patterns/waf_patterns/apache/xss.conf

# Apache ModSecurity rules for XSS
SecRuleEngine On

SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@detectXSS" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)<script[^>]*>[sS]*?" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sv" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)<EMBED[s/+].*?(?:src|type).*?=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx <[?]?import[s/+S]*?implementation[s/+]*?=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i:<META[s/+].*?charset[s/+]*=)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)<LINK[s/+].*?href[s/+]*=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)<BASE[s/+].*?href[s/+]*=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)<APPLET[s/+>]" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx xbc[^xbe>]*[xbe>]|<[^xbe]*xbe" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx +ADw-.*(?:+AD4-|>)|<.*+AD4-" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx ![!+ ][]" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?:self|document|this|top|window)s*(?:/*|[[)]).+?(?:]|*/)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:eval|set(?:timeout|interval)|new[sv]+Function|a(?:lert|tob)|btoa|prompt|confirm)[sv]*(" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx ((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@detectXSS" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)[s" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:s(?:tyle|rc)|href)b[sS]*?=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@contains -->" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i:[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx (?i)[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@rx {{.*?}}" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`# Apache ModSecurity rules for XSS`
			`SecRuleEngine On`

			`SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@detectXSS" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)<script[^>]>[sS]?" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
Update: [Sun Dec 22 00:28:28 UTC 2024] 2024-12-22 00:28:28 +00:00			`SecRule REQUEST_URI "@rx (?i).(?:b(?:x(?:link:href\|html\|mlns)\|data:text/html\|formaction\|patternb.*?=)\|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM\|PUBLIC)\|@import\|;base64)b" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`SecRule REQUEST_URI "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
Update: [Sun Dec 22 00:28:28 UTC 2024] 2024-12-22 00:28:28 +00:00			`SecRule REQUEST_URI "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sv" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`SecRule REQUEST_URI "@rx (?i)(?:W\|^)(?:javascript:(?:[sS]+[=x5c([.<]\|[sS]?(?:bnameb\|x5c[ux]d))\|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]\|[sS]?;[sS]?b(?:base64\|charset=)\|[sS]?,[sS]?<[sS]?w[sS]?>))\|@W?iW?mW?pW?oW?rW?tW?(?:/[sS]?)?(?:[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i:<style.?>.?(?:@[ix5c]\|(?:[:=]\|&#x?0(?:58\|3A\|61\|3D);?).?(?:[(x5c]\|&#x?0*(?:40\|28\|92\|5C);?)))" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i:<.[:]?vmlframe.?[s/+]?src[s/+]=)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
Update: [Sun Dec 22 00:28:28 UTC 2024] 2024-12-22 00:28:28 +00:00			SecRule REQUEST_URI "@rx (?i)(?:j\|&#(?:0(?:74\|106)\|x0[46]A);)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:a\|&#(?:0(?:65\|97)\|x0[46]1);)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:v\|&#(?:0(?:86\|118)\|x0[57]6);)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:a\|&#(?:0(?:65\|97)\|x0[46]1);)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:s\|&#(?:0(?:115\|83)\|x0[57]3);)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:c\|&#(?:x0[46]3\|0(?:99\|67));)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:r\|&#(?:x0[57]2\|0(?:114\|82));)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:i\|&#(?:x0[46]9\|0(?:105\|73));)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:p\|&#(?:x0[57]0\|0(?:112\|80));)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:t\|&#(?:x0[57]4\|0(?:116\|84));)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?::\|&(?:#(?:058\|x03A);?\|colon;))." "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
			SecRule REQUEST_URI "@rx (?i)(?:v\|&#(?:0(?:118\|86)\|x0[57]6);)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:b\|&#(?:0(?:98\|66)\|x0[46]2);)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:s\|&#(?:0(?:115\|83)\|x0[57]3);)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:c\|&#(?:x0[46]3\|0(?:99\|67));)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:r\|&#(?:x0[57]2\|0(?:114\|82));)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:i\|&#(?:x0[46]9\|0(?:105\|73));)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:p\|&#(?:x0[57]0\|0(?:112\|80));)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?:t\|&#(?:x0[57]4\|0(?:116\|84));)(?:[t-nr]\|&(?:#(?:0(?:9\|1[03])\|x0[AD]);?\|(?:tab\|newline);))(?::\|&(?:#(?:058\|x03A);?\|colon;))." "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`SecRule REQUEST_URI "@rx (?i)<EMBED[s/+].?(?:src\|type).?=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx <[?]?import[s/+S]?implementation[s/+]?=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i:<META[s/+].?http-equiv[s/+]=[s/+]*[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i:<META[s/+].?charset[s/+]=)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)<LINK[s/+].?href[s/+]=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)<BASE[s/+].?href[s/+]=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)<APPLET[s/+>]" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)<OBJECT[s/+].?(?:type\|codetype\|classid\|code\|data)[s/+]=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx xbc[^xbe>][xbe>]\|<[^xbe]xbe" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?:xbcs/s[^xbe>][xbe>])\|(?:<s/s[^xbe]xbe)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx +ADw-.(?:+AD4-\|>)\|<.+AD4-" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx ![!+ ][]" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?:self\|document\|this\|top\|window)s(?:/\|[[)]).+?(?:]\|*/)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
Update: [Sun Dec 22 00:28:28 UTC 2024] 2024-12-22 00:28:28 +00:00			`SecRule REQUEST_URI "@rx (?i)b(?:eval\|set(?:timeout\|interval)\|new[sv]+Function\|a(?:lert\|tob)\|btoa\|prompt\|confirm)[sv]*(" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			SecRule REQUEST_URI "@rx ((?:[[^]]][^.].)\|Reflect[^.].).(?:map\|sort\|apply)[^.]..call[^`]`.`" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
			`SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@detectXSS" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)[s" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)b(?:s(?:tyle\|rc)\|href)b[sS]*?=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@contains -->" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			SecRule REQUEST_URI "@rx <(?:a\|abbr\|acronym\|address\|applet\|area\|audioscope\|b\|base\|basefront\|bdo\|bgsound\|big\|blackface\|blink\|blockquote\|body\|bq\|br\|button\|caption\|center\|cite\|code\|col\|colgroup\|comment\|dd\|del\|dfn\|dir\|div\|dl\|dt\|em\|embed\|fieldset\|fn\|font\|form\|frame\|frameset\|h1\|head\|hr\|html\|i\|iframe\|ilayer\|img\|input\|ins\|isindex\|kdb\|keygen\|label\|layer\|legend\|li\|limittext\|link\|listing\|map\|marquee\|menu\|meta\|multicol\|nobr\|noembed\|noframes\|noscript\|nosmartquotes\|object\|ol\|optgroup\|option\|p\|param\|plaintext\|pre\|q\|rt\|ruby\|s\|samp\|script\|select\|server\|shadow\|sidebar\|small\|spacer\|span\|strike\|strong\|style\|sub\|sup\|table\|tbody\|td\|textarea\|tfoot\|th\|thead\|title\|tr\|tt\|u\|ul\|var\|wbr\|xml\|xmp)W" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
			`SecRule REQUEST_URI "@rx (?i:[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@rx {{.*?}}" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"`