setvar:'tx.outbound_anomaly_score_pl1=0',\
setvar:'tx.outbound_anomaly_score_pl2=0',\
setvar:'tx.outbound_anomaly_score_pl3=0',\
setvar:'tx.outbound_anomaly_score_pl4=0',\
setvar:'tx.anomaly_score=0'"
#
# -=[ Initialize collections ]=-
#
# Create both Global and IP collections for rules to use.
# Some plugins assume that these two collections have already
# been initialized.
# IP collection is initialized with the IP address concatened with the hashed user agent.
# Disable collection initialization by default (see rule 900130 in crs-setup.conf)
# The creation of the IP and the GLOBAL collection is not being tested as
# of this writing due to limits in ftw and our testing setup.
# Proper testing would involve the checking of a variable in the said collections.
SecRule &TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
"id:901320,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.ua_hash=%{REQUEST_HEADERS.User-Agent}',\
chain"
SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
"chain"
SecRule TX:ua_hash "@unconditionalMatch" \
"t:none,t:sha1,t:hexEncode,\
initcol:global=global,\
initcol:ip=%{remote_addr}_%{MATCHED_VAR}"
#
# -=[ Initialize Correct Body Processing ]=-
#
# Force request body variable and optionally request body processor
#
# Force body variable
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"id:901340,\
phase:1,\
pass,\
nolog,\
noauditlog,\
msg:'Enabling body inspection',\
tag:'OWASP_CRS',\
ctl:forceRequestBodyVariable=On,\
ver:'OWASP_CRS/4.24.0-dev'"
# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
"id:901350,\
phase:1,\
pass,\
t:none,t:urlDecodeUni,\
nolog,\
noauditlog,\
msg:'Enabling forced body inspection for ASCII content',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
chain"
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"ctl:requestBodyProcessor=URLENCODED"
#
# -=[ Easing In / Sampling Percentage ]=-
#
# This is used to send only a limited percentage of requests into the Core
# Rule Set. The selection is based on TX.sampling_percentage and a pseudo
# random number calculated below.
#
# Use this to ease into a new Core Rules installation with an existing
# productive service.
#
# See
# https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/
#
#
# Generate the pseudo random number
#
# ATTENTION: This is no cryptographically secure random number. It's just
# a cheap way to get some random number suitable for sampling.
#
# We take the entropy contained in the UNIQUE_ID. We hash that variable and
# take the first integer numbers out of it. Theoretically, it is possible
# but highly improbable that there are no integers in a hexEncoded sha1 hash.
# In the very rare event that two integers are not matched (due to only being
# a-f in all, or all but one positions) 901450 will not be triggered.
# Leading zeros are not removed from the two-digit random number, and are
# handled gracefullly by 901450
SecRule TX:sampling_percentage "@eq 100" \
"id:901400,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-SAMPLING"
SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
"id:901410,\
phase:1,\
pass,\
capture,\
t:sha1,t:hexEncode,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
#
# Sampling decision
#
# If a request is allowed to pass without being checked by the CRS, there is no
# entry in the audit log (for performance reasons), but an error log entry is
# being written. If you want to disable the error log entry, then issue the
# following directive somewhere after the inclusion of the CRS
# (E.g., RESPONSE-999-EXCEPTIONS.conf).
#
# SecRuleUpdateActionById 901450 "nolog"
#
SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
"id:901450,\
phase:1,\
pass,\
log,\
noauditlog,\
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
tag:'OWASP_CRS',\
ctl:ruleRemoveByTag=OWASP_CRS,\
ver:'OWASP_CRS/4.24.0-dev'"
SecMarker "END-SAMPLING"
#
# Configuration Plausibility Checks
#
# Make sure detection paranoia level is not lower than paranoia level
SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
"id:901500,\
phase:1,\
deny,\
status:500,\
t:none,\
log,\
msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev'"

57
nginx/modsec/owasp-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf Normal file
View File

@ -0,0 +1,57 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# This file is used as an exception mechanism to remove common false positives
# that may be encountered.
#
# Exception for Apache SSL pinger
#
SecRule REQUEST_LINE "@streq GET /" \
"id:905100,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
ctl:ruleRemoveByTag=OWASP_CRS,\
ctl:auditEngine=Off"
#
# Exception for Apache internal dummy connection
#
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"id:905110,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
"t:none,\
chain"
SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
"t:none,\
ctl:ruleRemoveByTag=OWASP_CRS,\
ctl:auditEngine=Off"

76
nginx/modsec/owasp-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf Normal file
View File

@ -0,0 +1,76 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Allowed Request Methods ]=-
#
# tx.allowed_methods is defined in the crs-setup.conf file
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
"id:911100,\
phase:1,\
block,\
msg:'Method is not allowed by policy',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/METHOD-ENFORCEMENT',\
tag:'capec/1000/210/272/220/274',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT"

86
nginx/modsec/owasp-crs/rules/REQUEST-913-SCANNER-DETECTION.conf Normal file
View File

@ -0,0 +1,86 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Security Scanner Checks ]=-
#
# This rule inspects the default User-Agent and Header values sent by
# various commercial and open source scanners, mostly
# security / vulnerability scanners.
#
# It is based on a curated list of known malicious scanners in widespread use.
# This list is maintained in scanners-user-agents.data.
#
# With CRSv4, the project has given up on keeping track of different categories
# of scanners and scripting agents, mostly because it's very hard to draw
# a line between benign, mostly benign and malicious. And because dedicated
# attackers will change the user agent anyways.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
"id:913100,\
phase:1,\
block,\
capture,\
t:none,\
msg:'Found User-Agent associated with security scanner',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/SCANNER-DETECTION',\
tag:'capec/1000/118/224/541/310',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-913-SCANNER-DETECTION"

1989
nginx/modsec/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf Normal file
View File

File diff suppressed because it is too large Load Diff

608
nginx/modsec/owasp-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf Normal file
View File

@ -0,0 +1,608 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ HTTP Request Smuggling ]=-
#
# [ Rule Logic ]
# This rule looks for a HTTP / WEBDAV method name in combination with the word http/\d or a CR/LF character.
# This would point to an attempt to inject a 2nd request into the request, thus bypassing
# tests carried out on the primary request.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Request-Smuggling
#
SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+\s+http/\d" \
"id:921110,\
phase:2,\
block,\
capture,\
t:none,t:htmlEntityDecode,t:lowercase,\
msg:'HTTP Request Smuggling Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ HTTP Response Splitting ]=-
#
# [ Rule Logic ]
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
# These characters may cause problems if the data is returned in a response header and
# may be interpreted by an intermediary proxy server and treated as two separate
# responses.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Response-Splitting
#
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" \
"id:921120,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'HTTP Response Splitting Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \
"id:921130,\
phase:2,\
block,\
capture,\
t:none,t:htmlEntityDecode,t:lowercase,\
msg:'HTTP Response Splitting Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ HTTP Header Injection ]=-
#
# [ Rule Logic ]
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters,
# on their own or in combination with header field names.
# These characters may cause problems if the data is returned in a response header
# and interpreted by the client.
# The rules are similar to rules defending against the HTTP Request Splitting and
# Request Smuggling rules.
#
# [ References ]
# https://en.wikipedia.org/wiki/HTTP_header_injection
#
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
"id:921140,\
phase:1,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'HTTP Header Injection Attack via headers',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/210/272/220/273',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Detect newlines in argument names.
# Checking for GET arguments has been moved to paranoia level 2 (921151)
# in order to mitigate possible false positives.
#
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
SecRule ARGS_NAMES "@rx [\n\r]" \
"id:921150,\
phase:2,\
block,\
capture,\
t:none,\
msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
"id:921160,\
phase:1,\
block,\
capture,\
t:none,t:lowercase,\
msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# -=[ HTTP Splitting ]=-
#
# This rule detect \n or \r in the REQUEST FILENAME
# Reference: https://wiki.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
# Reference: https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf
#
SecRule REQUEST_FILENAME "@rx [\n\r]" \
"id:921190,\
phase:1,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'HTTP Splitting (CR/LF in request filename detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ LDAP Injection ]=-
#
# [ Rule Logic ]
#
# This is a rule trying to prevent LDAP injection. It is based on a BlackHat presentation by Alonso Parada
# and regex writing by Denis Kolegov.
#
# [ References ]
# * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
# * https://www.sonarsource.com/blog/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
# * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^!&\(\):<>\|~]*\)[\s\x0b]*(?:\((?:[^!&\(\),<->\|~]+[<>~]?=|[\s\x0b]*[!&\|][\s\x0b]*[\(\)]?[\s\x0b]*)|\)[\s\x0b]*\([\s\x0b]*[!&\|][\s\x0b]*|[!&\|][\s\x0b]*\([^!&\(\),<->\|~]+[<>~]?=[^!&\(\):<>\|~]*)" \
"id:921200,\
phase:2,\
block,\
capture,\
t:none,t:htmlEntityDecode,\
msg:'LDAP Injection Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-ldap',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/152/248/136',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ Body Processor Bypass ]=-
#
# [ Rule Logic ]
#
# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
# This prevents bypasses targeting the Modsecurity recommended rules controlling which body processor is used.
#
# Regular expression generated from regex-assembly/921421.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 921421
#
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:application/(?:.+\+)?json|(?:application/(?:soap\+)?|text/)xml)" \
"id:921421,\
phase:1,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/255/153',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Rule against CVE-2021-40438:
# A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user.
# This issue affects Apache HTTP Server 2.4.48 and earlier.
# GET /?unix:AAAAAAAAAAAAA|http://coreruleset.org/
#
SecRule REQUEST_URI_RAW "@rx unix:[^|]*\|" \
"id:921240,\
phase:1,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
msg:'mod_proxy attack attempt detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Detection for old V1 cookie format from RFC 2109.
#
# This has been abused by the cookie sandwich technique, in diverse issues affecting Apache Tomcat, Python, and maybe others.
# RFC 6265 deprecated and replaced RFCs 2109 and 2965.
# It completely removed "$Version", meaning user agents and servers no longer use this attribute.
# See:
# - https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique
# - https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#seccookieformat
SecRule REQUEST_COOKIES:/\x22?\x24Version/ "@streq 1" \
"id:921250,\
phase:1,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Old Cookies V1 usage attempt detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
# Detect newlines in GET argument values.
# These may point to a HTTP header injection attack, but can also sometimes
# occur in benign query parameters.
#
# See also: rule 921140, 921150
#
SecRule ARGS_GET "@rx [\n\r]" \
"id:921151,\
phase:1,\
block,\
capture,\
t:none,\
msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
#
# -=[ Body Processor Bypass ]=-
#
# [ Rule Logic ]
#
# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
#
# [ References ]
# * See rule 921422
#
# Regular expression generated from regex-assembly/921422.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 921422
#
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\+/]))\b" \
"id:921422,\
phase:1,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/255/153',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
#
# Forbid Request Range Header
#
# It is possible abuse the HTTP Request Range Header to leak error pages
# and other information in very small snippets.
# The easiest way to fight this is to deny the use of this header.
# This is a viable option since the header is only used in rare circumstances
# anymore.
# If it is necessary to use it in a certain setup, then it is best to
# create a rule exclusion for a given URI and this rule ID as a workaround.
#
SecRule &REQUEST_HEADERS:Range "@gt 0" \
"id:921230,\
phase:1,\
block,\
t:none,\
msg:'HTTP Range Header detected',\
logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/210/272/220',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
# -=[ HTTP Parameter Pollution ]=-
#
# [ Rule Logic ]
# These rules look for multiple parameters with the same name.
# 921170 counts the occurrences of the individual parameters.
# 921180 checks if any counter is > 1.
#
# One HPP attack vector is to try evade signature filters by distributing the
# attack payload across multiple parameters with the same name.
# This works as many security devices only apply signatures to individual
# parameter payloads, however the back-end web application may (in the case
# of ASP.NET) consolidate all of the payloads into one thus making the
# attack payload active.
#
# This rule is not compatible with application endpoints that accept this
# kind of input: /foo.php?test[]=1&test[]=2
#
# [ References ]
# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
# https://capec.mitre.org/data/definitions/460.html
#
SecRule ARGS_NAMES "@rx ." \
"id:921170,\
phase:2,\
pass,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/paramcounter_.*/ "@gt 1" \
"id:921180,\
phase:2,\
block,\
msg:'HTTP Parameter Pollution (%{MATCHED_VAR_NAME})',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
# -=[ HTTP Parameter Pollution ]=-
#
# [ Rule Logic ]
# Parameter pollution rule 921180 PL3 can by bypassed when a weak backend parameter
# parser is ignoring additional characters in a parameter array name after the
# closing of the array.
# Rule 921210 PL3 prevents this by disallowing arbitrary strings after an array has
# been closed or inbetween the square brackets in multidimensional arrays.
# Please note that rule 921210 allows for 2-dimensional, but not for higher dimensional
# arrays. If these are flagged as attacks, a rule exclusion will have to be
# deployed; ideally for the parameter(s) in question.
#
# [ References ]
# Private bug bounty in Spring 2022, findings Z05OZUCH.
#
# [ Payloads ]
# * foo[1]a=bar&foo[1]b=<evil> - parameter parsers often cut after the closing of
# the array. 921180 PL3 takes the full name, though.
# This impediance mismatch allows for bypasses.
# * foo[1]x[1]=bar&foo[1]x[2]=<evil> - extension of 1; this has the advantage that
# the parameter name does end with "]" just like a valid array notation.
#
SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
"id:921210,\
phase:2,\
block,\
capture,\
log,\
msg:'HTTP Parameter Pollution after detecting bogus char after parameter array',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
# -=[ HTTP Parameter Pollution ]=-
#
# [ Rule Logic ]
# Parameter pollution rule 921180 PL3 and 921210 PL3 can by bypassed if a
# weak backend parameter parser ignores parameter array alltogether at
# cuts parameter names at the first occurrence of the "[" character.
# The rule 921220 PL4 prevents this by disallowing parameter array names.
#
# If an application needs parameter array names - which is the case for almost
# all CMS - this rule should be disabled. Otherwise, be prepared to handle
# a high volume of exclusions to configure, particularly on administration
# panels.
#
# [ References ]
# Private bug bounty in Spring 2022, finding 5UXE4RK0.
#
# [ Payloads ]
# * foo[1]=bar&foo[2]=<evil>
# * foo=bar&foo[1]=<evil>
# * foo[1]=bar&foo[1]acb]=<evil> - this is an edge case that 921210 PL3 is not
# able to catch since the parameter name ends with "]".
#
SecRule ARGS_NAMES "@rx \[" \
"id:921220,\
phase:2,\
block,\
capture,\
log,\
msg:'HTTP Parameter Pollution possible via array notation',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL-ATTACK',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"

157
nginx/modsec/owasp-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf Normal file
View File

@ -0,0 +1,157 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# This file is to address the 3UWMWA6W vulnerability.
# It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
# of the security fixes in these versions) or a compatible engine supporting these changes.
#
# If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
# In that case, you can temporarily delete this file. However, you will be missing
# protection from these rules. Therefore, we recommend upgrading your engine instead.
# The rules in this file will be part of the 920 / 921 in the future.
# Only allow specific charsets when using "_charset_"
# Note: this is in phase:2 because these are headers that come in the body
SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
"id:922100,\
phase:2,\
block,\
t:none,\
msg:'Multipart content type global _charset_ definition is not allowed by policy',\
logdata:'Matched Data: %{ARGS._charset_}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-multipart-header',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/MULTIPART-ATTACK',\
tag:'capec/1000/255/153',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
chain"
SecRule TX:922100_CHARSET "!@within %{tx.allowed_request_content_type_charset}" \
"t:lowercase,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Only allow specific charsets same as Rule 920600
# Note: this is in phase:2 because these are headers that come in the body
#
# How do these rules work:
# * rule 922140 sets the multipart counter TX variable to 0
# note that this is why does not matter if more parts have the same name - see rule's test
# * rule 922150 collects all multipart headers' 'Content-Type' value
# eg. 'text/plain; charset=utf-8'
# * rule 922110 checks all the collected headers' content type and charset
#
SecRule &MULTIPART_PART_HEADERS "@gt 0" \
"id:922140,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'attack-multipart-header',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/MULTIPART-ATTACK',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.multipart_headers_content_counter=0'"
SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
"id:922150,\
phase:2,\
pass,\
capture,\
t:none,t:lowercase,\
nolog,\
tag:'attack-multipart-header',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/MULTIPART-ATTACK',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.multipart_headers_content_types_%{tx.multipart_headers_content_counter}=%{tx.1}',\
setvar:'tx.multipart_headers_content_counter=+1'"
# Regular expression generated from regex-assembly/922110.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 922110
SecRule TX:/MULTIPART_HEADERS_CONTENT_TYPES_*/ "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
"id:922110,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Illegal MIME Multipart Header content-type: charset parameter',\
logdata:'Matched Data: %{MATCHED_VAR} found within Content-Type multipart form',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-multipart-header',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/MULTIPART-ATTACK',\
tag:'capec/272/220',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
# Note: this is in phase:2 because these are headers that come in the body
SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
"id:922120,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\
logdata:'Matched Data: %{TX.0}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-multipart-header',\
tag:'attack-deprecated-header',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/MULTIPART-ATTACK',\
tag:'capec/272/220',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Multipart header names can't contain any characters outside of range 33 and 126,
# excluding 58 (':') which is the separator.
# RFC 2045 refers RFC 822 about the header syntax.
# Note: this is in phase:2 because these are headers that come in the body
SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \
"id:922130,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Multipart header contains characters outside of valid range',\
logdata:'Matched Data: %{TX.0}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-multipart-header',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/MULTIPART-ATTACK',\
tag:'capec/272/220',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

204
nginx/modsec/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf Normal file
View File

@ -0,0 +1,204 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Directory Traversal Attacks ]=-
#
# Ref: https://github.com/wireghoul/dotdotpwn
#
# [ Encoded /../ Payloads ]
#
# Regular expression generated from regex-assembly/930100.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 930100
#
SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?i)(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\.(?:%0[01]|\?)?|\?\.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:\.|%[256aef]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" \
"id:930100,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Path Traversal Attack (/../) or (/.../)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-LFI',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
#
# [ Decoded /../ or /..;/ Payloads ]
#
# To prevent '..' from triggering, the regexp is split into two parts:
# - ../
# - /..
# OR
# - .../
# - /...
#
# Semicolon added to prevent path traversal via reverse proxy mapping '/..;/' (Tomcat)
#
SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}[\x5c/;])" \
"id:930110,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
msg:'Path Traversal Attack (/../) or (/.../)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-LFI',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
#
# -=[ OS File Access ]=-
#
# We check for OS file access with the help of a local file with OS files data.
#
# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
#
# If you wonder where support for Google OAuth2 has gone, see:
# https://github.com/coreruleset/google-oauth2-plugin
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data" \
"id:930120,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
msg:'OS File Access Attempt',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-LFI',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ Restricted File Access ]=-
#
# Detects attempts to retrieve application source code, metadata,
# credentials and version control history possibly reachable in a web root.
#
SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
"id:930130,\
phase:1,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
msg:'Restricted File Access Attempt',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-LFI',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
#
# -=[ OS File Access ]=-
#
# This is a stricter sibling of rule 930120.
# This stricter sibling checks for OS file data in request headers referer and user-agent.
# We check for OS file access with the help of a local file with OS files data.
#
# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
#
SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-files.data" \
"id:930121,\
phase:1,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
msg:'OS File Access Attempt in REQUEST_HEADERS',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-LFI',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"

195
nginx/modsec/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf Normal file
View File

@ -0,0 +1,195 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# RFI Attacks
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
# -=[ Rule Logic ]=-
# These rules look for common types of Remote File Inclusion (RFI) attack methods.
# - URL Contains an IP Address
# - The PHP "include()" Function
# - RFI Data Ends with Question Mark(s) (?)
# - RFI Host Doesn't Match Local Host
#
# Note: brackets around IPv6 literals are mandatory per RFC 2732,
# but have been made optional here - just in case - to account for rare
# non-standard implementations or parsing inconsistencies.
#
# -=[ References ]=-
# http://projects.webappsec.org/Remote-File-Inclusion
# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
# https://datatracker.ietf.org/doc/html/rfc2732
#
SecRule ARGS|XML:/* "@rx (?i)^(file|ftps?|https?|ssh)://(?:\[?[a-f0-9]+:[a-f0-9:]+\]?|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
"id:931100,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-RFI',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?)://" \
"id:931110,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-RFI',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
"id:931120,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-RFI',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
# url:file:// can be used by Java applications using
# org.apache.commons.io.IOUtils to access internal files, so this has been added
#
# This rule has one (stricter) sibling: 931131.
# That rule applies the same regular expression to the request filename in phase 1.
#
# Regular expression generated from regex-assembly/931130.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 931130
#
SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://?(?:[^@]+@)?([^/]*)" \
"id:931130,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-RFI',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \
"setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# This is a sibling of 931130.
#
# Regular expression generated from regex-assembly/931131.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 931131
#
SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" \
"id:931131,\
phase:1,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Possible Remote File Inclusion (RFI) Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-RFI',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-931-APPLICATION-ATTACK-RFI"

2215
nginx/modsec/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf Normal file
View File

File diff suppressed because one or more lines are too long

938
nginx/modsec/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf Normal file
View File

File diff suppressed because one or more lines are too long

432
nginx/modsec/owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf Normal file
View File

@ -0,0 +1,432 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
# [ NodeJS Insecure unserialization / generic RCE signatures ]
#
# Libraries performing insecure unserialization:
# - node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941)
# - funcster: __js_function
#
# See:
# https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
# https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
#
# Some generic snippets used:
# - function() {
# - new Function(
# - eval(
# - String.fromCharCode(
#
# Last two are used by nodejsshell.py,
# https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
#
# As base64 is sometimes (but not always) used to encode serialized values,
# use multiMatch and t:base64decode.
#
# Regular expression generated from regex-assembly/934100.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 934100
#
# Stricter sibling: 934101
SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx _(?:\$\$ND_FUNC\$\$_|_js_function)|(?:\beval|new[\s\x0b]+Function[\s\x0b]*)\(|(?:String\.fromCharCod|Module:prototyp)e|function\(\)\{|this\.constructor|module\.exports=|\([\s\x0b]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][\s\x0b]*\)|cons(?:tructor:constructor|ole(?:\.(?:(?:debu|lo)g|error|info|trace|warn)(?:\.call)?\(|\[[\"'`](?:(?:debu|lo)g|error|info|trace|warn)[\"'`]\]))|process(?:\.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:\.call)?\(|binding|constructor|env|global|main(?:Module)?|process|require)|\[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]\])|(?:binding|constructor|env|global|main(?:Module)?|process|require)\[|require(?:\.(?:resolve(?:\.call)?\(|main|extensions|cache)|\[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]\])" \
"id:934100,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,\
msg:'Node.js Injection Attack 1/2',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-javascript',\
tag:'platform-multi',\
tag:'platform-nodejs',\
tag:'attack-rce',\
tag:'attack-injection-generic',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-GENERIC',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# -=[ SSRF Attacks ]=-
#
# We provide only partial protection to SSRF. DNS Rebinding attacks needs
# to be handled at application level, and even those might be difficult to catch.
#
# PL1 rules are based on common attacks on cloud providers, based on well-known URLs.
#
# -=[ References ]=-
# https://highon.coffee/blog/ssrf-cheat-sheet/
# https://cwe.mitre.org/data/definitions/918.html
# https://capec.mitre.org/data/definitions/664.html)
#
# Preventing: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile ssrf.data" \
"id:934110,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-ssrf',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-GENERIC',\
tag:'capec/1000/225/664',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# This rule detects SSRF attempts using hostnames without schemes.
# Some frameworks and libraries add implicit 'http://' or 'https://' schemes
# when processing URLs, making scheme-less hostnames effective attack vectors.
#
# Examples:
# - localhost/
# - host.docker.internal/
# - kubernetes.default.svc.cluster.local/
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile ssrf-no-scheme.data" \
"id:934190,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Possible Server Side Request Forgery (SSRF) Attack: Scheme-less localhost or internal hostname detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-ssrf',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-GENERIC',\
tag:'capec/1000/225/664',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# JavaScript prototype pollution injection attempts
#
# Example from https://hackerone.com/reports/869574 critical
# vulnerability in the TypeORM library:
# {"text":"a","title":{"__proto__":{"where":{"name":"sqlinjection","where":null}}}}
#
# Test cases are based on this list of payloads:
# https://github.com/BlackFan/client-side-prototype-pollution/blob/master/README.md
#
# See also: https://cwe.mitre.org/data/definitions/1321.html
#
# Note: only server-based (not DOM-based) attacks are covered here.
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:__proto__|constructor\s*(?:\.|\]?\[)\s*prototype)" \
"id:934130,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:jsDecode,\
msg:'JavaScript Prototype Pollution',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-javascript',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'attack-injection-generic',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-GENERIC',\
tag:'capec/1/180/77',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# [ Ruby generic RCE signatures ]
#
# Detects Ruby-based injection attacks.
# Example: Process.spawn("id")
#
# Regular expression generated from regex-assembly/934150.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 934150
#
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx Process[\s\x0b]*\.[\s\x0b]*spawn[\s\x0b]*\(" \
"id:934150,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Ruby Injection Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-ruby',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'attack-injection-generic',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-GENERIC',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# [ NodeJS DoS signatures ]
#
# NodeJS runs in a single thread, so any evaluated payloads that block execution can cause an easy DoS.
# This rule attempts to block e.g. while(true).
#
# Regular expression generated from regex-assembly/934160.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 934160
#
SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx while[\s\x0b]*\([\s\x0b\(]*(?:!+(?:false|null|undefined|NaN|[\+\-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[\+\-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)\b|\{[^\}]*\}|\[[^\]]*\]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*\)" \
"id:934160,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:replaceComments,\
msg:'Node.js DoS attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-javascript',\
tag:'platform-nodejs',\
tag:'attack-rce',\
tag:'attack-injection-generic',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-GENERIC',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# [ PHP data: scheme ]
#
# PHP supports the `data:` scheme without using `//` before the content-type.
#
# Regular expression generated from regex-assembly/934170.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 934170
#
SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^data:(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*" \
"id:934170,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'PHP data scheme attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-ssrf',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-GENERIC',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
# This rule is a stricter sibling of 934100.
SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\s\x0b]*\(" \
"id:934101,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,\
msg:'Node.js Injection Attack 2/2',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-javascript',\
tag:'platform-nodejs',\
tag:'attack-rce',\
tag:'attack-injection-generic',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-GENERIC',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# -=[ SSRF Attacks ]=-
#
# PL2 rules adds SSRF capture for common evasion techniques.
#
# We add captures for these evasion techniques: (see source in util/regexp-assemble/data/regexp-934120.data)
# http://425.510.425.510/ Dotted decimal with overflow (already covered by RFI rule 931100)
# http://2852039166/ Dotless decimal - \d{10}
# http://7147006462/ Dotless decimal with overflow - \d{10}
# http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal - (?:0x[a-f0-9]{2}\.){3}0x[a-f0-9]{2}
# http://0xA9FEA9FE/ Dotless hexadecimal - 0x[a-f0-9]{8}
# http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow - 0x[a-f0-9]{16}
# http://0251.0376.0251.0376/ Dotted octal - Covered by the same below
# http://0251.00376.000251.0000376/ Dotted octal with padding - (?:0{1,4}\d{3}\.){3}0{1,4}\d{3})
# http://169.254.43518/ - (?:\d{1,3}\.){2}\.\d{5}
# http://169.16689662/ - \d{1,3}\.\d{8}
# http://[::ffff:a9fe:a9fe] IPV6 Compressed - IPv6 regex from https://ihateregex.io/expr/ipv6/, with [0-9] converted to \d and with non-capturing groups (below)
# http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded - (?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d))
# http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4 - ((?:[0-9a-fA-F]{1,4}:){6}(?:(25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d))
# http://[::]
# http://127.88.23.245:22/+&@google.com:80#+@google.com:80/ (already covered by RFI rule 931100)
# http://127.88.23.245:22/?@google.com:80/ (already covered by RFI rule 931100)
# http://127.88.23.245:22/#@www.google.com:80/ (already covered by RFI rule 931100)
# http://google.com:80\\@127.88.23.245:22/ (already covered by RFI rule 931100)
# http://google.com:80+&@127.88.23.245:22/#+@google.com:80/
# http://google.com:80+&@google.com:80#+@127.88.23.245:22/
#
# Regular expression generated from regex-assembly/934120.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 934120
#
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip):/?/?(?:[0-9]{7,10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\-\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\x0b]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\-\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\x{e2}(?:\x91[\xa0-\x{bf}]|\x92[\x80-\x{bf}]|\x93[\x80-\x{a9}\x{ab}-\x{bf}])|\x{e3}\x80\x82)+)" \
"id:934120,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-ssrf',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-GENERIC',\
tag:'capec/1000/225/664',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# [ Perl generic RCE signatures ]
#
# Detects Perl-based injection attacks.
# Example: @{[system whoami]}
#
# Regular expression generated from regex-assembly/934140.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 934140
#
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx @+\{[\s\x0b]*\[" \
"id:934140,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Perl Injection Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-perl',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'attack-injection-generic',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-GENERIC',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# [ Generic RCE signatures ]
#
# Detects General SSTI attacks.
# Example: <%= File.open('/etc/passwd').read %>
# Note: there is another rule 941380 that checks for {{.*}} regex.
#
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\{%[^%}]*%}|<%=?[^%>]*%>)" \
"id:934180,\
phase:2,\
block,\
capture,\
t:none,\
msg:'SSTI Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'platform-multi',\
tag:'attack-ssti',\
tag:'attack-injection-generic',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-GENERIC',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-934-APPLICATION-ATTACK-GENERIC"

1105
nginx/modsec/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf Normal file
View File

File diff suppressed because it is too large Load Diff

1964
nginx/modsec/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf Normal file
View File

File diff suppressed because it is too large Load Diff

135
nginx/modsec/owasp-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf Normal file
View File

@ -0,0 +1,135 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
#
# Session fixation
#
# -=[ References ]=-
# http://projects.webappsec.org/Session-Fixation
# http://projects.webappsec.org/w/page/13246960/Session%20Fixation
# http://capec.mitre.org/data/definitions/61.html
#
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
"id:943100,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-fixation',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|sessionid|cfid|cftoken|cfsid|jservsession|jwsession|_flask_session|_session_id|connect\.sid|laravel_session)$" \
"id:943110,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\
logdata:'Matched Data: %{TX.0} found within %{TX.943110_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-fixation',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.943110_matched_var_name=%{matched_var_name}',\
chain"
SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)/" \
"capture,\
chain"
SecRule TX:1 "!@endsWith %{request_headers.host}" \
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|sessionid|cfid|cftoken|cfsid|jservsession|jwsession|_flask_session|_session_id|connect\.sid|laravel_session)$" \
"id:943120,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\
logdata:'Matched Data: %{TX.0} found within %{TX.943120_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-fixation',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.943120_matched_var_name=%{matched_var_name}',\
chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"

464
nginx/modsec/owasp-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf Normal file
View File

@ -0,0 +1,464 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
# This rule is also triggered by an Apache Struts exploit:
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx java\.lang\.(?:runtime|processbuilder)" \
"id:944100,\
phase:2,\
block,\
t:none,t:lowercase,\
msg:'Remote Command Execution: Suspicious Java class detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/137/6',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
# [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ]
# [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ]
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
# Generic rule to detect processbuilder or runtime calls, if any of those is found and the same target contains
# java. unmarshaller or base64data to trigger a potential payload execution
# tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:runtime|processbuilder)" \
"id:944110,\
phase:2,\
block,\
t:none,t:lowercase,\
msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/248',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS|XML:/*|XML://@* "@rx (?i)(?:unmarshaller|base64data|java\.)" \
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Magic bytes detected and payload included possibly RCE vulnerable classes detected and process execution methods detected
# anomaly score set to critical as all conditions indicate the request try to perform RCE.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
"id:944120,\
phase:2,\
block,\
t:none,t:lowercase,\
msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/248',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ]
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ]
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* \
"@pmFromFile java-classes.data" \
"id:944130,\
phase:2,\
block,\
t:none,\
msg:'Suspicious Java class detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/248',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [ Java Script Uploads ]
#
# Block file uploads with filenames ending in Java scripts (.jsp, .jspx)
#
# Many application contain Unrestricted File Upload vulnerabilities.
# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
#
# Attackers may use such a vulnerability to achieve remote code execution
# by uploading a script file. If the upload storage location is predictable
# and not adequately protected, the attacker may then request the uploaded
# file and have the code within it executed on the server.
#
# Some AJAX uploaders use the nonstandard request headers X-Filename,
# X_Filename, or X-File-Name to transmit the file name to the server;
# scan these request headers as well as multipart/form-data file names.
#
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:jsp|jspx)\.*$" \
"id:944140,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Java Injection Attack: Java Script File Upload Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-injection-java',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Log4J / Log4Shell Defense
#
# This addresses exploits against the Log4J library described in several CVEs:
# * CVE-2021-44228
# * CVE-2021-44832
# * CVE-2021-45046
# * CVE-2021-45105
#
# See https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/
#
# This rule attempts to detect two things:
# * Nested use of ${
# * use of ${jndi:... without the closing bracket
#
# Rule 932130 is also essential for defense since there are certain
# bypasses of the log4j rules that can be caught by 932130.
#
# The payload is not displayed in the alert message since log4j could
# potentially be executed on the logviewer.
#
# This rule has stricter siblings: 944151 (PL2), 944152 (PL4)
#
# Regular expression generated from regex-assembly/944150.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 944150
#
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)(?:[^\}]{0,15}(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" \
"id:944150,\
phase:2,\
block,\
t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
log,\
msg:'Potential Remote Command Execution: Log4j / Log4shell',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/137/6',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
# This is a stricter sibling of 944150.
# It is a re-iteration of said rule without the curly bracket distance limiter
# between the nested "${". This is prone to backtracking and therefore a potential
# DoS problem for backtracking regular expression engines (e.g. PCRE2), but it also avoids evasions that fill the space between the nested
# elements with arbitrary data.
#
# Regular expression generated from regex-assembly/944151.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 944151
#
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)(?:[^\}]*(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" \
"id:944151,\
phase:2,\
block,\
t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
log,\
msg:'Potential Remote Command Execution: Log4j / Log4shell',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/137/6',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ]
#
# Detect exploitation of "Java deserialization" Apache Commons.
#
# Based on rules by @spartantri.
# https://spartantri.com/ModSecurity/?p=44
#
# Interesting references about the vulnerability
# https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
# https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
#
# Potential false positives with random fields, the anomaly level is set low to avoid blocking request
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx \xac\xed\x00\x05" \
"id:944200,\
phase:2,\
block,\
msg:'Magic bytes Detected, probable java serialization in use',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/248',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# Detecting possible base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \
"id:944210,\
phase:2,\
block,\
msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/248',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
"id:944240,\
phase:2,\
block,\
t:none,t:lowercase,\
msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/248',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx java\b.+(?:runtime|processbuilder)" \
"id:944250,\
phase:2,\
block,\
t:lowercase,\
msg:'Remote Command Execution: Suspicious Java method detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/248',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# This rule is also triggered by the following exploit(s):
# - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:class\.module\.classLoader\.resources\.context\.parent\.pipeline|springframework\.context\.support\.FileSystemXmlApplicationContext)" \
"id:944260,\
phase:2,\
block,\
t:urlDecodeUni,\
msg:'Remote Command Execution: Malicious class-loading payload',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/248',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
# Interesting keywords for possibly RCE on vulnerable classes and methods base64 encoded
# Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure']
#for item in keywords:
# pad='\x00'
# for padding in xrange(3):
# print base64.b64encode(''.join([pad*padding,item])).replace('=','')[padding:],
#cnVudGltZQ HJ1bnRpbWU BydW50aW1l cHJvY2Vzc2J1aWxkZXI HByb2Nlc3NidWlsZGVy Bwcm9jZXNzYnVpbGRlcg Y2xvbmV0cmFuc2Zvcm1lcg GNsb25ldHJhbnNmb3JtZXI BjbG9uZXRyYW5zZm9ybWVy Zm9yY2xvc3VyZQ GZvcmNsb3N1cmU Bmb3JjbG9zdXJl aW5zdGFudGlhdGVmYWN0b3J5 Gluc3RhbnRpYXRlZmFjdG9yeQ BpbnN0YW50aWF0ZWZhY3Rvcnk aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg Gluc3RhbnRpYXRldHJhbnNmb3JtZXI BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy aW52b2tlcnRyYW5zZm9ybWVy Gludm9rZXJ0cmFuc2Zvcm1lcg BpbnZva2VydHJhbnNmb3JtZXI cHJvdG90eXBlY2xvbmVmYWN0b3J5 HByb3RvdHlwZWNsb25lZmFjdG9yeQ Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ d2hpbGVjbG9zdXJl HdoaWxlY2xvc3VyZQ B3aGlsZWNsb3N1cmU
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \
"id:944300,\
phase:2,\
block,\
t:none,\
msg:'Base64 encoded string matched suspicious keyword',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/248',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
# This is a stricter sibling of 944150.
# It simply checks for the existence of `${`, taking into account the same encoding evasions
# as 944150.
#
# Regular expression generated from regex-assembly/944152.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 944152
#
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)" \
"id:944152,\
phase:2,\
block,\
t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
log,\
msg:'Potential Remote Command Execution: Log4j / Log4shell',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/ATTACK-JAVA',\
tag:'capec/1000/152/137/6',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-944-APPLICATION-ATTACK-JAVA"

270
nginx/modsec/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf Normal file
View File

@ -0,0 +1,270 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Summing up the blocking and detection anomaly scores in phase 1
# even when early blocking is disabled, we need to sum up the scores in phase 1
# this prevents bugs in phase 5 if Apache skips phases because of error handling
# See: https://github.com/coreruleset/coreruleset/issues/2319#issuecomment-1047503932
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
"id:949052,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
"id:949152,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
"id:949053,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
"id:949153,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
"id:949054,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
"id:949154,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
"id:949055,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
"id:949155,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
# at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
# this is necessary because the per-PL scores are counted across phases
SecAction \
"id:949059,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_inbound_anomaly_score=0'"
SecAction \
"id:949159,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_inbound_anomaly_score=0'"
# Summing up the blocking and detection anomaly scores in phase 2
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
"id:949060,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
"id:949160,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
"id:949061,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
"id:949161,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
"id:949062,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
"id:949162,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
"id:949063,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
"id:949163,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
SecMarker "BEGIN-REQUEST-BLOCKING-EVAL"
#
# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=-
#
# if early blocking is active, check threshold in phase 1
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"id:949111,\
phase:1,\
deny,\
t:none,\
msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
chain"
SecRule TX:EARLY_BLOCKING "@eq 1"
# always check threshold in phase 2
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"id:949110,\
phase:2,\
deny,\
t:none,\
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-949-BLOCKING-EVALUATION"

99
nginx/modsec/owasp-crs/rules/REQUEST-999-COMMON-EXCEPTIONS-AFTER.conf Normal file
View File

@ -0,0 +1,99 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# This file is used as an exception mechanism to remove common false positives
# that may be encountered. This file does not contain any runtime rule-exclusions
# and so it must loaded after all the request rules have been created.
# To have a standard order, please:
#
# 1. Keep all the exceptions that target the same cookie (or cookie regexp together)
# 2. Order them by rule id.
# 3. Add a blank line when the cookie/cookie regexp changes, so it shows visually
# Google Analytics Cookies
# Matches:
# _ga
# _ga_5WLQM4K1ZX
SecRuleUpdateTargetById 932240 "!REQUEST_COOKIES:/^_ga(?:_\w+)?$/"
SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:/^_ga(?:_\w+)?$/"
SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:/^_ga(?:_\w+)?$/"
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:/^_ga(?:_\w+)?$/"
SecRuleUpdateTargetById 942550 "!REQUEST_COOKIES:/^_ga(?:_\w+)?$/"
# Google Ads Cookie
SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:__gads"
SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:__gads"
SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:__gads"
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:__gads"
SecRuleUpdateTargetById 942550 "!REQUEST_COOKIES:__gads"
SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:__gpi"
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:__gpi"
# Google Funding Choices cookie
SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:FCCDCF"
SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:FCCDCF"
SecRuleUpdateTargetById 942340 "!REQUEST_COOKIES:FCCDCF"
SecRuleUpdateTargetById 942370 "!REQUEST_COOKIES:FCCDCF"
SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:FCCDCF"
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:FCCDCF"
SecRuleUpdateTargetById 942490 "!REQUEST_COOKIES:FCCDCF"
SecRuleUpdateTargetById 942550 "!REQUEST_COOKIES:FCCDCF"
# Security cookie for Google Ads
SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:__eoi"
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:__eoi"
# Google Analytics Funding Choices cookie
SecRuleUpdateTargetById 942340 "!REQUEST_COOKIES:FCNEC"
SecRuleUpdateTargetById 942370 "!REQUEST_COOKIES:FCNEC"
SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:FCNEC"
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:FCNEC"
# Prebid.js share cookie
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:sharedid"
# Microsoft Clarity tracking cookie
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:_clsk"
# Microsoft Clarity marketing cookie
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:_clck"
# AWS Load balancer cookie
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:_awl"
# Prebid.js Cookie
# Matches:
# pbjs-id5id
SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:/^pbjs-\w+$/"
SecRuleUpdateTargetById 942200 "!REQUEST_COOKIES:/^pbjs-\w+$/"
SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:/^pbjs-\w+$/"
SecRuleUpdateTargetById 942340 "!REQUEST_COOKIES:/^pbjs-\w+$/"
SecRuleUpdateTargetById 942370 "!REQUEST_COOKIES:/^pbjs-\w+$/"
SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:/^pbjs-\w+$/"
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:/^pbjs-\w+$/"
SecRuleUpdateTargetById 942490 "!REQUEST_COOKIES:/^pbjs-\w+$/"
SecRuleUpdateTargetById 942550 "!REQUEST_COOKIES:/^pbjs-\w+$/"
# Matomo Referer Cookie
SecRuleUpdateTargetById 941320 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 941330 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 941340 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 942370 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 942380 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 942390 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 942400 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 942410 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 942440 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 942450 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 942470 "!REQUEST_COOKIES:/^_pk_ref/"
SecRuleUpdateTargetById 942480 "!REQUEST_COOKIES:/^_pk_ref/"

181
nginx/modsec/owasp-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf Normal file
View File

@ -0,0 +1,181 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# We reused paranoia level skip rules 950010, 950011, and 950018.
# These rule identifiers were in use in CRSv2, so we used different
# identifiers in CRSv3 to avoid conflicts (950020, 950021 and 950022).
# In CRSv4, for the sake of a consistent structure, we use these
# identifiers again, so that the skip rules of PL can be defined in the
# same way for all files.
# Rule id 950130 has been kept - this ID also was introduced at first
# rule to avoid the collision.
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Skip all rules if TX:crs_skip_response_analysis is set.
SecRule TX:crs_skip_response_analysis "@eq 1" \
"id:950021,\
phase:3,\
pass,\
nolog,\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
# Skip all rules if RESPONSE_BODY is compressed.
SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
"id:950010,\
phase:4,\
pass,\
nolog,\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Directory Listing ]=-
#
SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]</[Aa]><br>)" \
"id:950130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Directory Listing',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES',\
tag:'capec/1000/118/116/54/127',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
# -=[ CGI Source Code Leakage ]=-
#
# A CGI script begins normally with #! and the interpreter,
# for example:
#
# #!/usr/bin/perl
# #!/usr/bin/python
# #!/usr/bin/ruby
#
# If the CGI script processors or MIME type handlers are misconfigured,
# the script's source code could be erroneously returned to the client.
SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
"id:950140,\
phase:4,\
block,\
capture,\
t:none,\
msg:'CGI source code leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
# -=[ ASP.NET Errors ]=-
#
SecRule RESPONSE_BODY "@pmFromFile asp-dotnet-errors.data" \
"id:950150,\
phase:4,\
block,\
capture,\
t:none,\
msg:'ASP.NET exception leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-aspnet',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES',\
tag:'capec/1000/118/116/54/127',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
#
# -=[ The application is not available - 5xx level status code ]=-
#
SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
"id:950100,\
phase:3,\
block,\
capture,\
t:none,\
msg:'The Application Returned a 500-Level Status Code',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES',\
tag:'capec/1000/152',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-950-DATA-LEAKAGES"

435
nginx/modsec/owasp-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf Normal file
View File

@ -0,0 +1,435 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Skip all rules if RESPONSE_BODY is compressed.
SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
"id:951010,\
phase:4,\
pass,\
nolog,\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ SQL Error Leakages ]=-
#
# Ref: https://github.com/sqlmapproject/sqlmap
# Ref: https://github.com/Arachni/arachni/tree/master/components/checks/active/sql_injection/regexps
#
SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
"id:951100,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-SQL-ERROR-MATCH-PL1"
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
"id:951110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Microsoft Access SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-msaccess',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
# Regular expression generated from regex-assembly/951120.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 951120
#
SecRule RESPONSE_BODY "@rx (?i)\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\.sql\.SQLException|Oracle(?: erro|[^\(\)]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})" \
"id:951120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Oracle SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-oracle',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
"id:951130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'DB2 SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-db2',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
"id:951140,\
phase:4,\
block,\
capture,\
t:none,\
msg:'EMC SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-emc',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
"id:951150,\
phase:4,\
block,\
capture,\
t:none,\
msg:'firebird SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-firebird',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
"id:951160,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Frontbase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-frontbase',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
"id:951170,\
phase:4,\
block,\
capture,\
t:none,\
msg:'hsqldb SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-hsqldb',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
"id:951180,\
phase:4,\
block,\
capture,\
t:none,\
msg:'informix SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-informix',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
"id:951190,\
phase:4,\
block,\
capture,\
t:none,\
msg:'ingres SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-ingres',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
"id:951200,\
phase:4,\
block,\
capture,\
t:none,\
msg:'interbase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-interbase',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)Warning.{1,10}maxdb[\(\)_a-z:]{1,26}:" \
"id:951210,\
phase:4,\
block,\
capture,\
t:none,\
msg:'maxDB SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-maxdb',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function '.{1,128}' expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \
"id:951220,\
phase:4,\
block,\
capture,\
t:none,\
msg:'mssql SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-mssql',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
# Regular expression generated from regex-assembly/951230.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 951230
#
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(\)_a-z]{1,26})?|(?:ERROR [0-9]{4} \([0-9a-z]{5}\)|XPATH syntax error):" \
"id:951230,\
phase:4,\
block,\
capture,\
t:none,\
msg:'mysql SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-mysql',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
# Regular expression generated from regex-assembly/951240.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 951240
#
SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)\(\) \[|org\.postgresql\.util\.PSQLException):|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" \
"id:951240,\
phase:4,\
block,\
capture,\
t:none,\
msg:'postgres SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-pgsql',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
"id:951250,\
phase:4,\
block,\
capture,\
t:none,\
msg:'sqlite SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-sqlite',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message)" \
"id:951260,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Sybase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-sybase',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecMarker "END-SQL-ERROR-MATCH-PL1"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-951-DATA-LEAKAGES-SQL"

86
nginx/modsec/owasp-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf Normal file
View File

@ -0,0 +1,86 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Skip all rules if RESPONSE_BODY is compressed.
SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
"id:952010,\
phase:4,\
pass,\
nolog,\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-JAVA',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Java Errors ]=-
#
# Ref: https://github.com/andresriancho/w3af/blob/master/w3af/plugins/grep/error_pages.py
#
SecRule RESPONSE_BODY "@rx (?i)\b(?:java[\.a-z]+E(?:xception|rror)|(?:org|com)\.[\.a-z]+Exception|Exception in thread \"[^\"]*\"|at[\s\x0b]+(?:ja(?:vax?|karta)|org|com))\b" \
"id:952110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Java Errors',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-JAVA',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-952-DATA-LEAKAGES-JAVA"

160
nginx/modsec/owasp-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf Normal file
View File

@ -0,0 +1,160 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Skip all rules if RESPONSE_BODY is compressed.
SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
"id:953010,\
phase:4,\
pass,\
nolog,\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ PHP Error Message Leakage ]=-
#
SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
"id:953100,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PHP Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
# -=[ PHP source code leakage ]=-
#
# Detect some common PHP keywords in output.
#
SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
"id:953110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PHP source code leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
# Detect the presence of the PHP open tag "<? ", "<?= " or "<?php " in output.
#
# To prevent false positives (due to the short "<?" sequences), we also include,
# the space after it in an attempt to stop alerts in binary output.
# And we make it case insensitive.
#
SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
"id:953120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PHP source code leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
#
# -=[ PHP Error Message Leakage ]=-
#
# This is a stricter sibling of rule 953100.
# This stricter sibling checks for additional error messages which has a higher chance to appear in common language and uses regular
# expressions to reduce false positives where possible.
#
SecRule RESPONSE_BODY "@rx (?i)Empty string|F(?:ile size is|reeing memory)|Header (?:name )?\"|Invalid date|No active class|(?:Out of memor|cannot be empt)y|Pa(?:ir level|ssword is too long)|Re(?:ading file|starting!)|S(?:ession is not active|tatic function\b)|T(?:elling\.\.\.|he function\b)|(?:Unknown reas|invalid opti)on|e(?:mpty password|rror reading)" \
"id:953101,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PHP Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-953-DATA-LEAKAGES-PHP"

178
nginx/modsec/owasp-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf Normal file
View File

@ -0,0 +1,178 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Skip all rules if RESPONSE_BODY is compressed.
SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
"id:954010,\
phase:4,\
pass,\
nolog,\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
# IIS default location
# This rule has a stricter sibling 954101, which also detects the path, but without the drive letter.
SecRule RESPONSE_BODY "@rx (?i)[a-z]:[\x5c/]inetpub\b" \
"id:954100,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Disclosure of IIS install location',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error\.</h2>|cannot connect to the server: timed out)" \
"id:954110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Application Availability Error',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
# IIS Errors leakage
#
SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
"id:954120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'IIS Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule RESPONSE_STATUS "!@rx ^404$" \
"id:954130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'IIS Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
"capture,\
t:none,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
# This rule is a stricter sibling of rule 954100, which also detects the path but must start with a
# drive letter.
# IIS default location
SecRule RESPONSE_BODY "@rx (?i)[\x5c/]inetpub\b" \
"id:954101,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Disclosure of IIS install location',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-954-DATA-LEAKAGES-IIS"

607
nginx/modsec/owasp-crs/rules/RESPONSE-955-WEB-SHELLS.conf Normal file
View File

@ -0,0 +1,607 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Skip all rules if RESPONSE_BODY is compressed.
SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
"id:955010,\
phase:4,\
pass,\
nolog,\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
# For performance reasons, most of the shells are matched using this rule.
# This rule is intended for PHP web shells.
SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
"id:955100,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PHP Web shell detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# r57 web shell
SecRule RESPONSE_BODY "@rx <title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>" \
"id:955110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'r57 web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# WSO web shell
SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=(?:Windows-1251|UTF-8)?'><title>.*?(?: -)? W[Ss][Oo] [0-9.]+</title>" \
"id:955120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'WSO web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# b4tm4n web shell (https://github.com/k4mpr3t/b4tm4n)
SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>[^<]*<meta name='author' content='k4mpr3t'/>" \
"id:955130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'b4tm4n web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Mini Shell web shell
SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>[^D]*Developed By LameHacker" \
"id:955140,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Mini Shell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Ashiyane web shell
SecRule RESPONSE_BODY "@rx <title>\.:: [^~]*~ Ashiyane V [0-9.]+ ::\.</title>" \
"id:955150,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Ashiyane web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Symlink_Sa web shell
SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
"id:955160,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Symlink_Sa web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# CasuS web shell
SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
"id:955170,\
phase:4,\
block,\
capture,\
t:none,\
msg:'CasuS web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# GRP WebShell
SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
"id:955180,\
phase:4,\
block,\
capture,\
t:none,\
msg:'GRP WebShell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# NGHshell web shell
SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
"id:955190,\
phase:4,\
block,\
capture,\
t:none,\
msg:'NGHshell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# SimAttacker web shell
SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " \
"id:955200,\
phase:4,\
block,\
capture,\
t:none,\
msg:'SimAttacker web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Unknown web shell
SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum [^<]*<title>Web Shell</title>" \
"id:955210,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Unknown web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# lama's'hell web shell
SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
"id:955220,\
phase:4,\
block,\
capture,\
t:none,\
msg:'lama\'s\'hell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# lostDC web shell
SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
"id:955230,\
phase:4,\
block,\
capture,\
t:none,\
msg:'lostDC web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Unknown web shell
SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n <!-- Replaces command with Base64-encoded Data -->" \
"id:955240,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Unknown web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Unknown web shell
SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\">Input command :</font></div>\n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">" \
"id:955250,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Unknown web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Ru24PostWebShell web shell
# Removed '- ' from the end of the pattern so this file won't get detected as
# malware by Windows Defender.
SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell " \
"id:955260,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Ru24PostWebShell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# s72 Shell web shell
SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" \
"id:955270,\
phase:4,\
block,\
capture,\
t:none,\
msg:'s72 Shell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# PhpSpy web shell
SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">\r\n<title>PhpSpy Ver [0-9]+</title>" \
"id:955280,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PhpSpy web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# g00nshell web shell
SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
"id:955290,\
phase:4,\
block,\
capture,\
t:none,\
msg:'g00nshell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# PuNkHoLic shell web shell
# Various versions has this text written little differently so we need to do
# t:removeWhitespace and t:lowercase.
SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
"id:955300,\
phase:4,\
block,\
capture,\
t:none,t:removeWhitespace,t:lowercase,\
msg:'PuNkHoLic shell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# azrail web shell
SecRule RESPONSE_BODY "@rx ^<html>\n <head>\n <title>azrail [0-9.]+ by C-W-M</title>" \
"id:955310,\
phase:4,\
block,\
capture,\
t:none,\
msg:'azrail web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# SmEvK_PaThAn Shell web shell
SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
"id:955320,\
phase:4,\
block,\
capture,\
t:none,\
msg:'SmEvK_PaThAn Shell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Shell I web shell
SecRule RESPONSE_BODY "@rx ^<html>\n<title>[^~]*~ Shell I</title>\n<head>\n<style>" \
"id:955330,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Shell I web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# b374k m1n1 web shell
SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" \
"id:955340,\
phase:4,\
block,\
capture,\
t:none,\
msg:'b374k m1n1 web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# This rule is intended for ASP web shells.
SecRule RESPONSE_BODY "@pmFromFile web-shells-asp.data" \
"id:955400,\
phase:4,\
block,\
capture,\
t:none,\
msg:'ASP Web shell detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
# webadmin.php file manager
# This is placed in PL2 because of too generic pattern.
SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>" \
"id:955350,\
phase:4,\
block,\
capture,\
t:none,\
msg:'webadmin.php file manager',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB-SHELLS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-955-WEB-SHELLS"

105
nginx/modsec/owasp-crs/rules/RESPONSE-956-DATA-LEAKAGES-RUBY.conf Normal file
View File

@ -0,0 +1,105 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Skip all rules if RESPONSE_BODY is compressed.
SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
"id:956010,\
phase:4,\
pass,\
nolog,\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-RUBY',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-RESPONSE-956-DATA-LEAKAGES-RUBY"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:956011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-956-DATA-LEAKAGES-RUBY"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:956012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-956-DATA-LEAKAGES-RUBY"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ RUBY Error Message Leakage ]=-
#
SecRule RESPONSE_BODY "@pmFromFile ruby-errors.data" \
"id:956100,\
phase:4,\
block,\
capture,\
t:none,\
msg:'RUBY Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-ruby',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-RUBY',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:956013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-956-DATA-LEAKAGES-RUBY"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:956014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-956-DATA-LEAKAGES-RUBY"
# Detect the presence of the Ruby ERB templates "<%", "<%= " and slim interpolation "#{}" in output.
#
# To prevent false positives (due to the short "<%" sequences), we also check for [#=\s] after an opening tag.
#
# This rule is placed at PL-2 since it also matches common templating format with various JavaScript templating engines.
#
SecRule RESPONSE_BODY "@rx (?i)(?:<%[=#\s]|#\{[^}]+\})" \
"id:956110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Ruby source code leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-ruby',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-RUBY',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:956015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-956-DATA-LEAKAGES-RUBY"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:956016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-956-DATA-LEAKAGES-RUBY"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:956017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-956-DATA-LEAKAGES-RUBY"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:956018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-956-DATA-LEAKAGES-RUBY"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-956-DATA-LEAKAGES-RUBY"

280
nginx/modsec/owasp-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf Normal file
View File

@ -0,0 +1,280 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match. If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "@gt 20". This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
# You should also set the desired disruptive action (deny, redirect, etc...).
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Summing up the blocking and detection anomaly scores in phase 3
# even when early blocking is disabled, we need to sum up the scores in phase 3
# this prevents bugs in phase 5 if Apache skips phases because of error handling
# See: https://github.com/coreruleset/coreruleset/issues/2319#issuecomment-1047503932
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
"id:959052,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
"id:959152,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
"id:959053,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
"id:959153,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
"id:959054,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
"id:959154,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
"id:959055,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
"id:959155,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
# at start of phase 4, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
# this is necessary because the per-PL scores are counted across phases
SecAction \
"id:959059,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_outbound_anomaly_score=0'"
SecAction \
"id:959159,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_outbound_anomaly_score=0'"
SecMarker "EARLY_BLOCKING_ANOMALY_SCORING"
# Summing up the blocking and detection anomaly scores in phase 4
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
"id:959060,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
"id:959160,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
"id:959061,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
"id:959161,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
"id:959062,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
"id:959162,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
"id:959063,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
"id:959163,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
#
# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=-
#
# if early blocking is active, check threshold in phase 3
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
"id:959101,\
phase:3,\
deny,\
t:none,\
msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{tx.blocking_outbound_anomaly_score})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
chain"
SecRule TX:EARLY_BLOCKING "@eq 1"
# always check threshold in phase 4
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
"id:959100,\
phase:4,\
deny,\
t:none,\
msg:'Outbound Anomaly Score Exceeded (Total Score: %{tx.blocking_outbound_anomaly_score})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"

138
nginx/modsec/owasp-crs/rules/RESPONSE-980-CORRELATION.conf Normal file
View File

@ -0,0 +1,138 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# This file is used in post processing after the response has been sent to
# the client (in the logging phase). Its purpose is to provide inbound+outbound
# correlation of events to provide a more intelligent designation as to the outcome
# or result of the transaction - meaning, was this a successful attack?
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Combine inbound and outbound scores
SecAction \
"id:980099,\
phase:5,\
pass,\
t:none,\
nolog,\
noauditlog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev',\
setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
setvar:'tx.detection_anomaly_score=+%{tx.detection_outbound_anomaly_score}',\
setvar:'tx.anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
setvar:'tx.anomaly_score=+%{tx.blocking_outbound_anomaly_score}'"
#
# -=[ Anomaly Score Reporting ]=-
#
# -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0)
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING"
# -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater)
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
# -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0)
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING"
# -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold)
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
# -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2)
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING"
# -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold)
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
# -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3)
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING"
# -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero)
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
# -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4)
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING"
# At this point, the reporting level is 4 and there's a non-zero detection
# score (already established by rule 980043) so fall through to the reporting
# rule.
# Requests that land on the following SecMarker:
# - At reporting level 5 (unconditional reporting)
# - At reporting levels 1-4 when a blocking score exceeds a threshold
# - At reporting levels 2-4 when a detection score exceeds a threshold
# - At reporting levels 3-4 when the total blocking score is greater than zero
# - At reporting level 4 when the total detection score is greater than zero
SecMarker "LOG-REPORTING"
# Inbound and outbound - all requests
SecAction \
"id:980170,\
phase:5,\
pass,\
t:none,\
noauditlog,\
msg:'Anomaly Scores: \
(Inbound Scores: blocking=%{tx.blocking_inbound_anomaly_score}, detection=%{tx.detection_inbound_anomaly_score}, per_pl=%{tx.inbound_anomaly_score_pl1}-%{tx.inbound_anomaly_score_pl2}-%{tx.inbound_anomaly_score_pl3}-%{tx.inbound_anomaly_score_pl4}, threshold=%{tx.inbound_anomaly_score_threshold}) - \
(Outbound Scores: blocking=%{tx.blocking_outbound_anomaly_score}, detection=%{tx.detection_outbound_anomaly_score}, per_pl=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4}, threshold=%{tx.outbound_anomaly_score_threshold}) - \
(SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
tag:'reporting',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.24.0-dev'"
SecMarker "END-REPORTING"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-980-CORRELATION"

76
nginx/modsec/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example Normal file
View File

@ -0,0 +1,76 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# The purpose of this file is to hold LOCAL exceptions for your site.
# The types of rules that would go into this file are one where you want
# to unconditionally disable rules or modify their actions during startup.
#
# Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
# for a description of the rule exclusions mechanism and the correct
# use of this file.
#
#
# Example Exclusion Rule: To unconditionally disable a rule ID
#
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
# SecRuleRemoveById 942100
# Example Exclusion Rule: Remove a group of rules
#
# ModSecurity Rule Exclusion: Disable PHP injection rules
# SecRuleRemoveByTag "attack-injection-php"
#
# Example Exclusion Rule: To unconditionally remove parameter "foo" from
# inspection for SQLi rules
#
# ModSecurity Rule Exclusion: disable sqli rules for parameter foo.
# SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo"
# -- [[ Changing the Disruptive Action for Anomaly Mode ]] --
#
# In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf
# and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores
# against your policy. To apply a disruptive action, they overwrite the default
# actions specified in SecDefaultAction (setup.conf) with a 'deny' action.
# This 'deny' is by default paired with a 'status:403' action.
#
# In order to change the disruptive action from 'deny' to something else,
# you must use SecRuleUpdateActionByID directives AFTER the CRS rules
# are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file.
#
# These actions only apply when using Anomaly Mode.
#
# Default action: block with error 403
# (No configuration needed in this file if you want the default behavior.)
#
# Example: redirect back to the homepage on blocking
#
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'"
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'"
# Example: redirect to another URL on blocking
#
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'"
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'"
# Example: send an error 404
#
# SecRuleUpdateActionById 949110 "t:none,deny,status:404"
# SecRuleUpdateActionById 959100 "t:none,deny,status:404"
# Example: drop the connection (best for DoS attacks)
#
# SecRuleUpdateActionById 949110 "t:none,drop"
# SecRuleUpdateActionById 959100 "t:none,drop"

95
nginx/modsec/owasp-crs/rules/asp-dotnet-errors.data Normal file
View File

@ -0,0 +1,95 @@
# This file contains a list of common errors and exceptions encountered in ASP.NET applications.
#
### Core .NET Exceptions
# - System.Exception Types: https://learn.microsoft.com/en-us/dotnet/api/system.exception?view=netframework-4.8#derived
# - System Namespace: https://learn.microsoft.com/en-us/dotnet/api/system?view=netframework-4.8
#
### ASP.NET Specific Errors
# - ASP.NET Error Handling: https://learn.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-getting-started/aspnet-ajax/understanding-asp-net-ajax-debugging-capabilities
# - HttpException Class: https://learn.microsoft.com/en-us/dotnet/api/system.web.httpexception?view=netframework-4.8
#
### MVC Errors
# - System.Web.Mvc Namespace: https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc?view=aspnet-mvc-5.2
# - ASP.NET MVC Error Handling: https://learn.microsoft.com/en-us/aspnet/mvc/overview/older-versions-1/controllers-and-routing/handling-errors
#
### Entity Framework Errors
# - System.Data.Entity.Core.EntityException: https://learn.microsoft.com/en-us/dotnet/api/system.data.entity.core.entityexception?view=entity-framework-6.2.0
# - Entity Framework Exception Types: https://learn.microsoft.com/en-us/dotnet/api/system.data.entity.infrastructure?view=entity-framework-6.2.0
#
### Identity and Authentication Errors
# - Microsoft.AspNet.Identity Namespace: https://learn.microsoft.com/en-us/previous-versions/aspnet/dn613291(v=vs.108)
# - Microsoft.Owin.Security Namespace: https://learn.microsoft.com/en-us/previous-versions/dn308572(v=owin.2.0)
#
### Web API Errors
# - System.Web.Http Namespace: https://learn.microsoft.com/en-us/dotnet/api/system.web.http?view=aspnetwebapi-5.2
# - Exception Handling in ASP.NET Web API: https://learn.microsoft.com/en-us/aspnet/web-api/overview/error-handling/exception-handling
#
# Core .NET Exceptions
System.NullReferenceException
System.ArgumentException
System.InvalidOperationException
System.IndexOutOfRangeException
System.IO.IOException
System.Net.WebException
System.OutOfMemoryException
System.StackOverflowException
System.FormatException
System.DivideByZeroException
System.ArgumentNullException
System.ArgumentOutOfRangeException
System.NotImplementedException
System.NotSupportedException
System.Data.SqlClient.SqlException
System.UnauthorizedAccessException
System.Security.SecurityException
System.Web.HttpException
# ASP.NET Specific Errors
HttpException
ViewStateException
HttpRequestValidationException
HttpCompileException
HttpParseException
HttpUnhandledException
HttpRequestWrapper
HttpResponseWrapper
HttpServerUtilityWrapper
HttpSessionStateWrapper
HttpStaticObjectsCollectionWrapper
# MVC Errors
System.Web.Mvc.HttpAntiForgeryException
System.Web.Mvc.Controller
System.Web.Mvc.ActionResult
System.Web.Mvc.ViewResult
System.Web.Mvc.RedirectResult
System.Web.Mvc.RedirectToRouteResult
System.Web.Mvc.JsonResult
System.Web.Mvc.ContentResult
System.Web.Mvc.HttpStatusCodeResult
System.Web.Mvc.FileResult
System.Web.Mvc.View
System.Web.Mvc.PartialViewResult
# Entity Framework Errors
System.Data.Entity.Core.EntityException
System.Data.Entity.Infrastructure.DbUpdateException
System.Data.Entity.Validation.DbEntityValidationException
System.Data.Entity.Core.OptimisticConcurrencyException
System.Data.Entity.Infrastructure.DbUpdateConcurrencyException
# Identity and Authentication Errors
Microsoft.AspNet.Identity.IdentityResult
Microsoft.AspNet.Identity.UserManager
Microsoft.AspNet.Identity.SignInManager
Microsoft.AspNet.Identity.RoleManager
Microsoft.AspNet.Identity.Owin
Microsoft.Owin.Security
Microsoft.Owin.Security.DataProtection
# Web API Errors
System.Web.Http.HttpResponseException
System.Web.Http.HttpRequestException
System.Web.Http.HttpError
System.Web.Http.HttpRouteCollection

59
nginx/modsec/owasp-crs/rules/iis-errors.data Normal file
View File

@ -0,0 +1,59 @@
# This list comes from the default IIS error pages
# To renerate get the files from a default installation and use:
# grep -h '<title' *.htm
<title>401.1 - Unauthorized: Access is denied due to invalid credentials.</title>
<title>401.2 - Unauthorized: Access is denied due to server configuration.</title>
<title>401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.</title>
<title>401.4 - Unauthorized: Authorization failed by filter installed on the Web server.</title>
<title>401.5 - Unauthorized: Authorization failed by an ISAPI/CGI application.</title>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<title>403.1 - Forbidden: Execute access is denied.</title>
<title>403.10 - Forbidden: Web server is configured to deny Execute access.</title>
<title>403.11 - Forbidden: Password has been changed.</title>
<title>403.12 - Forbidden: Client certificate is denied access by the server certificate mapper.</title>
<title>403.13 - Forbidden: Client certificate has been revoked on the Web server.</title>
<title>403.14 - Forbidden: Directory listing denied.</title>
<title>403.15 - Forbidden: Client access licenses have exceeded limits on the Web server.</title>
<title>403.16 - Forbidden: Client certificate is ill-formed or is not trusted by the Web server.</title>
<title>403.17 - Forbidden: Client certificate has expired or is not yet valid.</title>
<title>403.18 - Forbidden: Cannot execute requested URL in the current application pool.</title>
<title>403.19 - Forbidden: Cannot execute CGIs for the client in this application pool.</title>
<title>403.2 - Forbidden: Read access is denied.</title>
<title>403.3 - Forbidden: Write access is denied.</title>
<title>403.4 - Forbidden: SSL is required to view this resource.</title>
<title>403.5 - Forbidden: SSL 128 is required to view this resource.</title>
<title>403.6 - Forbidden: IP address of the client has been rejected.</title>
<title>403.7 - Forbidden: SSL client certificate is required.</title>
<title>403.8 - Forbidden: DNS name of the client is rejected.</title>
<title>403.9 - Forbidden: Too many clients are trying to connect to the Web server.</title>
<title>403 - Forbidden: Access is denied.</title>
<title>404.1 - File or directory not found: Web site not accessible on the requested port.</title>
<title>404.11 - URL is double-escaped.</title>
<title>404.12 - URL has high bit characters.</title>
<title>404.14 - URL too long.</title>
<title>404.15 - Query-String too long.</title>
<title>404.2 - File or directory not found: Lockdown policy prevents this request.</title>
<title>404.3 - File or directory not found: MIME map policy prevents this request.</title>
<title>404.4 - File or directory not found: No module handler is registered to handle the request.</title>
<title>404.5 - URL sequence denied.</title>
<title>404.6 - HTTP verb denied.</title>
<title>404.7 - File extension denied.</title>
<title>404.8 - URL namespace hidden.</title>
<title>404.9 - File attribute hidden.</title>
<title>404 - File or directory not found.</title>
<title>405 - HTTP verb used to access this page is not allowed.</title>
<title>406 - Client browser does not accept the MIME type of the requested page.</title>
<title>412 - Precondition set by the client failed when evaluated on the Web server.</title>
<title>413.1 - Content-Length too large.</title>
<title>431 - Request header too long.</title>
<title>500.13 - Server error: Web server is too busy.</title>
<title>500.14 - Server error: Invalid application configuration on the server.</title>
<title>500.15 - Server error: Direct requests for GLOBAL.ASA are not allowed.</title>
<title>500.16 - Server error: UNC authorization credentials incorrect.</title>
<title>500.17 - Server error: URL authorization store cannot be found.</title>
<title>500.18 - Server error: URL authorization store cannot be opened.</title>
<title>500.19 - Server error: Data for this file is configured improperly.</title>
<title>500 - Internal server error.</title>
<title>501 - Header values specify a method that is not implemented.</title>
<title>502 - Web server received an invalid response while acting as a gateway or proxy server.</title>

82
nginx/modsec/owasp-crs/rules/java-classes.data Normal file
View File

@ -0,0 +1,82 @@
# Java Classes for use with Java RCEs
#
# Used With Rule 944130 in Apache Struts and Oracle Weblogic RCEs Detection:
#
# CVE-2017-5638 (2017.01.29) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
# CVE-2017-9791 (2017.06.21) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9791
# CVE-2017-9805 (2017.06.21) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805
# CVE-2017-10271 (2017.06.21) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271
# CVE-2018-11776 (2018.06.05) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
# CVE-2021-44228 (2021.11.26) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
#
# Additional Resources
# Apache S2-057 (2019.01.20) https://cwiki.apache.org/confluence/display/WW/S2-057
com.opensymphony.xwork2
com.sun.org.apache
classLoader
declaredClass
freemarker.core
freemarker.template
freemarker.ext.rhino
java.io.BufferedInputStream
java.io.BufferedReader
java.io.ByteArrayInputStream
java.io.ByteArrayOutputStream
java.io.CharArrayReader
java.io.DataInputStream
java.io.File
java.io.FileOutputStream
java.io.FilePermission
java.io.FileWriter
java.io.FilterInputStream
java.io.FilterOutputStream
java.io.FilterReader
java.io.InputStream
java.io.IOException
java.io.LineNumberReader
java.io.ObjectInputStream
java.io.ObjectOutputStream
java.io.OutputStream
java.io.PipedOutputStream
java.io.PipedReader
java.io.PrintStream
java.io.PushbackInputStream
java.io.Reader
java.io.StringReader
java.lang.Class
java.lang.Enum
java.lang.Integer
java.lang.Number
java.lang.Object
java.lang.Process
java.lang.ProcessBuilder
java.lang.reflect
java.lang.Runtime
java.lang.String
java.lang.System
java.net.HttpURLConnection
java.net.JarURLConnection
java.net.DatagramSocket
java.net.MulticastSocket
java.net.ServerSocket
java.net.Socket
java.net.URL
javassist
javax.naming.InitialContext
javax.script.ScriptEngineManager
javax.xml.parsers
javax.xml.stream
OgnlContext
OgnlUtil
org.apache.commons
org.apache.struts
org.apache.struts2
org.dom4j.io.SAXReader
org.jdom2.input.SAXBuilder
org.omg.CORBA
org.xml.sax
PropertyUtilsBean
java.beans.XMLDecode
java.nio.file
sun.reflect

1017
nginx/modsec/owasp-crs/rules/lfi-os-files.data Normal file
View File

File diff suppressed because it is too large Load Diff

2127
nginx/modsec/owasp-crs/rules/php-errors.data Normal file
View File

File diff suppressed because it is too large Load Diff

235
nginx/modsec/owasp-crs/rules/php-function-names-933150.data Normal file
View File

@ -0,0 +1,235 @@
##! File autogenerated by util/php-dictionary-gen with: -a 30 -F 90000 -s ../fp-finder/spell.sh
array_diff_uassoc
array_diff_ukey
array_filter
array_intersect_uassoc
array_intersect_ukey
array_key_exists
array_map
array_push
array_reduce
array_shift
array_udiff
array_udiff_assoc
array_udiff_uassoc
array_uintersect
array_uintersect_assoc
array_uintersect_uassoc
array_values
base64_decode
base64_encode
bson_decode
bson_encode
bzdecompress
bzopen
call_user_func
class_exists
convert_uuencode
curl_exec
curl_file_create
curl_init
debug_backtrace
dirname
error_reporting
escapeshellarg
escapeshellcmd
exif_imagetype
exif_read_data
exif_tagname
exif_thumbnail
fclose
file_exists
file_get_contents
finfo_open
fsockopen
ftp_connect
ftp_get
ftp_nb_get
ftp_nb_put
ftp_put
function_exists
fwrite
get_cfg_var
get_class
get_class_methods
get_class_vars
get_current_user
get_defined_constants
get_defined_functions
get_defined_vars
get_meta_tags
getcwd
getenv
getimagesize
getlastmod
getmygid
getmyinode
getmypid
getmyuid
gzcompress
gzdecode
gzdeflate
gzencode
gzfile
gzinflate
gzopen
gzread
gzuncompress
gzwrite
hash_file
hash_hmac_file
hash_update_file
header_register_callback
hex2bin
highlight_file
html_entity_decode
htmlentities
htmlspecialchars
htmlspecialchars_decode
image2wbmp
imagecreatefromgif
imagecreatefromjpeg
imagecreatefrompng
imagecreatefromwbmp
imagecreatefromxbm
imagecreatefromxpm
imagegd
imagegd2
ini_get
ini_get_all
ini_set
iptcembed
is_array
is_dir
is_executable
is_file
is_int
is_null
is_numeric
is_object
is_readable
is_writable
is_writeable
iterator_apply
json_decode
json_encode
mb_ereg
mb_ereg_match
mb_ereg_replace
mb_ereg_replace_callback
mb_eregi
mb_eregi_replace
mb_parse_str
md5_file
method_exists
move_uploaded_file
mysql_query
number_format
ob_clean
ob_end_clean
ob_end_flush
ob_flush
ob_get_clean
ob_get_contents
ob_get_flush
ob_start
odbc_connect
odbc_exec
odbc_execute
odbc_result
odbc_result_all
parse_ini_file
parse_str
parse_url
pfsockopen
pg_connect
pg_execute
pg_prepare
pg_query
php_strip_whitespace
php_uname
phpversion
posix_getegid
posix_geteuid
posix_getgid
posix_getlogin
posix_getpwnam
posix_getpwuid
posix_kill
posix_mkfifo
posix_mknod
posix_ttyname
preg_match
preg_match_all
preg_replace
preg_replace_callback
preg_replace_callback_array
preg_split
print_r
proc_close
proc_get_status
proc_nice
proc_open
proc_terminate
putenv
rawurldecode
rawurlencode
read_exif_data
readdir
readgzfile
register_shutdown_function
register_tick_function
rename_function
runkit_constant_add
runkit_constant_redefine
runkit_function_add
runkit_function_copy
runkit_function_redefine
runkit_function_rename
runkit_method_add
runkit_method_copy
runkit_method_redefine
runkit_method_rename
session_set_save_handler
session_start
set_error_handler
set_exception_handler
set_include_path
set_magic_quotes_runtime
setdefaultstub
settype
sha1_file
shell_exec
show_source
simplexml_load_file
simplexml_load_string
socket_connect
socket_create
spl_autoload_register
sqlite_array_query
sqlite_create_aggregate
sqlite_create_function
sqlite_exec
sqlite_open
sqlite_popen
sqlite_query
sqlite_single_query
sqlite_unbuffered_query
str_replace
stream_context_create
stream_socket_client
stripcslashes
stripslashes
strlen
strpos
strrev
strtolower
strtotime
strtoupper
uasort
ucfirst
uksort
urldecode
urlencode
var_dump
zlib_decode

30
nginx/modsec/owasp-crs/rules/php-variables.data Normal file
View File

@ -0,0 +1,30 @@
# The data in this list comes from
# https://www.php.net/manual/en/reserved.variables.php
# https://www.php.net/manual/en/language.variables.superglobals.php
# https://www.php.net/manual/en/language.constants.predefined.php
# These superglobal variables are:
$GLOBALS
$_COOKIE
$_ENV
$_FILES
$_GET
$_POST
$_REQUEST
$_SERVER
$_SESSION
$argc
$argv
$http_response_header
# Deprecated
$php_errormsg
# This is really old, completely deprecated vars (PHP >= 4 < 5.3)
$HTTP_COOKIE_VARS
$HTTP_ENV_VARS
$HTTP_GET_VARS
$HTTP_POST_FILES
$HTTP_POST_VARS
$HTTP_RAW_POST_DATA
$HTTP_REQUEST_VARS
$HTTP_SERVER_VARS

581
nginx/modsec/owasp-crs/rules/restricted-files.data Normal file
View File

@ -0,0 +1,581 @@
# Apache
# (no slash; also guards against old.htaccess, old.htpasswd, etc.)
.htaccess
.htdigest
.htpasswd
# home level dotfiles (keep in sync with lfi-os-files.data).
# Also include commented values (e.g., `# .env`), but not comments.
# grep -E "^(#\s*)?\.\S+$" lfi-os-files.data | sed 's/^#\s*//'
.access/
.addressbook
.anydesk/
.aptitude/config
.atom/
.aws/
.azure/
.bash_
.bashrc
.boto
.cache/
.cache/notify-osd.log
.cargo/
.config.local.php
.config/
.coverage
.coveralls.yml
.credentials
.cshrc
.cups/
.cvs
.dbus/
.deployment-secrets.txt
.docker/
.dockerignore
.drush/
.env
.envrc
.eslintignore
.fbcindex
.forward
.ftpconfig
.gem/
.git/
.gitattributes
.gitconfig
.gitignore
.gitkeep
.gitmodules
.gnome/
.gnome2/
.gnomerc/
.gnupg/
.google_authenticator
.gsutil/
.hg/
.hgignore
.history
.hplip/hplip.conf
.htaccess
.htdigest
.htpasswd
.ipynb_checkpoints/
.java/
.ksh_history
.kube/
.lesshst
.lftp/
.lhistory
.lighttpdpassword
.lldb-history
.local/bin/
.local/lib/
.local/share/
.local/state/
.lynx_cookies
.minikube/
.msmtprc
.my.cnf
.myscmserverinfo
.mysql_history
.nano_history
.netrc
.node_repl_history
.npm/
.npmrc
.nsconfig
.nsr
.nvm/
.oh-my-
.pac
.pass
.passwd
.password-store
.pearrc
.pgpass
.php_history
.pinerc
.pki/
.proclog
.procmailrc
.profile
.psql_history
.pwd
.pytest_cache/
.python_history
.rediscli_history
.remote-sync.json
.rhistory
.rhosts
.rustup
.s3cfg
.secrets
.selected_editor
.settings/
.sh_history
.snap/
.sqlite_history
.ssh/
.subversion/
.svn/
.svnignore
.tconn/
.tcshrc
.terraform.lock.hcl
.terraform/
.thunderbird/
.tmux.conf
.tools/
.tor/
.travis.yaml
.travis.yml
.vagrant.d/
.vidalia/
.vim/
.viminfo
.vimrc
.vmware/
.vscode
.web.config.swp
.wget-hsts
.www_acl
.wwwacl
.xauthority
.yarnrc
.zhistory
.zsh_history
.zshenv
.zshrc
# Generic config filenames and common permutations
config.asp
config_dev.asp
config-dev.asp
config.dev.asp
config_prod.asp
config-prod.asp
config.prod.asp
config.sample.asp
config-sample.asp
config_sample.asp
config_test.asp
config-test.asp
config.test.asp
config.ini
config_dev.ini
config-dev.ini
config.dev.ini
config_prod.ini
config-prod.ini
config.prod.ini
config.sample.ini
config-sample.ini
config_sample.ini
config_test.ini
config-test.ini
config.test.ini
config.json
config_dev.json
config-dev.json
config.dev.json
config_prod.json
config-prod.json
config.prod.json
config.sample.json
config-sample.json
config_sample.json
config_test.json
config-test.json
config.test.json
config.php
config_dev.php
config-dev.php
config.dev.php
config_prod.php
config-prod.php
config.prod.php
config.sample.php
config-sample.php
config_sample.php
config_test.php
config-test.php
config.test.php
config.pl
config_dev.pl
config-dev.pl
config.dev.pl
config_prod.pl
config-prod.pl
config.prod.pl
config.sample.pl
config-sample.pl
config_sample.pl
config_test.pl
config-test.pl
config.test.pl
config.py
config_dev.py
config-dev.py
config.dev.py
config_prod.py
config-prod.py
config.prod.py
config.sample.py
config-sample.py
config_sample.py
config_test.py
config-test.py
config.test.py
config.rb
config_dev.rb
config-dev.rb
config.dev.rb
config_prod.rb
config-prod.rb
config.prod.rb
config.sample.rb
config-sample.rb
config_sample.rb
config_test.rb
config-test.rb
config.test.rb
config.toml
config_dev.toml
config-dev.toml
config.dev.toml
config_prod.toml
config-prod.toml
config.prod.toml
config.sample.toml
config-sample.toml
config_sample.toml
config_test.toml
config-test.toml
config.test.toml
config.txt
config_dev.txt
config-dev.txt
config.dev.txt
config_prod.txt
config-prod.txt
config.prod.txt
config.sample.txt
config-sample.txt
config_sample.txt
config_test.txt
config-test.txt
config.test.txt
config.xml
config_dev.xml
config-dev.xml
config.dev.xml
config_prod.xml
config-prod.xml
config.prod.xml
config.sample.xml
config-sample.xml
config_sample.xml
config_test.xml
config-test.xml
config.test.xml
config.yaml
config_dev.yaml
config-dev.yaml
config.dev.yaml
config_prod.yaml
config-prod.yaml
config.prod.yaml
config.sample.yaml
config-sample.yaml
config_sample.yaml
config_test.yaml
config-test.yaml
config.test.yaml
config.yml
config_dev.yml
config-dev.yml
config.dev.yml
config_prod.yml
config-prod.yml
config.prod.yml
config.sample.yml
config-sample.yml
config_sample.yml
config_test.yml
config-test.yml
config.test.yml
config.sample.inc.php
credentials.json
secrets.json
secrets.yaml
secrets.yml
# Compressed database dumps
.sql.001
.sql.7z
.sql.bz
.sql.ace
.sql.arj
.sql.cpio
.sql.gz
.sql.lha
.sql.lz
.sql.pa
.sql.pea
.sql.r00
.sql.r01
.sql.r02
.sql.r03
.sql.r04
.sql.r05
.sql.r06
.sql.r07
.sql.r08
.sql.r09
.sql.rar
.sql.rev
.sql.tar
.sql.taz
.sql.tbz
.sql.tgz
.sql.txz
.sql.uha
.sql.xz
.sql.yz1
.sql.z
# GitLab Omnibus
gitlab.rb
gitlab_config_
initial_root_password
# AWS cli
aws.yaml
aws.yml
aws-key.yaml
aws-key.yml
# October CMS credentials file
/auth.json
# Wordpress
/debug.log
/error.log
/errors.log
wp-config.
wp-config-
wp-config_
# Symfony
/config/parameters.yml
/config/routing.yml
/config/security.yml
/config/services.yml
# Drupal
/sites/default/default.settings.php
/sites/default/settings.php
/sites/default/settings.local.php
# PrestaShop configuration files
/config/settings.inc.php
/app/config/parameters.php
# Magento
/app/etc/env.php
/app/etc/local.xml
# ASP.NET
/Web.config
# Node
/package.json
/package-lock.json
/npm-shrinkwrap.json
/gruntfile.js
/npm-debug.log
/webpack.config.js
/yarn.lock
# Composer
/composer.json
/composer.lock
/packages.json
# OSX
/.DS_Store
# WS FTP
/.ws_ftp.ini
# New Per-Project Files
.idea
nbproject/
bower.json
.bowerrc
.eslintrc
.jshintrc
.gitlab-ci.yml
.travis.yml
database.yaml
database.yml
Dockerfile
# PHP_CodeSniffer configuration files
.php_cs.dist
.phpcs.xml
phpcs.xml
.phpcs.xml.dist
phpcs.xml.dist
# Windows desktop configuration file
Desktop.ini
# Windows Explorer cache of thumbnail images
Thumbs.db
# PHP configuration files
.user.ini
php.ini
# Oracle WebLogic Server configuration file
weblogic.xml
# Common names for local PHP error logs
php_error.log
php_errors.log
# Java directory for non-public application data
WEB-INF/
# Fortinet SSL VPN session file
sslvpn_websession
# BlockCypher log file used in code examples
BlockCypher.log
# Roundcube Webmail
config.inc.php
config.sample.php
defaults.inc.php
# Contains credentials for SendGrid service
sendgrid.env
# Fish shell files
.fish
fish_variables
# CVE-2023-5003
ldap-authentication-report.csv
# OpenStack-Ansible credentials file
user_secrets.yml
# File used by Visual Studio to store sensitive data
secrets.json
# Docker definition files, first two are commented out
# as they are matched by the rest of the files
#docker-compose.yml
#docker-compose.yaml
compose.yml
compose.yaml
# CVE-2023-49103
phpinfo.php
# Python cache
__pycache__/
# Windows system ini files
boot.ini
system.ini
win.ini
# NodeJS log file
pm2.log
# Generic log filename
debug.log
# Mysql/MariaDB config file
debian.cnf
my.cnf
mysql.cnf
mysqldump.cnf
# FTP config files
ftp-sync.json
# Yarn log files
yarn-debug.log
yarn-error.log
# Code coverage config file
coverage.xml
# /proc entries (keep in sync with lfi-os-files.data)
# grep -E "^proc/" lfi-os-files.data
proc/0
proc/1
proc/2
proc/3
proc/4
proc/5
proc/6
proc/7
proc/8
proc/9
proc/acpi
proc/asound
proc/bootconfig
proc/buddyinfo
proc/bus
proc/cgroups
proc/cmdline
proc/config.gz
proc/consoles
proc/cpuinfo
proc/crypto
proc/devices
proc/diskstats
proc/dma
proc/docker
proc/driver
proc/dynamic_debug
proc/execdomains
proc/fb
proc/filesystems
proc/fs
proc/interrupts
proc/iomem
proc/ioports
proc/ipmi
proc/irq
proc/kallsyms
proc/kcore
proc/key-users
proc/keys
proc/kmsg
proc/kpagecgroup
proc/kpagecount
proc/kpageflags
proc/latency_stats
proc/loadavg
proc/locks
proc/mdstat
proc/meminfo
proc/misc
proc/modules
proc/mounts
proc/mpt
proc/mtd
proc/mtrr
proc/net
proc/pagetypeinfo
proc/partitions
proc/pressure
proc/sched_debug
proc/schedstat
proc/scsi
proc/self
proc/slabinfo
proc/softirqs
proc/stat
proc/swaps
proc/sys
proc/sysrq-trigger
proc/sysvipc
proc/thread-self
proc/timer_list
proc/timer_stats
proc/tty
proc/uptime
proc/version
proc/version_signature
proc/vmallocinfo
proc/vmstat
proc/zoneinfo
/proc/
sftp.json
# /sys entries (keep in sync with lfi-os-files.data)
# grep -E "^sys/" lfi-os-files.data
sys/block
sys/bus
sys/class
sys/dev
sys/devices
sys/firmware
sys/fs
sys/hypervisor
sys/kernel
sys/module
sys/power
/sys/
# Vite.js development server endpoints (CVE-2025-30208)
# These endpoints allow arbitrary file system access and should never be exposed
/@fs/
/@id/

436
nginx/modsec/owasp-crs/rules/restricted-upload.data Normal file
View File

@ -0,0 +1,436 @@
# This list can be generated from restricted-files.data by running the following shell command:
# body_start=$(grep -n -E -m 1 '^[^#$]' rules/restricted-upload.data | cut -d: -f1)
# ed -s rules/restricted-upload.data <<EOF
# $((body_start)),\$d
# w
# q
# EOF
# wget -O english-extended.txt https://raw.githubusercontent.com/coreruleset/coreruleset/refs/tags/v4.0.0/util/fp-finder/english-extended.txt
# tmpfile="$(mktemp)"
# awk ' !/^#/ && NF {
# n = split($0, segments, "/");
# word = segments[n];
# if (length(word) > 3) print word
# }' rules/restricted-files.data | sort | uniq > "$tmpfile"
# crs-toolchain util fp-finder "$tmpfile" -e english-extended.txt >> rules/restricted-upload.data
# rm -f "$tmpfile" english-extended.txt
.DS_Store
.access/
.addressbook
.bash_
.bashrc
.boto
.bowerrc
.cache/
.config.local.php
.coverage
.coveralls.yml
.credentials
.cshrc
.cvs
.deployment-secrets.txt
.dockerignore
.env
.envrc
.eslintignore
.eslintrc
.fbcindex
.fish
.forward
.ftpconfig
.gitattributes
.gitconfig
.gitignore
.gitkeep
.gitlab-ci.yml
.gitmodules
.google_authenticator
.hgignore
.history
.htaccess
.htdigest
.htpasswd
.idea
.ipynb_checkpoints/
.jshintrc
.ksh_history
.lesshst
.lhistory
.lighttpdpassword
.lldb-history
.lynx_cookies
.msmtprc
.my.cnf
.myscmserverinfo
.mysql_history
.nano_history
.netrc
.node_repl_history
.npmrc
.nsconfig
.nsr
.oh-my-
.pac
.pass
.passwd
.password-store
.pearrc
.pgpass
.php_cs.dist
.php_history
.phpcs.xml
.phpcs.xml.dist
.pinerc
.proclog
.procmailrc
.profile
.psql_history
.pwd
.pytest_cache/
.python_history
.rediscli_history
.remote-sync.json
.rhistory
.rhosts
.s3cfg
.secrets
.selected_editor
.settings/
.sh_history
.sql.001
.sql.7z
.sql.ace
.sql.arj
.sql.bz
.sql.cpio
.sql.gz
.sql.lha
.sql.lz
.sql.pa
.sql.pea
.sql.r00
.sql.r01
.sql.r02
.sql.r03
.sql.r04
.sql.r05
.sql.r06
.sql.r07
.sql.r08
.sql.r09
.sql.rar
.sql.rev
.sql.tar
.sql.taz
.sql.tbz
.sql.tgz
.sql.txz
.sql.uha
.sql.xz
.sql.yz1
.sql.z
.sqlite_history
.svnignore
.tcshrc
.terraform.lock.hcl
.terraform/
.tmux.conf
.tools/
.travis.yaml
.travis.yml
.user.ini
.viminfo
.vimrc
.vscode
.web.config.swp
.wget-hsts
.ws_ftp.ini
.www_acl
.wwwacl
.xauthority
.yarnrc
.zhistory
.zsh_history
.zshenv
.zshrc
BlockCypher.log
__pycache__/
acpi
asound
auth.json
aws-key.yaml
aws-key.yml
aws.yaml
aws.yml
boot.ini
bootconfig
bower.json
buddyinfo
cgroups
cmdline
compose.yaml
compose.yml
composer.json
composer.lock
config-dev.asp
config-dev.ini
config-dev.json
config-dev.php
config-dev.pl
config-dev.py
config-dev.rb
config-dev.toml
config-dev.txt
config-dev.xml
config-dev.yaml
config-dev.yml
config-prod.asp
config-prod.ini
config-prod.json
config-prod.php
config-prod.pl
config-prod.py
config-prod.rb
config-prod.toml
config-prod.txt
config-prod.xml
config-prod.yaml
config-prod.yml
config-sample.asp
config-sample.ini
config-sample.json
config-sample.php
config-sample.pl
config-sample.py
config-sample.rb
config-sample.toml
config-sample.txt
config-sample.xml
config-sample.yaml
config-sample.yml
config-test.asp
config-test.ini
config-test.json
config-test.php
config-test.pl
config-test.py
config-test.rb
config-test.toml
config-test.txt
config-test.xml
config-test.yaml
config-test.yml
config.asp
config.dev.asp
config.dev.ini
config.dev.json
config.dev.php
config.dev.pl
config.dev.py
config.dev.rb
config.dev.toml
config.dev.txt
config.dev.xml
config.dev.yaml
config.dev.yml
config.gz
config.inc.php
config.ini
config.json
config.php
config.pl
config.prod.asp
config.prod.ini
config.prod.json
config.prod.php
config.prod.pl
config.prod.py
config.prod.rb
config.prod.toml
config.prod.txt
config.prod.xml
config.prod.yaml
config.prod.yml
config.py
config.rb
config.sample.asp
config.sample.inc.php
config.sample.ini
config.sample.json
config.sample.php
config.sample.pl
config.sample.py
config.sample.rb
config.sample.toml
config.sample.txt
config.sample.xml
config.sample.yaml
config.sample.yml
config.test.asp
config.test.ini
config.test.json
config.test.php
config.test.pl
config.test.py
config.test.rb
config.test.toml
config.test.txt
config.test.xml
config.test.yaml
config.test.yml
config.toml
config.txt
config.xml
config.yaml
config.yml
config_dev.asp
config_dev.ini
config_dev.json
config_dev.php
config_dev.pl
config_dev.py
config_dev.rb
config_dev.toml
config_dev.txt
config_dev.xml
config_dev.yaml
config_dev.yml
config_prod.asp
config_prod.ini
config_prod.json
config_prod.php
config_prod.pl
config_prod.py
config_prod.rb
config_prod.toml
config_prod.txt
config_prod.xml
config_prod.yaml
config_prod.yml
config_sample.asp
config_sample.ini
config_sample.json
config_sample.php
config_sample.pl
config_sample.py
config_sample.rb
config_sample.toml
config_sample.txt
config_sample.xml
config_sample.yaml
config_sample.yml
config_test.asp
config_test.ini
config_test.json
config_test.php
config_test.pl
config_test.py
config_test.rb
config_test.toml
config_test.txt
config_test.xml
config_test.yaml
config_test.yml
coverage.xml
cpuinfo
credentials.json
database.yaml
database.yml
debian.cnf
debug.log
default.settings.php
defaults.inc.php
Desktop.ini
diskstats
Dockerfile
dynamic_debug
env.php
execdomains
filesystems
fish_variables
ftp-sync.json
gitlab.rb
gitlab_config_
gruntfile.js
hplip.conf
hypervisor
initial_root_password
iomem
ioports
ipmi
kallsyms
kcore
key-users
kmsg
kpagecgroup
kpagecount
kpageflags
latency_stats
ldap-authentication-report.csv
loadavg
local.xml
mdstat
meminfo
mtrr
my.cnf
mysql.cnf
mysqldump.cnf
notify-osd.log
npm-debug.log
npm-shrinkwrap.json
package-lock.json
package.json
packages.json
pagetypeinfo
parameters.php
parameters.yml
php.ini
php_error.log
php_errors.log
phpcs.xml
phpcs.xml.dist
phpinfo.php
pm2.log
routing.yml
sched_debug
schedstat
scsi
secrets.json
secrets.yaml
secrets.yml
security.yml
sendgrid.env
services.yml
settings.inc.php
settings.local.php
settings.php
sftp.json
slabinfo
softirqs
sslvpn_websession
sysrq-trigger
system.ini
sysvipc
thread-self
Thumbs.db
timer_list
timer_stats
user_secrets.yml
version_signature
vmallocinfo
vmstat
Web.config
weblogic.xml
webpack.config.js
win.ini
wp-config-
wp-config.
wp-config_
yarn-debug.log
yarn-error.log
yarn.lock
zoneinfo

125
nginx/modsec/owasp-crs/rules/ruby-errors.data Normal file
View File

@ -0,0 +1,125 @@
#### Core Ruby Errors
ArgumentError:
ArgumentError (
IndexError:
IndexError (
LoadError:
LoadError (
LocalJumpError:
LocalJumpError (
NameError:
NameError (
NoMethodError:
NoMethodError (
NotImplementedError:
NotImplementedError (
RangeError:
RangeError (
RuntimeError:
RuntimeError (
ScriptError:
ScriptError (
SecurityError:
SecurityError (
StandardError:
StandardError (
SyntaxError:
SyntaxError (
SystemExit:
SystemExit (
TypeError:
TypeError (
ZeroDivisionError:
ZeroDivisionError (
#### Ruby on Rails Errors
ActionController::RoutingError
ActionController::InvalidAuthenticityToken
ActionController::ParameterMissing
ActionController::UnknownFormat
ActionController::BadRequest
ActionController::UrlGenerationError
ActionController::RedirectBackError
ActionController::InvalidCrossOriginRequest
ActiveRecord::RecordNotFound
ActiveRecord::RecordInvalid
ActiveRecord::StatementInvalid
ActiveRecord::RecordNotUnique
ActiveRecord::ConnectionTimeoutError
ActiveRecord::SerializationTypeMismatch
ActiveRecord::Deadlocked
ActiveRecord::SubclassNotFound
ActiveModel::ForbiddenAttributesError
ActiveSupport::MessageVerifier::InvalidSignature
ActiveSupport::DeprecationException
#### Database & ORM Errors (ActiveRecord, PostgreSQL, MySQL, SQLite)*
PG::ConnectionBad
PG::UndefinedTable
PG::UndefinedColumn
PG::SyntaxError
PG::UniqueViolation
PG::CheckViolation
PG::ForeignKeyViolation
PG::NotNullViolation
PG::InvalidTextRepresentation
PG::CharacterNotInRepertoire
Mysql2::Error
Mysql2::TimeoutError
SQLite3::BusyException
SQLite3::ConstraintException
#### Rack Middleware & Web Server Errors (Puma, Unicorn, Thin, WEBrick)
Rack::Timeout::RequestTimeoutException
Rack::Lint::LintError
Rack::QueryParser::ParameterTypeError
Puma::HttpParserError
Unicorn::ClientShutdown
Thin::ConnectionError
WEBrick::HTTPStatus::InternalServerError
#### JSON, Serialization, and Parsing Errors*
JSON::ParserError
JSON::GeneratorError
Oj::ParseError
Oj::GeneratorError
#### Network & HTTP Client Errors
SocketError
EOFError
OpenSSL::SSL::SSLError
Timeout::Error
Net::ReadTimeout
Net::OpenTimeout
Net::HTTPBadResponse
Net::HTTPHeaderSyntaxError
#### File Handling & System Errors
Errno::ENOENT
Errno::EACCES
Errno::ECONNREFUSED
Errno::ETIMEDOUT
Errno::EPIPE
Errno::EMFILE
SystemCallError
#### Authentication & Security Errors*
Devise::Unauthorized
JWT::DecodeError
JWT::ExpiredSignature
BCrypt::Errors::InvalidHash
#### Threading & Concurrency Errors
ThreadError
FiberError
Mutex::LockError
#### View Rendering Errors
ActionView::Template::Error
ActionView::MissingTemplate
ActionView::MissingPartial
ActionView::Template::Handlers::ERB::ERBError
ActionView::SyntaxErrorInTemplate
ActionView::Template::Handlers::Builder::TemplateError
ActionView::Helpers::NumberHelper::InvalidNumberError
ActionView::TemplateError

122
nginx/modsec/owasp-crs/rules/scanners-user-agents.data Normal file
View File

@ -0,0 +1,122 @@
# This file lists what we think the most widely used
# security scanners identifyable via their user agents.
#
# The list is curated by hand. Attempts to machine-generate
# a larger list leads to a lot of false positives and edge
# cases where certain scanners / bots are welcome in certain
# situations. We consider this a baseline of unwanted scanners.
# http://www.arachni-scanner.com/
arachni
betabot
bewica-security-scan
# Backup File Artifacts Checker
# https://github.com/mazen160/bfac
BFAC
# Commix
# https://github.com/commixproject/commix
commix
# Detectify website vulnerability scanner
# https://detectify.com/
Detectify
# hidden page scanner
# (deprecated) https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
dirbuster
fimap
# vuln scanner
# https://github.com/ffuf/ffuf
fuzz faster
# Scanner that looks for existing or hidden web objects
# https://github.com/OJ/gobuster
gobuster
# sql injection
havij
hexometer
jbrofuzz
jorgee
libwhisker
# port scanner
# https://github.com/robertdavidgraham/masscan
masscan
morfeus
# The Mysterious Mozlila User Agent bot
# https://trunc.org/learning/the-mozlila-user-agent-bot
Mozlila
# Typo of Mozilla/5.0 user-agent
Mozilla/5.g
# Nessus
# http://www.tenable.com/products/nessus-vulnerability-scanner
nessus
netlab360
netsparker
# vuln scanner
# https://cirt.net/Nikto2
nikto
nmap
# https://github.com/projectdiscovery/nuclei
nuclei
# http://www.openvas.org/
openvas
sitelockspider
# SQL Injections
# http://sqlmap.org/
sqlmap
# https://www.cyber.nj.gov/threat-profiles/trojan-variants/sysscan
sysscan
# https://github.com/google/tsunami-security-scanner
TsunamiSecurityScanner
w3af.org
# http://www.robotstxt.org/db/webbandit.html
webbandit
# (deprecated) http://www.scrt.ch/en/attack/downloads/webshag
webshag
# https://github.com/xmendez/wfuzz
wfuzz
whatweb
wprecon
# wordpress vuln scanner
# https://wpscan.org/
wpscan
# ZGrab scanner (Mozilla/5.0 zgrab/0.x)
# https://zmap.io
zgrab
zmeu

171
nginx/modsec/owasp-crs/rules/sql-errors.data Normal file
View File

@ -0,0 +1,171 @@
MySqlClient.
Server message
SQL error
Oracle error
JET Database Engine
Procedure or function
SQLite.Exception
[IBM][CLI Driver][DB2/6000]
the used select statements have different number of columns
org.postgresql.util.PSQLException
Access Database Engine
Incorrect syntax near
Syntax error in string in query expression
SQLiteException
' doesn't exist
CLI Driver
on MySQL result index
sybase
com.informix.jdbc
[MySQL][ODBC
Error
has occurred in the vicinity of:
Sintaxis incorrecta cerca de
MySQL server version for the right syntax to use
com.mysql.jdbc.exceptions
You have an error in your SQL syntax near
You have an error in your SQL syntax;
An illegal character has been found in the statement
pg_query() [:
supplied argument is not a valid MySQL
mssql_query()
mysql_fetch_array()
Exception
java.sql.SQLException
Column count doesn't match value count at row
Sybase message
SQL Server
PostgreSQL query failed:
Dynamic SQL Error
System.Data.SQLite.SQLiteException
SQLite/JDBCDriver
Unclosed quotation mark before the character string
System.Data.SqlClient.
Unclosed quotation mark after the character string
System.Data.OleDb.OleDbException
[DM_QUERY_E_SYNTAX]
[SqlException
Unexpected end of command in statement
valid PostgreSQL result
pg_exec() [:
[SQL Server]
[SQLITE_ERROR]
Microsoft OLE DB Provider for ODBC Drivers
PostgreSQL
org.hsqldb.jdbc
ADODB.Field (0x800A0BCD)
SQL syntax
System.Data.SqlClient.SqlException
Data type mismatch in criteria expression.
Driver
DB2 SQL error
Sybase message:
ORA-
[Microsoft][ODBC SQL Server Driver]
'80040e14'
Microsoft OLE DB Provider for SQL Server
in query expression
Npgsql.
valid MySQL result
supplied argument is not a valid PostgreSQL result
db2_
Ingres SQLSTATE
Column count doesn't match
Warning
[Microsoft][ODBC Microsoft Access Driver]
[Macromedia][SQLServer JDBC Driver]
<b>Warning</b>: ibase_
Roadhouse.Cms.
DB2 SQL error:
SQLSTATE[
MySQLSyntaxErrorException
check the manual that corresponds to your MySQL server version
check the manual that fits your MySQL server version
check the manual that corresponds to your MariaDB server version
check the manual that fits your MariaDB server version
check the manual that corresponds to your Drizzle server version
check the manual that fits your Drizzle server version
Zend_Db_Adapter_Mysqli_Exception
Zend_Db_Statement_Mysqli_Exception
MySqlException
Syntax error or access violation
MemSQL does not support this type of query
is not supported by MemSQL
unsupported nested scalar subselect
PG::SyntaxError:
syntax error at or near
ERROR: parser: parse error at or near
org.postgresql.jdbc
PSQLException
System.Data.SqlClient.SqlConnection.OnError
Microsoft SQL Native Client error
com.jnetdirect.jsql
macromedia.jdbc.sqlserver
Zend_Db_Adapter_Sqlsrv_Exception
Zend_Db_Statement_Sqlsrv_Exception
com.microsoft.sqlserver.jdbc
SQLSrvException
SQLServerException
quoted string not properly terminated
SQL command not properly ended
macromedia.jdbc.oracle
oracle.jdbc
Zend_Db_Adapter_Oracle_Exception
Zend_Db_Statement_Oracle_Exception
OracleException
com.ibm.db2.jcc
Zend_Db_Adapter_Db2_Exception
Zend_Db_Statement_Db2_Exception
ibm_db_dbi.ProgrammingError
Informix ODBC Driver
ODBC Informix driver
weblogic.jdbc.informix
IfxException
org.firebirdsql.jdbc
Microsoft.Data.SQLite.SQLiteException
SQLite error
sqlite3.OperationalError:
SQLite3::SQLException
org.sqlite.JDBC
DriverSapDB
com.sap.dbtech.jdbc
Invalid keyword or missing delimiter
SybSQLException
Sybase.Data.AseClient
com.sybase.jdbc
com.ingres.gcf.jdbc
com.frontbase.jdbc
Syntax error 1. Missing
Semantic error
org.h2.jdbc
[42000-192]
[MonetDB][ODBC Driver
nl.cwi.monetdb.jdbc
Syntax error: Encountered
org.apache.derby
ERROR 42X01
com.vertica.jdbc
org.jkiss.dbeaver.ext.vertica
com.vertica.dsi.dataengine
com.mckoi.JDBCDriver
com.mckoi.database.jdbc
com.facebook.presto.jdbc
io.prestosql.jdbc
com.simba.presto.jdbc
UNION query has different number of fields:
Altibase.jdbc.driver
com.mimer.jdbc
Syntax error: failed at position
io.crate.client.jdbc
encountered after end of query
A comparison operator is required here
-10048: Syntax error
SQ074: Line
SR185: Undefined procedure
SQ200: No table
Virtuoso S0002 Error
[Virtuoso Driver][Virtuoso Server]
[Virtuoso iODBC Driver][Virtuoso Server]
Conversion failed when converting the varchar value
invalid input syntax for integer:
XPATH syntax error:

35
nginx/modsec/owasp-crs/rules/ssrf-no-scheme.data Normal file
View File

@ -0,0 +1,35 @@
# SSRF patterns without schemes
#
# This file contains localhost and internal DNS names that are commonly used
# in SSRF attacks. These patterns are checked without URI schemes to catch
# cases where frameworks automatically prepend 'http://' or 'https://'.
#
# Sources:
# - https://gist.githubusercontent.com/jhaddix/78cece26c91c6263653f31ba453e273b/raw/a4869d58a5ce337d1465c2d1b29777b9eecd371f/cloud_metadata.txt
# - https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
# - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
# - https://github.com/assetnote/blind-ssrf-chains
# - https://github.com/coreruleset/coreruleset/issues/4427
# Standard hosts aliases
localhost/
localhost.localdomain/
localhost4/
localhost4.localdomain4/
ipv6-localhost/
ip6-loopback/
# Docker based aliases
host.docker.internal/
gateway.docker.internal/
kubernetes.docker.internal/
# Podman
host.containers.internal/
# K8s API local service
kubernetes.default.svc.cluster.local/
# Testing services
localtest.me/
lvh.me/

178
nginx/modsec/owasp-crs/rules/ssrf.data Normal file
View File

@ -0,0 +1,178 @@
# Sources:
# - https://gist.githubusercontent.com/jhaddix/78cece26c91c6263653f31ba453e273b/raw/a4869d58a5ce337d1465c2d1b29777b9eecd371f/cloud_metadata.txt
# - https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
# - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
# - https://github.com/assetnote/blind-ssrf-chains
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
#
# To fully protect, use IMDSv2 (see https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/)
http://instance-data/latest/
http://169.254.169.254/latest/
# Common evasion techniques:
http://2852039166/latest/
http://025177524776/latest/
http://0251.0376.0251.0376/latest/
http://0xA9.0xFE.0xA9.0xFE/latest/
http://0xA9FEA9FE/latest/
http://0251.254.169.254/latest/
http://[::ffff:a9fe:a9fe]/latest/
http://[0:0:0:0:0:ffff:a9fe:a9fe]/latest/
http://[0:0:0:0:0:ffff:169.254.169.254]/latest/
http://169.254.169.254.nip.io/latest/
http://nicob.net/redir-http-169.254.169.254:80-
# http://127.0.0.1
http://2130706433/
# http://192.168.0.1
http://3232235521/
# http://192.168.1.1
http://3232235777/
# http://169.254.169.254
http://2852039166/
# IPv6 base
http://[::]:
# localhost bypass
http://localtest.me
http://127.0.0.1.nip.io
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
http://127.0.0.1
http://0.0.0.0
http://localhost
http://0177.0.0.1/
http://[::1]
http://[0000::1]
http://[::ffff:127.0.0.1]
http://[0:0:0:0:0:ffff:127.0.0.1]
http://0/
http://127.1
http://127.0.1
http:127.0.0.1
# AWS ECS
http://169.254.170.2/v2
## Google Cloud
# https://cloud.google.com/compute/docs/metadata/overview
# - Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
# Common evasion techniques:
http://2852039166/computeMetadata/v1/
http://025177524776/computeMetadata/v1/
http://0251.0376.0251.0376/computeMetadata/v1/
http://[::ffff:a9fe:a9fe]/computeMetadata/v1/
http://[0:0:0:0:0:ffff:a9fe:a9fe]/computeMetadata/v1/
http://[0:0:0:0:0:ffff:169.254.169.254]/computeMetadata/v1/
http://169.254.169.254.nip.io/computeMetadata/v1/
http://0xA9.0xFE.0xA9.0xFE/computeMetadata/v1/
http://0xA9FEA9FE/computeMetadata/v1/
http://0251.254.169.254/computeMetadata/v1/
# Google gopher SSRF
gopher://metadata.google.internal
# Google allows recursive pulls
http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
## Google
# Beta does NOT require a header atm
http://metadata.google.internal/computeMetadata/v1beta1/
## Digital Ocean
# https://developers.digitalocean.com/documentation/metadata/
http://169.254.169.254/metadata/v1.json
# This other prefix will be used from Azure: http://169.254.169.254/metadata/v1/
## Packetcloud
https://metadata.packet.net/userdata
## Azure
#
# To be effective, these also have to:
#
# - contain the header Metadata: true
# - not contain an X-Forwarded-For header
http://169.254.169.254/metadata/v1/
http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
# Common evasion techniques:
http://2852039166/metadata/v1/
http://025177524776/metadata/v1/
http://0251.0376.0251.0376/metadata/v1/
http://[::ffff:a9fe:a9fe]/metadata/v1/
http://[0:0:0:0:0:ffff:a9fe:a9fe]/metadata/v1/
http://[0:0:0:0:0:ffff:169.254.169.254]/metadata/v1/
http://169.254.169.254.nip.io/metadata/v1/
http://0xA9.0xFE.0xA9.0xFE/metadata/v1/
http://0xA9FEA9FE/metadata/v1/
http://0251.254.169.254/metadata/v1/
## OpenStack/RackSpace
http://169.254.169.254/openstack
## HP Helion
# (header required? unknown)
http://169.254.169.254/2009-04-04/meta-data/
## Oracle Cloud
http://192.0.0.192/latest/
## Alibaba
http://100.100.100.200/latest/meta-data/
# Rancher metadata
http://rancher-metadata/
# Local Docker
http://127.0.0.1:2375
http://2130706433:2375/
http://[::]:2375/
http://[0000::1]:2375/
http://[0:0:0:0:0:ffff:127.0.0.1]:2375/
http://2130706433:2375/
http://017700000001:2375/
http://0x7f000001:2375/
http://0xc0a80014:2375/
# Kubernetes etcd
http://127.0.0.1:2379
# Enclosed alphanumerics
http://169。254。169。254
http://169。254。169。254
http://⑯⑨。②⑤④。⑯⑨。②⑤④
http://⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ
http://⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ
http://②⑧⑤②⓪③⑨①⑥⑥
http://④②⑤。⑤①⓪。④②⑤。⑤①⓪
http://⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥
http://⓪⓪②⑤①。⓪⓪⓪③⑦⑥。⓪⓪⓪⓪②⑤①。⓪⓪⓪⓪⓪③⑦⑥
http://[::①⑥⑨。②⑤④。⑯⑨。②⑤④]
http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]
http://⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧
http://⓪ⓧⓐ⑨。⑯⑥⑧⑨⑥⑥②
http://⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥②
http://⓪⓪②⑤①。⓪ⓧⓕⓔ。④③⑤①⑧
# Java only blind ssrf
jar:http://127.0.0.1!/
jar:https://127.0.0.1!/
jar:ftp://127.0.0.1!/
# Other PL1 protocols
gopher://127.0.0.1
gopher://localhost
# AWS Lambda
http://localhost:9001/2018-06-01/runtime/

20
nginx/modsec/owasp-crs/rules/unix-shell-builtins.data Normal file
View File

@ -0,0 +1,20 @@
# Unix Shell Builtins
alias
builtin
chdir
done
endif
endsw
esac
eval
export
fg
fi
foreach
function
history
hup
repeat
set
setenv
zmodload

711
nginx/modsec/owasp-crs/rules/unix-shell.data Normal file
View File

@ -0,0 +1,711 @@
# This list has generic unix shell variables, shells and commands that affect Unix systems.
# To generate the list, we get the data from all places first. Strip or add the path to commands so it begins with `bin`.
# Sort the file content ascending, and remove duplicate lines.
#
# Data comes from multiple places, listed below.
# - Binaries:
# - GTFOBins. Update list using `curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/GTFOBins/GTFOBins.github.io/contents/_gtfobins | jq '.[].name' | grep '.md' | tr -d '"' | cut -f1 -d.`
# - Shell lists:
# - https://tldp.org/LDP/Linux-Filesystem-Hierarchy/html/etc.html
# - https://en.wikipedia.org/wiki/Unix_shell
# - https://hyperpolyglot.org/unix-shells
# - Generic shell variables (Ad-Hoc for now, needs references)
# - Generic /etc and /dev files (Ad-Hoc, needs references)
# - Compression and decompression utilities present on Arch Linux (as of 2022-08-02) and Debian 11
${CDPATH}
${DIRSTACK}
${HOME}
${HOSTNAME}
${IFS}
${OLDPWD}
${OSTYPE}
${PATH}
${PWD}
${SHELL}
$CDPATH
$DIRSTACK
$HOME
$HOSTNAME
$IFS
$OLDPWD
$OSTYPE
$PATH
$PWD
$SHELL
bin/7z
bin/7za
bin/7zr
bin/7zx
bin/aa-
bin/ab
bin/auditctl
bin/aurepot
bin/ausearch
bin/addgroup
bin/adduser
bin/agetty
bin/alpine
bin/ansible
bin/apparmor_
bin/apt
bin/apt-get
bin/aptitude
bin/ar
bin/arch
bin/aria2c
bin/arj
bin/arjdisp
bin/arj-register
bin/arp
bin/as
bin/ascii-xfr
bin/ascii85
bin/ash
bin/aspell
bin/at
bin/atobm
bin/awk
bin/axel
bin/aws
bin/base32
bin/base64
bin/basename
bin/basenc
bin/bash
bin/batch
bin/blkid
bin/bpftrace
bin/breaksw
bin/bridge
bin/brwap
bin/bsdcat
bin/bsdiff
bin/bsdtar
bin/bundler
bin/bunzip2
bin/busctl
bin/busybox
bin/byebug
bin/byobu
bin/bzcat
bin/bzcmp
bin/bzdiff
bin/bzegrep
bin/bzexe
bin/bzfgrep
bin/bzgrep
bin/bzip2
bin/bzip2recover
bin/bzless
bin/bzmore
bin/bzz
bin/c89
bin/c89-gcc
bin/c99
bin/c99-gcc
bin/cancel
bin/capsh
bin/cat
bin/cc
bin/certbot
bin/chattr
bin/check_by_ssh
bin/check_cups
bin/check_log
bin/check_memory
bin/check_raid
bin/check_ssl_cert
bin/check_statusfile
bin/chef
bin/chef-
bin/chflags
bin/chgrp
bin/chmod
bin/choom
bin/chown
bin/chpass
bin/chgpasswd
bin/chroot
bin/chsh
bin/clang
bin/clang++
bin/cmp
bin/cobc
bin/cobcrun
bin/column
bin/comm
bin/command
bin/composer
bin/compress
bin/coproc
bin/core_perl/zipdetails
bin/cowsay
bin/cowthink
bin/cp
bin/cpan
bin/cpio
bin/cpulimit
bin/crash
bin/cron
bin/crontab
bin/cscli
bin/csh
bin/csplit
bin/csvtool
bin/cupsfilter
bin/curl
bin/cut
bin/dash
bin/date
bin/df
bin/dd
bin/dhclient
bin/dialog
bin/diff
bin/dig
bin/dir
bin/dmesg
bin/dmidecode
bin/dmsetup
bin/dnf
bin/doas
bin/docker
bin/docker-
bin/dosbox
bin/dpkg
bin/dpkg-
bin/du
bin/dvips
bin/e2fsck
bin/easy_install
bin/eb
bin/echo
bin/ed
bin/efax
bin/egrep
bin/emacs
bin/env
bin/env-update
bin/eqn
bin/es
bin/esh
bin/ex
bin/exec
bin/exiftool
bin/expand
bin/expect
bin/expr
bin/facter
bin/fc
bin/fdfind
bin/fdisk
bin/fdmount
bin/fdumount
bin/fetch
bin/fgrep
bin/file
bin/filetest
bin/find
bin/finger
bin/fish
bin/flock
bin/fmt
bin/fold
bin/fping
bin/fping6
bin/ftp
bin/ftpstats
bin/ftpwho
bin/gawk
bin/gcc
bin/gcore
bin/gdb
bin/gem
bin/genie
bin/genisoimage
bin/GET
bin/HEAD
bin/POST
bin/getcap
bin/getfacl
bin/ghc
bin/ghc-
bin/ghci
bin/ghci-
bin/gimp
bin/ginsh
bin/git
bin/go
bin/gpg
bin/grc
bin/grcat
bin/grep
bin/groupmod
bin/gtester
bin/gunzip
bin/gzcat
bin/gzexe
bin/gzip
bin/hash
bin/hd
bin/head
bin/hexdump
bin/highlight
bin/hostid
bin/hostname
bin/hping3
bin/htdigest
bin/htop
bin/htpasswd
bin/iconv
bin/id
bin/ifconfig
bin/iftop
bin/install
bin/ionice
bin/ip
bin/ip6tables
bin/ipconfig
bin/ippeveprinter
bin/ippfind
bin/ipptool
bin/iptables
bin/irb
bin/ispell
bin/java
bin/jexec
bin/jjs
bin/jobs
bin/join
bin/journalctl
bin/jq
bin/jrunscript
bin/kill
bin/killall
bin/knife
bin/ksh
bin/ksshell
bin/last
bin/lastcomm
bin/lastlog
bin/lastlogin
bin/latex
bin/ld
bin/ldconfig
bin/ldd
bin/less
bin/lessecho
bin/lessfile
bin/lesspipe
bin/lftp
bin/lftpget
bin/links
bin/ln
bin/local
bin/locate
bin/loginctl
bin/logname
bin/logsave
bin/look
bin/losetup
bin/lp
bin/ls
bin/ls-F
bin/lsb_release
bin/lscpu
bin/lshw
bin/lsmod
bin/lsof
bin/lspci
bin/lsusb
bin/ltrace
bin/lua
bin/lualatex
bin/luatex
bin/lwp-download
bin/lwp-dump
bin/lwp-mirror
bin/lwp-request
bin/lynx
bin/lz
bin/lz4
bin/lz4c
bin/lz4cat
bin/lzcat
bin/lzcmp
bin/lzdiff
bin/lzegrep
bin/lzfgrep
bin/lzgrep
bin/lzless
bin/lzma
bin/lzmadec
bin/lzmainfo
bin/lzmore
bin/mail
bin/mailq
bin/mailx
bin/make
bin/man
bin/mawk
bin/mkdir
bin/mkfifo
bin/mknod
bin/mktemp
bin/mlocate
bin/more
bin/mosquitto
bin/mount
bin/msgattrib
bin/msgcat
bin/msgconv
bin/msgfilter
bin/msgmerge
bin/msguniq
bin/mtr
bin/mutt
bin/mv
bin/mysql
bin/mysqladmin
bin/mysqldump
bin/mysqldumpslow
bin/mysqlhotcopy
bin/mysqlshow
bin/nano
bin/nasm
bin/nawk
bin/nc
bin/nc.openbsd
bin/nc.traditional
bin/ncat
bin/neofetch
bin/net
bin/netcat
bin/netkit-ftp
bin/netplan
bin/netstat
bin/nice
bin/nl
bin/nm
bin/nmap
bin/node
bin/nohup
bin/nping
bin/npm
bin/nroff
bin/nsenter
bin/nslookup
bin/nstat
bin/octave
bin/od
bin/onintr
bin/openssl
bin/openvpn
bin/openvt
bin/opkg
bin/pacman
bin/parted
bin/passwd
bin/paste
bin/patch
bin/pax
bin/pdb
bin/pdb2mb
bin/pdb3
bin/pdb3.
bin/pdflatex
bin/pdftex
bin/pdksh
bin/perf
bin/perl
bin/perl5
bin/perlsh
bin/perms
bin/pf
bin/pftp
bin/pg
bin/pgrep
bin/php
bin/php-cgi
bin/php5
bin/php7
bin/pic
bin/pico
bin/pidstat
bin/pigz
bin/ping
bin/ping6
bin/pip
bin/pkexec
bin/pkg
bin/pkg_info
bin/pkginfo
bin/pkill
bin/popd
bin/pr
bin/printenv
bin/printf
bin/pry
bin/ps
bin/psed
bin/psftp
bin/psql
bin/ptar
bin/ptardiff
bin/ptargrep
bin/ptx
bin/puppet
bin/pushd
bin/pwd
bin/pxz
bin/python
bin/python2
bin/python3
bin/pyversions
bin/py3versions
bin/rake
bin/raku
bin/rar
bin/rbash
bin/rc
bin/rcp
bin/readelf
bin/realpath
bin/reboot
bin/red
bin/redcarpet
bin/rename
bin/replace
bin/restic
bin/rev
bin/rlogin
bin/rlwrap
bin/rm
bin/rmdir
bin/rmuser
bin/rnano
bin/route
bin/rpm
bin/rpmdb
bin/rpmquery
bin/rpmverify
bin/rsync
bin/rsync-ssl
bin/ruby
bin/runc
bin/run-mailcap
bin/run-parts
bin/rview
bin/rvim
bin/sash
bin/sched
bin/scp
bin/screen
bin/script
bin/sdiff
bin/sed
bin/sendmail
bin/service
bin/setarch
bin/setcap
bin/setfacl
bin/setsid
bin/sftp
bin/sg
bin/sh
bin/sh.distrib
bin/shuf
bin/shutdown
bin/sleep
bin/slsh
bin/smbclient
bin/snap
bin/socat
bin/soelim
bin/sort
bin/source
bin/split
bin/sqlite3
bin/ss
bin/ssh
bin/ssh-add
bin/ssh-agent
bin/ssh-copy-id
bin/ssh-keygen
bin/ssh-keyscan
bin/sshpass
bin/start-stop-daemon
bin/stdbuf
bin/strace
bin/strings
bin/su
bin/sudo
bin/sudoedit
bin/sudoreplay
bin/sudo-rs
bin/sudo_
bin/svn
bin/svnadmin
bin/svnauthz
bin/svnbench
bin/svndumpfilter
bin/svnfsfs
bin/svnlook
bin/svnmucc
bin/svnrdump
bin/svnserve
bin/svnsync
bin/svnversion
bin/sysctl
bin/systemctl
bin/systemd-resolve
bin/tac
bin/tail
bin/tailf
bin/tar
bin/task
bin/taskset
bin/tbl
bin/tclsh
bin/tcpdump
bin/tcping
bin/tcptraceroute
bin/tcsh
bin/tee
bin/telnet
bin/tex
bin/tftp
bin/tic
bin/time
bin/timedatectl
bin/timeout
bin/tmux
bin/top
bin/touch
bin/traceroute
bin/traceroute6
bin/troff
bin/trap
bin/tshark
bin/ul
bin/ulimit
bin/uname
bin/uncompress
bin/unexpand
bin/uniq
bin/unlink
bin/unlz4
bin/unlzma
bin/unpigz
bin/unrar
bin/unset
bin/unshare
bin/unxz
bin/unzip
bin/unzstd
bin/up2date
bin/update-alternatives
bin/useradd
bin/userdel
bin/usermod
bin/uudecode
bin/uuencode
bin/valgrind
bin/vi
bin/view
bin/vigr
bin/vim
bin/vimdiff
bin/vipw
bin/virsh
bin/visudo
bin/visudo-rs
bin/volatility
bin/w
bin/w3m
bin/wall
bin/watch
bin/wc
bin/wget
bin/whiptail
bin/who
bin/whoami
bin/whois
bin/wireshark
bin/wish
bin/xargs
bin/xelatex
bin/xetex
bin/xmodmap
bin/xmore
bin/xpad
bin/xterm
bin/xxd
bin/xz
bin/xzcat
bin/xzcmp
bin/xzdec
bin/xzdiff
bin/xzegrep
bin/xzfgrep
bin/xzgrep
bin/xzless
bin/xzmore
bin/yarn
bin/yelp
bin/yes
bin/yum
bin/zathura
bin/zcat
bin/zcmp
bin/zdiff
bin/zegrep
bin/zfgrep
bin/zgrep
bin/zip
bin/zipcloak
bin/zipcmp
bin/zipdetails
bin/zipgrep
bin/zipinfo
bin/zipmerge
bin/zipnote
bin/zipsplit
bin/ziptool
bin/zless
bin/zmore
bin/zrun
bin/zsh
bin/zsoelim
bin/zstd
bin/zstdcat
bin/zstdgrep
bin/zstdless
bin/zstdmt
bin/zypper
dev/fd
dev/null
dev/stderr
dev/stdin
dev/stdout
dev/tcp
dev/udp
dev/zero
etc/alternatives/rmt
etc/group
etc/master.passwd
etc/passwd
etc/pwd.db
etc/rmt
etc/shadow
etc/shells
etc/spwd.db
proc/self
sbin/capsh
sbin/logsave
sbin/rmt
sbin/rmt-dump
sbin/rmt-tar
sbin/service
sbin/start-stop-daemon

23
nginx/modsec/owasp-crs/rules/web-shells-asp.data Normal file
View File

@ -0,0 +1,23 @@
# This list contains patterns of various web shells, backdoors and similar
# software written in ASP language. There is no way how to automatically update
# this list, so it must be done by hand. Here is a recommended way how to add
# new malicious software:
# 1.) As patterns are matched against RESPONSE_BODY, you need to run a malicious
# software (ideally in an isolated environment) and catch the output.
# 2.) In the output, search for static pattern unique enough to match only
# the software in question and to not do any FPs. The best pick is usually
# a part of HTML code with software name.
# 3.) Include software name and URL (if available) in the comment above
# the pattern.
#
# Data comes from multiple places of which some doesn't work anymore. Few are
# listed below:
# - https://www.localroot.net/
# - Google search (keywords like webshells, asp backdoor and similar)
# Akmal archtte id ASPX shell
<title>Webshell Akmal archtte id</title>
# ASPYDrv shell
<html><title>ASPYDrvsInfo</title>
# RHTOOLS shell
<html><head><title>RHTOOLS

167
nginx/modsec/owasp-crs/rules/web-shells-php.data Normal file
View File

@ -0,0 +1,167 @@
# This list contains patterns of various web shells, backdoors and similar
# software written in PHP language. There is no way how to automatically update
# this list, so it must be done by hand. Here is a recommended way how to add
# new malicious software:
# 1.) As patterns are matched against RESPONSE_BODY, you need to run a malicious
# software (ideally in an isolated environment) and catch the output.
# 2.) In the output, search for static pattern unique enough to match only
# the software in question and to not do any FPs. The best pick is usually
# a part of HTML code with software name.
# 3.) Include software name and URL (if available) in the comment above
# the pattern.
#
# Data comes from multiple places of which some doesn't work anymore. Few are
# listed below:
# - https://github.com/JohnTroony/php-webshells/tree/master/Collection
# - https://www.localroot.net/
# - Google search (keywords like webshells, php backdoor and similar)
# 1n73ction web shell
<title>=[ 1n73ct10n privat shell ]=</title>
# Ajax/PHP Command Shell web shell
>Ajax/PHP Command Shell<
# AK-74 Security Team Web-shell
.:: :[ AK-74 Security Team Web-shell ]: ::.
# ALFA-SHELL web shell (deprecated, https://github.com/solevisible)
~ ALFA TEaM Shell -
# Andela Yuwono Priv8 Shell web shell
<title>--==[[ Andela Yuwono Priv8 Shell ]]==--</title>
# Ani-Shell web shell (https://ani-shell.sourceforge.net/)
<title>Ani-Shell | India</title>
# AnonymousFox PHP web shell
<input type='submit' value='file' /></form>AnonymousFox
# Antichat Shell web shell
- Antichat Shell</title>
# AYT web shell
Ayyildiz Tim | AYT
# b374k web shell (https://github.com/b374k/b374k)
<link rel='SHORTCUT ICON' href='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyJpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuMy1jMDExIDY2LjE0NTY2MSwgMjAxMi8wMi8wNi0xNDo1NjoyNyAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENTNiAoV2luZG93cykiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6MkRFNDY2MDQ4MDgyMTFFM0FDRDdBN0MzOTAxNzZFQUYiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6MkRFNDY2MDU4MDgyMTFFM0FDRDdBN0MzOTAxNzZFQUYiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDoyREU0NjYwMjgwODIxMUUzQUNEN0E3QzM5MDE3NkVBRiIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDoyREU0NjYwMzgwODIxMUUzQUNEN0E3QzM5MDE3NkVBRiIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/Pu6UWJYAAAKySURBVHjafFNdSJNhFH7e/fhDkrm2i03QphsxhYSgMIUgIeiiK6/SCAKTKNlFoEtBRfEvXYhM+0GQMtMUL7qSgqS0QCNKTDS6cJWGi6n577Zv3/e+b+934ZgxPfDBd3jP85xznnOOzufz4SCr7R7knKOg4eaVd9WPBgsZY/3NZcWJ0TGaaKeuZzgz2ueMgFF+p6WnL0OAjzMK+f8k+wg4xXxN91D5ns8ok8CRH5S2GogS8HBKk1xud+uBBIwpm5zyRvW/+sHAJuM8nsrMIElHi0/aHAmFl/OI2WRyOevrK/YwJFoD0ecFkfWthpDNRH1Cct4ZOzRaglX/DsY+TcNqTUd2phEjo1OiWg5KKUhJTbua6XTT7SKvSlLpGWB6DUjuWQeW/m4iJIWho8DvBT+2tgOwpZsxM/tm/sn9Trsar2OMq6rOV3X19wncJUNSEsnKSsWifx0BKYTgdhDxiENBfjZCuxJejX0W4frZiAZNZUVxVKYfmcyuKTI15ZxKw4IA74aCCIiMeqZDptWIuV8+hAkXOlFo9eaLNyrvOfdp4Gp/FjKlpMSbLMlY2dhCaCcEnUJgt5sF4QqkkIKsDAtGXn9QSThlMmFCg8gUmELpkXg99FoNwgEJ2jBBWpoBP/8sC7AMi/EY/EvLUBQJCpOMT921hDG5JkIglPd8/7EIFpShCQMnrAYsrW0gLERUwTNfv2FyaloddWmvu25NxTzvaG6MELRVXK/SgL8fHZ9AjsMCKUzFqBhSjQZAkrC6viqyy+ILdxU775bH3APVblW3j3POzuc4bGIHNPgyM4dAcFdtslT07OWcvhRVJIvVtg0/9nhJrGMqqWzpFb1eFYuiVfdbACcGOlvzYx0cOewaVStyuiY5U3JFVbahhx3eQ48plr3obDtHqSxTRZ6K9f5PgAEAm/hvADIkGOQAAAAASUVORK5CYII='>
# BloodSecurity Hackers Shell web shell
<title>BloodSecurity Hackers Shell</title>
# Bypass Attack Shell web shell
<font color='red' size='6px' face='Fredericka the Great'> Bypass Attack Shell </font>
# c0derz shell web shell
title='.::[c0derz shell]::.'>
# C99Shell + N3tShell web shell
<font face=Webdings size=6><b>!</b></font>
# Con7ext Shell V.2 web shell
<title>Con7ext Shell V.2</title>
# Crystal shell web shell
<font face="Wingdings 3" size="5">y</font><b>Crystal shell v.
# Unknown (probably private) web shell
<title>CUPLIS BYPASSS SHELL</title>
# CWShell web shell
~ CWShell ~</font></a>
# dC3 Security Crew web shell
&dir&pic=o.b height= width=>
# Defacing Tool Pro web shell
<b>[ Defacing Tool Pro v
# Dive Shell web shell
<title>Dive Shell - Emperor Hacking Team</title>
# easy simple php web shell
<script>document.getElementById("cmd").focus();</script>
# ex0 shell web shell
color=DeepSkyBlue size=6> ## ex0 shell
# FaTaLSheLL web shell
<p align="center" class="style4">FaTaLSheLL v
# G-Security Webshell
<title>G-Security Webshell</title>
# Gecko web shell
<title>Gecko [
# h4ntu shell web shell
<title>h4ntu shell [powered by tsoi]</title>
# IDBTEAM SHELLS file manager
<H1><center>-=[+] IDBTEAM SHELLS
# IndoXploit web shell
<title>IndoXploit</title>
# KA_uShell web shell
<KAdot Universal Shell> |
## Laudanum PHP Web Shells (http://sourceforge.net/projects/laudanum)
# Laudanum dns.php
<title>Laudanum PHP DNS Access</title>
# Laudanum file.php
<title>Laudanum PHP File Browser</title>
# Laudanum host.php
<title>Laudanum PHP Hostname by IP Lookup</title>
# Laudanum proxy.php
<title>Laudanum PHP Proxy</title>
# Laudanum shell.php
<title>Laudanum PHP Shell Access</title>
## Laudanum WordPress Plugin settings.php
<h2>Laudanum Tools</h2>
# Lifka Shell web shell
>LIFKA SHELL</span></big></big></big></a>
# Loader'z web shell
<title>Loader'z WEB shell</title>
# Locus7Shell web shell
b>--[ x2300 Locus7Shell v.
# Lolipop web shell
<title>Lolipop.php - Edited By KingDefacer -
# MARIJUANA web shell (https://0x5a455553.github.io/MARIJUANA/)
<link rel="icon" href="//0x5a455553.github.io/MARIJUANA/icon.png" />
# Matamu Mat web shell
<title> Matamu Mat </title>
# MyShell web shell
<b>MyShell</b> &copy;2001 Digitart Producciones</a>
# NCC Shell web shell
<h1>.:NCC:. Shell v
# PHPShell by Macker web shell
<font size=3>PHPShell by Macker - Version
# PHPShell by MAX666 web shell
PHPShell by MAX666, Private Exploit, For Server Hacking
# qsd web shell
<form action="" METHOD="GET" >Execute Shell Command (safe mode is off): <input type="text" name="c"><input type="submit" value="Go"></form>
# Rootshell web shell
<p align="center"><font face="Verdana" size="2">Rootshell v
# rusuh web shell
<font color=lime>./rusuh</font>
# Safe0ver web shell
<font color="navy"><strong>##Safe0ver##</strong></font>
# Shany's web shell
<center><h1>Watch Your system Shany was here.</h1></center><center><h1>Linux Shells</h1></center><hr><hr>
# Simple PHP backdoor web shell
<!-- Simple PHP backdoor by DK
# SimShell web shell
<title>SimShell - Simorgh Security MGZ</title>
# Sincap web shell
<title>:: AventGrup ::.. - Sincap
# Small Shell file manager
<title>Small Shell - Edited By KingDefacer</title>
# Small Web Shell
<title>small web shell by zaco
# SoldiersofAllah Private Shell web shell
<title>SoldiersofAllah Private Shell |
# Sosyete web shell
<title>Sosyete Safe Mode Bypass Shell -
# STNC WebShell
&nbsp;&nbsp;STNC&nbsp;WebShell&nbsp;
# StresBypass shell web shell
<font face="Wingdings 3" size="5">y</font><b>StresBypass<span lang="en-us">v
# SyRiAn Sh3ll web shell
<title>SyRiAn Sh3ll ~
# Tiny File Manager
<title>Tiny File Manager</title>
# Turk Shell web shell
<head><title>Wardom | Ne Mutlu T
# Unknown web shell
<hr>to browse go to http://?d=[directory here]
# Ustadcage48 Filemanager
<font color="red">USTADCAGE_48</font> <font color="dodgerblue">FILE MANAGER</font>
# WebRoot Hack Tools shell
<title>WebRoot Hack Tools</title>
# web shell by BLaSTER
<div align="center"><span class="style6">By BLaSTER</span><br />
# WinX Shell web shell
<head><title>-:[GreenwooD]:- WinX Shell</title>
# wwwolf web shell
<sup><a href="#" onclick="cmd.value=''; cmd.focus(); return false;">Clear cmd</a></sup>
# Yourman.sh Mini Shell web shell
<title>Yourman.sh Mini Shell</title>
# Zerion Mini Shell web shell
</div><center><br />Zerion Mini Shell <font color=
# Zero Byte Mini Shell V2 web shell
<title>0byt3m1n1-V2</title>
# Zerostore web shell
<title>ZEROSHELL | ZEROSTORE</title>
# Unknown web shell
<input type=submit name=find value='find writeable'>

425
nginx/modsec/owasp-crs/rules/windows-powershell-commands.data Normal file
View File

@ -0,0 +1,425 @@
# Sources:
# Microsoft PowerShell Docs: https://github.com/MicrosoftDocs/PowerShell-Docs
# - curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/MicrosoftDocs/PowerShell-Docs/git/trees/main\?recursive\=1 | jq -r '.tree[] .path | capture("reference/\\d.\\d/(.*)/(?<fn>[A-Z]\\w+-\\w+).md") | .fn' | sort | uniq
powershell
Add-Computer
Add-Content
Add-History
Add-JobTrigger
Add-LocalGroupMember
Add-Member
Add-PSSnapin
Add-Type
Checkpoint-Computer
Clear-Content
Clear-EventLog
Clear-History
Clear-Host
Clear-Item
Clear-ItemProperty
Clear-RecycleBin
Clear-Variable
Compare-Object
Complete-Transaction
Compress-Archive
Connect-PSSession
Connect-WSMan
Convert-Path
Convert-String
ConvertFrom-Csv
ConvertFrom-Json
ConvertFrom-Markdown
ConvertFrom-SddlString
ConvertFrom-SecureString
ConvertFrom-String
ConvertFrom-StringData
ConvertTo-Csv
ConvertTo-Html
ConvertTo-Json
ConvertTo-SecureString
ConvertTo-Xml
Copy-Item
Copy-ItemProperty
Debug-Job
Debug-Process
Debug-Runspace
Disable-ComputerRestore
Disable-ExperimentalFeature
Disable-JobTrigger
Disable-LocalUser
Disable-PSBreakpoint
Disable-PSRemoting
Disable-PSSessionConfiguration
Disable-PSTrace
Disable-PSWSManCombinedTrace
Disable-RunspaceDebug
Disable-ScheduledJob
Disable-WSManCredSSP
Disable-WSManTrace
Disconnect-PSSession
Disconnect-WSMan
Enable-ComputerRestore
Enable-ExperimentalFeature
Enable-JobTrigger
Enable-LocalUser
Enable-PSBreakpoint
Enable-PSRemoting
Enable-PSSessionConfiguration
Enable-PSTrace
Enable-PSWSManCombinedTrace
Enable-RunspaceDebug
Enable-ScheduledJob
Enable-WSManCredSSP
Enable-WSManTrace
Enter-PSHostProcess
Enter-PSSession
Exit-PSHostProcess
Exit-PSSession
Expand-Archive
Export-Alias
Export-BinaryMiLog
Export-Clixml
Export-Console
Export-Counter
Export-Csv
Export-FormatData
Export-ModuleMember
Export-ODataEndpointProxy
Export-PSSession
Find-Command
Find-DscResource
Find-Module
Find-Package
Find-PackageProvider
Find-RoleCapability
Find-Script
ForEach-Object
Format-Custom
Format-Hex
Format-List
Format-Table
Format-Wide
Get-Acl
Get-Alias
Get-AuthenticodeSignature
Get-ChildItem
Get-CimAssociatedInstance
Get-CimClass
Get-CimInstance
Get-CimSession
Get-Clipboard
Get-CmsMessage
Get-Command
Get-ComputerInfo
Get-ComputerRestorePoint
Get-Content
Get-ControlPanelItem
Get-Counter
Get-Credential
Get-Culture
Get-Date
Get-Error
Get-Event
Get-EventLog
Get-EventSubscriber
Get-ExecutionPolicy
Get-ExperimentalFeature
Get-FileHash
Get-FormatData
Get-Help
Get-History
Get-Host
Get-HotFix
Get-InstalledModule
Get-InstalledScript
Get-IseSnippet
Get-Item
Get-ItemProperty
Get-ItemPropertyValue
Get-Job
Get-JobTrigger
Get-LocalGroup
Get-LocalGroupMember
Get-LocalUser
Get-Location
Get-LogProperties
Get-MarkdownOption
Get-Member
Get-Module
Get-OperationValidation
Get-PSBreakpoint
Get-PSCallStack
Get-PSDrive
Get-PSHostProcessInfo
Get-PSProvider
Get-PSReadLineKeyHandler
Get-PSReadLineOption
Get-PSRepository
Get-PSSession
Get-PSSessionCapability
Get-PSSessionConfiguration
Get-PSSnapin
Get-PSSubsystem
Get-Package
Get-PackageProvider
Get-PackageSource
Get-PfxCertificate
Get-Process
Get-Random
Get-Runspace
Get-RunspaceDebug
Get-ScheduledJob
Get-ScheduledJobOption
Get-Service
Get-TimeZone
Get-TraceSource
Get-Transaction
Get-TypeData
Get-UICulture
Get-Unique
Get-Uptime
Get-Variable
Get-Verb
Get-WSManCredSSP
Get-WSManInstance
Get-WinEvent
Get-WmiObject
Group-Object
Import-Alias
Import-BinaryMiLog
Import-Clixml
Import-Counter
Import-Csv
Import-IseSnippet
Import-LocalizedData
Import-Module
Import-PSSession
Import-PackageProvider
Import-PowerShellDataFile
Install-Module
Install-Package
Install-PackageProvider
Install-Script
Invoke-AsWorkflow
Invoke-CimMethod
Invoke-Command
Invoke-Expression
Invoke-History
Invoke-Item
Invoke-OperationValidation
Invoke-RestMethod
Invoke-WSManAction
Invoke-WebRequest
Invoke-WmiMethod
Join-Path
Join-String
Limit-EventLog
Measure-Command
Measure-Object
Move-Item
Move-ItemProperty
New-Alias
New-CimInstance
New-CimSession
New-CimSessionOption
New-Event
New-EventLog
New-FileCatalog
New-Guid
New-IseSnippet
New-Item
New-ItemProperty
New-JobTrigger
New-LocalGroup
New-LocalUser
New-Module
New-ModuleManifest
New-Object
New-PSDrive
New-PSRoleCapabilityFile
New-PSSession
New-PSSessionConfigurationFile
New-PSSessionOption
New-PSTransportOption
New-PSWorkflowExecutionOption
New-PSWorkflowSession
New-ScheduledJobOption
New-ScriptFileInfo
New-Service
New-TemporaryFile
New-TimeSpan
New-Variable
New-WSManInstance
New-WSManSessionOption
New-WebServiceProxy
New-WinEvent
Out-Default
Out-File
Out-GridView
Out-Host
Out-Null
Out-Printer
Out-String
Pop-Location
Protect-CmsMessage
Publish-Module
Publish-Script
Push-Location
Read-Host
Receive-Job
Receive-PSSession
Register-ArgumentCompleter
Register-CimIndicationEvent
Register-EngineEvent
Register-ObjectEvent
Register-PSRepository
Register-PSSessionConfiguration
Register-PackageSource
Register-ScheduledJob
Register-WmiEvent
Remove-Alias
Remove-CimInstance
Remove-CimSession
Remove-Computer
Remove-Event
Remove-EventLog
Remove-Item
Remove-ItemProperty
Remove-Job
Remove-JobTrigger
Remove-LocalGroup
Remove-LocalGroupMember
Remove-LocalUser
Remove-Module
Remove-PSBreakpoint
Remove-PSDrive
Remove-PSReadLineKeyHandler
Remove-PSSession
Remove-PSSnapin
Remove-Service
Remove-TypeData
Remove-Variable
Remove-WSManInstance
Remove-WmiObject
Rename-Computer
Rename-Item
Rename-ItemProperty
Rename-LocalGroup
Rename-LocalUser
Reset-ComputerMachinePassword
Resolve-Path
Restart-Computer
Restart-Service
Restore-Computer
Resume-Job
Resume-Service
Save-Help
Save-Module
Save-Package
Save-Script
Select-Object
Select-String
Select-Xml
Send-MailMessage
Set-Acl
Set-Alias
Set-AuthenticodeSignature
Set-CimInstance
Set-Clipboard
Set-Content
Set-Date
Set-ExecutionPolicy
Set-Item
Set-ItemProperty
Set-JobTrigger
Set-LocalGroup
Set-LocalUser
Set-Location
Set-LogProperties
Set-MarkdownOption
Set-PSBreakpoint
Set-PSDebug
Set-PSReadLineKeyHandler
Set-PSReadLineOption
Set-PSRepository
Set-PSSessionConfiguration
Set-PackageSource
Set-ScheduledJob
Set-ScheduledJobOption
Set-Service
Set-StrictMode
Set-TimeZone
Set-TraceSource
Set-Variable
Set-WSManInstance
Set-WSManQuickConfig
Set-WmiInstance
Show-Command
Show-ControlPanelItem
Show-EventLog
Show-Markdown
Sort-Object
Split-Path
Start-Job
Start-Process
Start-Service
Start-Sleep
Start-ThreadJob
Start-Trace
Start-Transaction
Start-Transcript
Stop-Computer
Stop-Job
Stop-Process
Stop-Service
Stop-Trace
Stop-Transcript
Suspend-Job
Suspend-Service
Switch-Process
Tee-Object
Test-ComputerSecureChannel
Test-Connection
Test-FileCatalog
Test-Json
Test-ModuleManifest
Test-PSSessionConfigurationFile
Test-Path
Test-ScriptFileInfo
Test-WSMan
Trace-Command
Unblock-File
Undo-Transaction
Uninstall-Module
Uninstall-Package
Uninstall-Script
Unprotect-CmsMessage
Unregister-Event
Unregister-PSRepository
Unregister-PSSessionConfiguration
Unregister-PackageSource
Unregister-ScheduledJob
Update-FormatData
Update-Help
Update-List
Update-Module
Update-ModuleManifest
Update-Script
Update-ScriptFileInfo
Update-TypeData
Use-Transaction
Wait-Debugger
Wait-Event
Wait-Job
Wait-Process
Where-Object
Write-Debug
Write-Error
Write-EventLog
Write-Host
Write-Information
Write-Output
Write-Progress
Write-Verbose
Write-Warning

1
nginx/snippets/modsecurity.conf
View File

@ -1,5 +1,6 @@
# ModSecurity Engine Configuration
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
# Inclusão da Blacklist Dinâmica do Fail2Ban
include /etc/nginx/snippets/blacklist.conf;

350
scripts/deploy_pathfinder.py
View File

@ -1,92 +1,298 @@
#!/usr/bin/env python3
import os
import subprocess
import shutil
import sys
import argparse
import subprocess
import socket
import syslog
import shutil
from datetime import datetime
# Configurações
# ==============================================================================
# CONFIGURAÇÕES TÉCNICAS
# ==============================================================================
PASSWORD = "vR7Ag$Pk"
NGINX_CONF_DIR = "/etc/nginx"
NGINX_CONF_BACKUP = "/etc/nginx.bak"
FAIL2BAN_CONF_DIR = "/etc/fail2ban"
TMP_SYNC_BASE = "/tmp/pathfinder_sync"
TARGETS = {
"nginx": {
"src": f"{TMP_SYNC_BASE}/nginx/",
"dst": "/etc/nginx",
"bak": "/etc/nginx.bak",
"test_cmd": ["nginx", "-t"]
},
"fail2ban": {
"src": f"{TMP_SYNC_BASE}/fail2ban/",
"dst": "/etc/fail2ban",
"bak": "/etc/fail2ban.bak",
"test_cmd": ["fail2ban-server", "-t"] # Apenas teste de config
}
}
LOG_DIR = "/var/log/nginx"
def run_sudo(cmd):
"""Executa comando com sudo -S e retorna (rc, stdout, stderr)."""
p = subprocess.Popen(['sudo', '-S'] + cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
out, err = p.communicate(input=PASSWORD + '\n')
# Endereço IP Público do Host de Produção (para validação DNS)
HOST_PUBLIC_IP = ""
# ==============================================================================
# UTILITÁRIOS DE SISTEMA E AUDITORIA
# ==============================================================================
def log_syslog(task, function, details=""):
"""Registra a ação no Syslog para auditoria."""
try:
hostname = socket.gethostname()
remote_ip = os.environ.get('SSH_CLIENT', 'localhost').split()[0]
identity = f"PathfinderAutomator[{task}]"
msg = f"Task: {task} | Func: {function} | From: {remote_ip} | Host: {hostname} | Details: {details}"
syslog.openlog(ident=identity, facility=syslog.LOG_AUTHPRIV)
syslog.syslog(syslog.LOG_INFO, msg)
print(f"[*] [SYSLOG] {msg}")
except Exception as e:
print(f"[!] Erro ao registrar no syslog: {e}")
def run_sudo(cmd, input_data=None, capture=True):
"""Executa comando com sudo e retorna (rc, stdout, stderr)."""
full_cmd = ['sudo', '-S'] + cmd
p = subprocess.Popen(full_cmd, stdin=subprocess.PIPE,
stdout=subprocess.PIPE if capture else None,
stderr=subprocess.PIPE if capture else None,
text=True)
stdin_input = (PASSWORD + '\n')
if input_data:
stdin_input += input_data
out, err = p.communicate(input=stdin_input)
return p.returncode, out, err
def log(msg):
print(f"[*] {msg}")
def check_nginx():
"""Valida a sintaxe do Nginx."""
rc, out, err = run_sudo(['nginx', '-t'])
return rc == 0, err
def deploy():
log("Iniciando Deploy Seguro Pathfinder...")
timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
# 1. Backups preventivos
for name, config in TARGETS.items():
log(f"Criando backup de {name}...")
run_sudo(['cp', '-rp', config['dst'], f"{config['bak']}_{timestamp}"])
# Mantém também um backup 'fixo' para o rollback rápido do script
run_sudo(['rm', '-rf', config['bak']])
run_sudo(['cp', '-rp', config['dst'], config['bak']])
# ==============================================================================
# LÓGICA DE BACKUP E ROLLBACK ATÔMICO
# ==============================================================================
# 2. Aplicação das novas configurações
for name, config in TARGETS.items():
if not os.path.exists(config['src']):
log(f"Aviso: Fonte {config['src']} não encontrada. Pulando {name}.")
continue
log(f"Aplicando novas configurações em {name}...")
# Copia o conteúdo da pasta temporária para o destino
run_sudo(['cp', '-rf', os.path.join(config['src'], '.'), config['dst']])
BACKUP_MAP = {} # Rastreia arquivos alterados para rollback
# 3. Validação Crítica (Nginx)
log("Validando configuração do Nginx...")
rc, out, err = run_sudo(TARGETS['nginx']['test_cmd'])
def backup_file(target_path):
"""Cria um backup .pathfinder_bak antes de qualquer alteração."""
if not os.path.exists(target_path):
return None
if rc != 0:
log("ERRO DETECTADO NA CONFIGURAÇÃO!")
print(f"\nDetalhes do Erro:\n{err}\n")
rollback()
sys.exit(1)
log("Configuração validada com sucesso.")
bak_path = f"{target_path}.pathfinder_bak"
log_syslog("BACKUP", "backup_file", f"Backup de {target_path} para {bak_path}")
rc, _, _ = run_sudo(['cp', '-rp', target_path, bak_path])
if rc == 0:
BACKUP_MAP[target_path] = bak_path
return bak_path
return None
# 4. Reinicialização de Serviços
log("Reiniciando serviços...")
run_sudo(['systemctl', 'restart', 'nginx'])
run_sudo(['systemctl', 'restart', 'fail2ban'])
log("Deploy finalizado com sucesso!")
def rollback_all():
"""Restaura todos os backups registrados caso ocorra um erro."""
log_syslog("ROLLBACK", "rollback_all", "Iniciando restauração de emergência.")
for target, bak in BACKUP_MAP.items():
print(f"[!] Restaurando {target}...")
run_sudo(['rm', '-rf', target])
run_sudo(['cp', '-rp', bak, target])
print("[*] Rollback concluído. Testando Nginx novamente...")
check_nginx()
def rollback():
log("EXECUTANDO ROLLBACK AUTOMÁTICO...")
for name, config in TARGETS.items():
log(f"Restaurando {name} do backup...")
run_sudo(['rm', '-rf', config['dst']])
run_sudo(['cp', '-rp', config['bak'], config['dst']])
# ==============================================================================
# AUXILIARES DE REDE (DNS/IP/SSL)
# ==============================================================================
def get_public_ip():
"""Tenta descobrir o IP público deste host."""
global HOST_PUBLIC_IP
if HOST_PUBLIC_IP:
return HOST_PUBLIC_IP
log("Tentando reiniciar serviços após rollback...")
run_sudo(['systemctl', 'restart', 'nginx'])
run_sudo(['systemctl', 'restart', 'fail2ban'])
log("Rollback concluído. Servidor estabilizado.")
try:
import urllib.request
with urllib.request.urlopen('https://api.ipify.org', timeout=5) as response:
HOST_PUBLIC_IP = response.read().decode('utf-8')
return HOST_PUBLIC_IP
except:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("8.8.8.8", 80))
HOST_PUBLIC_IP = s.getsockname()[0]
s.close()
return HOST_PUBLIC_IP
except:
return "127.0.0.1"
def validate_dns(domain):
"""Verifica se o domínio aponta para este host."""
my_ip = get_public_ip()
try:
domain_ip = socket.gethostbyname(domain)
if domain_ip == my_ip:
return True, domain_ip
return False, domain_ip
except socket.gaierror:
return False, "Não resolvido"
def setup_ssl(domain):
"""Executa o Certbot e configura o reload-hook para syslog."""
log_syslog("SSL", "setup_ssl", f"Iniciando Certbot para {domain}")
cert_cmd = [
'certbot', 'certonly', '--webroot',
'-w', '/var/lib/letsencrypt/',
'-d', domain, '--non-interactive', '--agree-tos',
'--email', 'admin@' + domain,
'--deploy-hook', f'logger -t CertbotRenewal "SSL Renewed for {domain} - Restarting Nginx" && systemctl reload nginx'
]
rc, out, err = run_sudo(cert_cmd)
if rc == 0:
log_syslog("SSL", "setup_ssl", f"Sucesso ao emitir certificado para {domain}")
return True
else:
log_syslog("SSL", "setup_ssl", f"FALHA ao emitir certificado para {domain}: {err}")
print(f"[!] Erro Certbot: {err}")
return False
# ==============================================================================
# FUNCIONALIDADES DO SCRIPT
# ==============================================================================
def sync_all():
"""Sincronização completa (legado)."""
log_syslog("SYNC", "sync_all", "Sincronização total de Nginx e Fail2Ban")
backup_file(NGINX_CONF_DIR)
backup_file(FAIL2BAN_CONF_DIR)
src_nginx = os.path.join(TMP_SYNC_BASE, "nginx", ".")
run_sudo(['cp', '-rf', src_nginx, NGINX_CONF_DIR])
ok, err = check_nginx()
if not ok:
print(f"[!] Erro na configuração: {err}")
rollback_all()
return False
run_sudo(['systemctl', 'reload', 'nginx'])
print("[+] Sincronização total concluída com sucesso.")
return True
def sync_item(relative_path):
"""Sincroniza um arquivo ou diretório (ex: snippets/ ou modsec/)."""
src = os.path.join(TMP_SYNC_BASE, "nginx", relative_path)
dst = os.path.join(NGINX_CONF_DIR, relative_path)
if not os.path.exists(src):
print(f"[!] Item fonte não encontrado: {src}")
return False
log_syslog("SYNC_ITEM", "sync_item", f"Sincronizando {relative_path}")
# Backup recursivo se for diretório ou arquivo
backup_file(dst)
# Usa -rf para suportar diretórios (como modsec/)
if os.path.isdir(src):
run_sudo(['cp', '-rf', os.path.join(src, '.'), dst])
else:
run_sudo(['cp', '-f', src, dst])
ok, err = check_nginx()
if not ok:
print(f"[!] Falha na validação após sincronizar {relative_path}. Revertendo...")
rollback_all()
return False
run_sudo(['systemctl', 'reload', 'nginx'])
print(f"[+] {relative_path} sincronizado e validado.")
return True
def site_deploy(domain):
"""Deploy completo de um novo site."""
src_vhost = os.path.join(TMP_SYNC_BASE, "nginx", "conf.d", f"{domain}.conf")
dst_vhost = os.path.join(NGINX_CONF_DIR, "conf.d", f"{domain}.conf")
if not os.path.exists(src_vhost):
print(f"[!] Arquivo de VHost não encontrado em: {src_vhost}")
return False
log_syslog("SITE_DEPLOY", "site_deploy", f"Iniciando deploy de {domain}")
backup_file(dst_vhost)
run_sudo(['cp', '-f', src_vhost, dst_vhost])
ok, err = check_nginx()
if not ok:
print(f"[!] Erro na config do VHost: {err}")
rollback_all()
return False
run_sudo(['systemctl', 'reload', 'nginx'])
dns_ok, domain_ip = validate_dns(domain)
if not dns_ok:
print(f"[!] AVISO: DNS de {domain} ({domain_ip}) não aponta para este host ({get_public_ip()}).")
print("[!] SSL Certbot será pulado. Rode 'site --update' após corrigir o DNS.")
return True
setup_ssl(domain)
return True
def site_update(domain):
"""Atualiza o VHost e tenta renovar SSL se DNS ok."""
vhost_rel = f"conf.d/{domain}.conf"
if sync_item(vhost_rel):
dns_ok, _ = validate_dns(domain)
if dns_ok:
setup_ssl(domain)
return True
return False
def site_remove(domain):
"""Remove site, SSL e Logs."""
log_syslog("SITE_REMOVE", "site_remove", f"Removendo site {domain}")
# 1. Nginx Config
vhost = os.path.join(NGINX_CONF_DIR, "conf.d", f"{domain}.conf")
if os.path.exists(vhost):
backup_file(vhost)
run_sudo(['rm', '-f', vhost])
# 2. SSL Certbot
print(f"[*] Removendo certificados para {domain}...")
run_sudo(['certbot', 'delete', '--cert-name', domain])
# 3. Logs (Atuais e GZ)
print(f"[*] Limpando logs de {domain}...")
run_sudo(['bash', '-c', f"rm -f {LOG_DIR}/{domain}*"])
ok, _ = check_nginx()
if ok:
run_sudo(['systemctl', 'reload', 'nginx'])
print(f"[+] Site {domain} removido com sucesso.")
else:
rollback_all()
# ==============================================================================
# CLI HANDLER
# ==============================================================================
def main():
parser = argparse.ArgumentParser(description="Pathfinder Automator V2 - Nginx/SSL Orchestration")
subparsers = parser.add_subparsers(dest="command", help="Comando a executar")
sync_parser = subparsers.add_parser("sync", help="Sincronização de arquivos")
sync_parser.add_argument("--all", action="store_true", help="Sincronizar tudo")
sync_parser.add_argument("--file", type=str, help="Sincronizar arquivo específico")
site_parser = subparsers.add_parser("site", help="Gerenciamento de sites")
site_parser.add_argument("--deploy", type=str, help="Novo deploy de site (Domínio)")
site_parser.add_argument("--update", type=str, help="Atualizar site existente (Domínio)")
site_parser.add_argument("--remove", type=str, help="Remover site completamente (Domínio)")
args = parser.parse_args()
if args.command == "sync":
if args.all:
sync_all()
elif args.file:
sync_item(args.file)
elif args.command == "site":
if args.deploy: site_deploy(args.deploy)
elif args.update: site_update(args.update)
elif args.remove: site_remove(args.remove)
if __name__ == "__main__":
if os.getuid() == 0:
log("Erro: Não execute como root diretamente. O script usa sudo internamente.")
print("[!] Não execute diretamente como root. Use um usuário com sudo.")
sys.exit(1)
deploy()
main()