joao.goncalves
/
NgixProxy_Pathfinder
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NgixProxy_Pathfinder/nginx/modsec/owasp-crs/rules/RESPONSE-951-DATA-LEAKAGES-...

436 lines
17 KiB
Plaintext
Raw Permalink Blame History

# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Skip all rules if RESPONSE_BODY is compressed.
SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
"id:951010,\
phase:4,\
pass,\
nolog,\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ SQL Error Leakages ]=-
#
# Ref: https://github.com/sqlmapproject/sqlmap
# Ref: https://github.com/Arachni/arachni/tree/master/components/checks/active/sql_injection/regexps
#
SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
"id:951100,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
skipAfter:END-SQL-ERROR-MATCH-PL1"
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
"id:951110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Microsoft Access SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-msaccess',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
# Regular expression generated from regex-assembly/951120.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 951120
#
SecRule RESPONSE_BODY "@rx (?i)\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\.sql\.SQLException|Oracle(?: erro|[^\(\)]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})" \
"id:951120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Oracle SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-oracle',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
"id:951130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'DB2 SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-db2',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
"id:951140,\
phase:4,\
block,\
capture,\
t:none,\
msg:'EMC SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-emc',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
"id:951150,\
phase:4,\
block,\
capture,\
t:none,\
msg:'firebird SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-firebird',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
"id:951160,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Frontbase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-frontbase',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
"id:951170,\
phase:4,\
block,\
capture,\
t:none,\
msg:'hsqldb SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-hsqldb',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
"id:951180,\
phase:4,\
block,\
capture,\
t:none,\
msg:'informix SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-informix',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
"id:951190,\
phase:4,\
block,\
capture,\
t:none,\
msg:'ingres SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-ingres',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
"id:951200,\
phase:4,\
block,\
capture,\
t:none,\
msg:'interbase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-interbase',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)Warning.{1,10}maxdb[\(\)_a-z:]{1,26}:" \
"id:951210,\
phase:4,\
block,\
capture,\
t:none,\
msg:'maxDB SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-maxdb',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function '.{1,128}' expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \
"id:951220,\
phase:4,\
block,\
capture,\
t:none,\
msg:'mssql SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-mssql',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
# Regular expression generated from regex-assembly/951230.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 951230
#
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(\)_a-z]{1,26})?|(?:ERROR [0-9]{4} \([0-9a-z]{5}\)|XPATH syntax error):" \
"id:951230,\
phase:4,\
block,\
capture,\
t:none,\
msg:'mysql SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-mysql',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
# Regular expression generated from regex-assembly/951240.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 951240
#
SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)\(\) \[|org\.postgresql\.util\.PSQLException):|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" \
"id:951240,\
phase:4,\
block,\
capture,\
t:none,\
msg:'postgres SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-pgsql',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
"id:951250,\
phase:4,\
block,\
capture,\
t:none,\
msg:'sqlite SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-sqlite',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message)" \
"id:951260,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Sybase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-sybase',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.24.0-dev',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecMarker "END-SQL-ERROR-MATCH-PL1"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-951-DATA-LEAKAGES-SQL"
Reference in New Issue View Git Blame Copy Permalink