patterns/waf_patterns/apache/xss.conf

# Apache ModSecurity rules for XSS
SecRuleEngine On

SecRule REQUEST_URI "\(\?i\)<APPLET\[s/\+>\]" "id:1144,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "<\(\?:a\|abbr\|acronym\|address\|applet\|area\|audioscope\|b\|base\|basefront\|bdo\|bgsound\|big\|blackface\|blink\|blockquote\|body\|bq\|br\|button\|caption\|center\|cite\|code\|col\|colgroup\|comment\|dd\|del\|dfn\|dir\|div\|dl\|dt\|em\|embed\|fieldset\|fn\|font\|form\|frame\|frameset\|h1\|head\|hr\|html\|i\|iframe\|ilayer\|img\|input\|ins\|isindex\|kdb\|keygen\|label\|layer\|legend\|li\|limittext\|link\|listing\|map\|marquee\|menu\|meta\|multicol\|nobr\|noembed\|noframes\|noscript\|nosmartquotes\|object\|ol\|optgroup\|option\|p\|param\|plaintext\|pre\|q\|rt\|ruby\|s\|samp\|script\|select\|server\|shadow\|sidebar\|small\|spacer\|span\|strike\|strong\|style\|sub\|sup\|table\|tbody\|td\|textarea\|tfoot\|th\|thead\|title\|tr\|tt\|u\|ul\|var\|wbr\|xml\|xmp\)W" "id:1153,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)<EMBED\[s/\+\]\.\*\?\(\?:src\|type\)\.\*\?=" "id:1138,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@detectXSS" "id:1149,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i:\["'\]\[\ \]\*\(\?:\[\^a\-z0\-9\~_:'\ \]\|in\)\.\*\?\(\?:\(\?:l\|x5cu006C\)\(\?:o\|x5cu006F\)\(\?:c\|x5cu0063\)\(\?:a\|x5cu0061\)\(\?:t\|x5cu0074\)\(\?:i\|x5cu0069\)\(\?:o\|x5cu006F\)\(\?:n\|x5cu006E\)\|\(\?:n\|x5cu006E\)\(\?:a\|x5cu0061\)\(\?:m\|x5cu006D\)\(\?:e\|x5cu0065\)\|\(\?:o\|x5cu006F\)\(\?:n\|x5cu006E\)\(\?:e\|x5cu0065\)\(\?:r\|x5cu0072\)\(\?:r\|x5cu0072\)\(\?:o\|x5cu006F\)\(\?:r\|x5cu0072\)\|\(\?:v\|x5cu0076\)\(\?:a\|x5cu0061\)\(\?:l\|x5cu006C\)\(\?:u\|x5cu0075\)\(\?:e\|x5cu0065\)\(\?:O\|x5cu004F\)\(\?:f\|x5cu0066\)\)\.\*\?=\)" "id:1154,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)b\(\?:s\(\?:tyle\|rc\)\|href\)b\[sS\]\*\?=" "id:1151,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)<LINK\[s/\+\]\.\*\?href\[s/\+\]\*=" "id:1142,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "xbc\[\^xbe>\]\*\[xbe>\]\|<\[\^xbe\]\*xbe" "id:1146,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?:xbcs\*/s\*\[\^xbe>\]\*\[xbe>\]\)\|\(\?:<s\*/s\*\[\^xbe\]\*xbe\)" "id:1147,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i:<style\.\*\?>\.\*\?\(\?:@\[ix5c\]\|\(\?:\[:=\]\|\&\#x\?0\*\(\?:58\|3A\|61\|3D\);\?\)\.\*\?\(\?:\[\(x5c\]\|\&\#x\?0\*\(\?:40\|28\|92\|5C\);\?\)\)\)" "id:1136,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i:<\.\*\[:\]\?vmlframe\.\*\?\[s/\+\]\*\?src\[s/\+\]\*=\)" "id:1137,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@contains\ \-\->" "id:1152,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)\[s"'`;/0\-9=x0Bx09x0Cx3Bx2Cx28x3B\]on\[a\-zA\-Z\]\{3,25\}\[sx0Bx09x0Cx3Bx2Cx28x3B\]\*\?=\[\^=\]" "id:1150,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\[\^\]\]\*\]\[\^\.\]\*\.\)\|Reflect\[\^\.\]\*\.\)\.\*\(\?:map\|sort\|apply\)\[\^\.\]\*\.\.\*call\[\^`\]\*`\.\*`" "id:1148,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "<\[\?\]\?import\[s/\+S\]\*\?implementation\[s/\+\]\*\?=" "id:1139,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\{\{\.\*\?\}\}" "id:1156,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i:<META\[s/\+\]\.\*\?charset\[s/\+\]\*=\)" "id:1141,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@detectXSS" "id:1132,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)<\[\^0\-9<>A\-Z_a\-z\]\*\(\?:\[\^sv"'<>\]\*:\)\?\[\^0\-9<>A\-Z_a\-z\]\*\[\^0\-9A\-Z_a\-z\]\*\?\(\?:s\[\^0\-9A\-Z_a\-z\]\*\?\(\?:c\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?t\|t\[\^0\-9A\-Z_a\-z\]\*\?y\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\|v\[\^0\-9A\-Z_a\-z\]\*\?g\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9>A\-Z_a\-z\]\)\|f\[\^0\-9A\-Z_a\-z\]\*\?o\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?m\|m\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?q\[\^0\-9A\-Z_a\-z\]\*\?u\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?e\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:l\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?k\|o\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?j\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?c\[\^0\-9A\-Z_a\-z\]\*\?t\|e\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?d\|a\[\^0\-9A\-Z_a\-z\]\*\?\(\?:p\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?t\|u\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?o\|n\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?e\)\|p\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\|i\?\[\^0\-9A\-Z_a\-z\]\*\?f\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?e\|b\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?s\[\^0\-9A\-Z_a\-z\]\*\?e\|o\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?y\|i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?s\)\|i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\?\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?e\?\|v\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?o\)\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:<\[0\-9A\-Z_a\-z\]\.\*\[sv/\]\|\["'\]\(\?:\.\*\[sv/\]\)\?\)\(\?:background\|formaction\|lowsrc\|on\(\?:a\(\?:bort\|ctivate\|d\(\?:apteradded\|dtrack\)\|fter\(\?:print\|\(\?:scriptexecu\|upda\)te\)\|lerting\|n\(\?:imation\(\?:cancel\|end\|iteration\|start\)\|tennastatechange\)\|ppcommand\|u\(\?:dio\(\?:end\|process\|start\)\|xclick\)\)\|b\(\?:e\(\?:fore\(\?:\(\?:\(\?:\(\?:de\)\?activa\|scriptexecu\)t\|toggl\)e\|c\(\?:opy\|ut\)\|editfocus\|input\|p\(\?:aste\|rint\)\|u\(\?:nload\|pdate\)\)\|gin\(\?:Event\)\?\)\|l\(\?:ocked\|ur\)\|oun\(\?:ce\|dary\)\|roadcast\|usy\)\|c\(\?:a\(\?:\(\?:ch\|llschang\)ed\|nplay\(\?:through\)\?\|rdstatechange\)\|\(\?:ell\|fstate\)change\|h\(\?:a\(\?:rging\(\?:time\)\?cha\)\?nge\|ecking\)\|l\(\?:ick\|ose\)\|o\(\?:m\(\?:mand\(\?:update\)\?\|p\(\?:lete\|osition\(\?:end\|start\|update\)\)\)\|n\(\?:nect\(\?:ed\|ing\)\|t\(\?:extmenu\|rolselect\)\)\|py\)\|u\(\?:echange\|t\)\)\|d\(\?:ata\(\?:\(\?:availabl\|chang\)e\|error\|setc\(\?:hanged\|omplete\)\)\|blclick\|e\(\?:activate\|livery\(\?:error\|success\)\|vice\(\?:found\|light\|\(\?:mo\|orienta\)tion\|proximity\)\)\|i\(\?:aling\|s\(\?:abled\|c\(\?:hargingtimechange\|onnect\(\?:ed\|ing\)\)\)\)\|o\(\?:m\(\?:a\(\?:ctivate\|ttrmodified\)\|\(\?:characterdata\|subtree\)modified\|focus\(\?:in\|out\)\|mousescroll\|node\(\?:inserted\(\?:intodocument\)\?\|removed\(\?:fromdocument\)\?\)\)\|wnloading\)\|r\(\?:ag\(\?:drop\|e\(\?:n\(\?:d\|ter\)\|xit\)\|\(\?:gestur\|leav\)e\|over\|start\)\|op\)\|urationchange\)\|e\(\?:mptied\|n\(\?:abled\|d\(\?:ed\|Event\)\?\|ter\)\|rror\(\?:update\)\?\|xit\)\|f\(\?:ailed\|i\(\?:lterchange\|nish\)\|o\(\?:cus\(\?:in\|out\)\?\|rm\(\?:change\|input\)\)\|ullscreenchange\)\|g\(\?:amepad\(\?:axismove\|button\(\?:down\|up\)\|\(\?:dis\)\?connected\)\|et\)\|h\(\?:ashchange\|e\(\?:adphoneschange\|l\[dp\]\)\|olding\)\|i\(\?:cc\(\?:cardlockerror\|infochange\)\|n\(\?:coming\|put\|valid\)\)\|key\(\?:down\|press\|up\)\|l\(\?:evelchange\|o\(\?:ad\(\?:e\(\?:d\(\?:meta\)\?data\|nd\)\|start\)\?\|secapture\)\|y\)\|m\(\?:ark
SecRule REQUEST_URI "\(\?i\)<script\[\^>\]\*>\[sS\]\*\?" "id:1133,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i:<META\[s/\+\]\.\*\?http\-equiv\[s/\+\]\*=\[s/\+\]\*\["'`\]\?\(\?:\(\?:c\|\&\#x\?0\*\(\?:67\|43\|99\|63\);\?\)\|\(\?:r\|\&\#x\?0\*\(\?:82\|52\|114\|72\);\?\)\|\(\?:s\|\&\#x\?0\*\(\?:83\|53\|115\|73\);\?\)\)\)" "id:1140,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)\.\(\?:b\(\?:x\(\?:link:href\|html\|mlns\)\|data:text/html\|formaction\|patternb\.\*\?=\)\|!ENTITY\[sv\]\+\(\?:%\[sv\]\+\)\?\[\^sv\]\+\[sv\]\+\(\?:SYSTEM\|PUBLIC\)\|@import\|;base64\)b" "id:1134,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)\["'\]\[\ \]\*\(\?:\[\^a\-z0\-9\~_:'\ \]\|in\)\.\+\?\[\.\]\.\+\?=" "id:1155,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)<BASE\[s/\+\]\.\*\?href\[s/\+\]\*=" "id:1143,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "!@validateByteRange\ 20,\ 45\-47,\ 48\-57,\ 65\-90,\ 95,\ 97\-122" "id:1131,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)<OBJECT\[s/\+\]\.\*\?\(\?:type\|codetype\|classid\|code\|data\)\[s/\+\]\*=" "id:1145,phase:1,deny,status:403,log,msg:'xss attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`# Apache ModSecurity rules for XSS`
			`SecRuleEngine On`

Update: [Sat Feb 8 00:25:04 UTC 2025] 2025-02-08 00:25:04 +00:00			`SecRule REQUEST_URI "\(\?i\)<APPLET\[s/\+>\]" "id:1144,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			SecRule REQUEST_URI "<\(\?:a\\|abbr\\|acronym\\|address\\|applet\\|area\\|audioscope\\|b\\|base\\|basefront\\|bdo\\|bgsound\\|big\\|blackface\\|blink\\|blockquote\\|body\\|bq\\|br\\|button\\|caption\\|center\\|cite\\|code\\|col\\|colgroup\\|comment\\|dd\\|del\\|dfn\\|dir\\|div\\|dl\\|dt\\|em\\|embed\\|fieldset\\|fn\\|font\\|form\\|frame\\|frameset\\|h1\\|head\\|hr\\|html\\|i\\|iframe\\|ilayer\\|img\\|input\\|ins\\|isindex\\|kdb\\|keygen\\|label\\|layer\\|legend\\|li\\|limittext\\|link\\|listing\\|map\\|marquee\\|menu\\|meta\\|multicol\\|nobr\\|noembed\\|noframes\\|noscript\\|nosmartquotes\\|object\\|ol\\|optgroup\\|option\\|p\\|param\\|plaintext\\|pre\\|q\\|rt\\|ruby\\|s\\|samp\\|script\\|select\\|server\\|shadow\\|sidebar\\|small\\|spacer\\|span\\|strike\\|strong\\|style\\|sub\\|sup\\|table\\|tbody\\|td\\|textarea\\|tfoot\\|th\\|thead\\|title\\|tr\\|tt\\|u\\|ul\\|var\\|wbr\\|xml\\|xmp\)W" "id:1153,phase:1,deny,status:403,log,msg:'xss attack detected'"
			`SecRule REQUEST_URI "\(\?i\)<EMBED\[s/\+\]\.\\?\(\?:src\\|type\)\.\\?=" "id:1138,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@detectXSS" "id:1149,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			SecRule REQUEST_URI "\(\?i:\["'\]\[\ \]\\(\?:\[\^a\-z0\-9\~_:'\ \]\\|in\)\.\\?\(\?:\(\?:l\\|x5cu006C\)\(\?:o\\|x5cu006F\)\(\?:c\\|x5cu0063\)\(\?:a\\|x5cu0061\)\(\?:t\\|x5cu0074\)\(\?:i\\|x5cu0069\)\(\?:o\\|x5cu006F\)\(\?:n\\|x5cu006E\)\\|\(\?:n\\|x5cu006E\)\(\?:a\\|x5cu0061\)\(\?:m\\|x5cu006D\)\(\?:e\\|x5cu0065\)\\|\(\?:o\\|x5cu006F\)\(\?:n\\|x5cu006E\)\(\?:e\\|x5cu0065\)\(\?:r\\|x5cu0072\)\(\?:r\\|x5cu0072\)\(\?:o\\|x5cu006F\)\(\?:r\\|x5cu0072\)\\|\(\?:v\\|x5cu0076\)\(\?:a\\|x5cu0061\)\(\?:l\\|x5cu006C\)\(\?:u\\|x5cu0075\)\(\?:e\\|x5cu0065\)\(\?:O\\|x5cu004F\)\(\?:f\\|x5cu0066\)\)\.\*\?=\)" "id:1154,phase:1,deny,status:403,log,msg:'xss attack detected'"
			`SecRule REQUEST_URI "\(\?i\)b\(\?:s\(\?:tyle\\|rc\)\\|href\)b\[sS\]\*\?=" "id:1151,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "\(\?i\)<LINK\[s/\+\]\.\\?href\[s/\+\]\=" "id:1142,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "xbc\[\^xbe>\]\\[xbe>\]\\|<\[\^xbe\]\xbe" "id:1146,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "\(\?:xbcs\/s\\[\^xbe>\]\\[xbe>\]\)\\|\(\?:<s\/s\\[\^xbe\]\xbe\)" "id:1147,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "\(\?i:<style\.\\?>\.\\?\(\?:@\[ix5c\]\\|\(\?:\[:=\]\\|\&\#x\?0\\(\?:58\\|3A\\|61\\|3D\);\?\)\.\\?\(\?:\[\(x5c\]\\|\&\#x\?0\*\(\?:40\\|28\\|92\\|5C\);\?\)\)\)" "id:1136,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "\(\?i:<\.\\[:\]\?vmlframe\.\\?\[s/\+\]\\?src\[s/\+\]\=\)" "id:1137,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@contains\ \-\->" "id:1152,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			SecRule REQUEST_URI "\(\?i\)\[s"'`;/0\-9=x0Bx09x0Cx3Bx2Cx28x3B\]on\[a\-zA\-Z\]\{3,25\}\[sx0Bx09x0Cx3Bx2Cx28x3B\]\*\?=\[\^=\]" "id:1150,phase:1,deny,status:403,log,msg:'xss attack detected'"
			SecRule REQUEST_URI "\(\(\?:\[\[\^\]\]\\]\[\^\.\]\\.\)\\|Reflect\[\^\.\]\\.\)\.\\(\?:map\\|sort\\|apply\)\[\^\.\]\\.\.\call\[\^`\]\`\.\`" "id:1148,phase:1,deny,status:403,log,msg:'xss attack detected'"
			`SecRule REQUEST_URI "<\[\?\]\?import\[s/\+S\]\\?implementation\[s/\+\]\\?=" "id:1139,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "\{\{\.\*\?\}\}" "id:1156,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "\(\?i:<META\[s/\+\]\.\\?charset\[s/\+\]\=\)" "id:1141,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "@detectXSS" "id:1132,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			SecRule REQUEST_URI "\(\?i\)<\[\^0\-9<>A\-Z_a\-z\]\\(\?:\[\^sv"'<>\]\:\)\?\[\^0\-9<>A\-Z_a\-z\]\\[\^0\-9A\-Z_a\-z\]\\?\(\?:s\[\^0\-9A\-Z_a\-z\]\\?\(\?:c\[\^0\-9A\-Z_a\-z\]\\?r\[\^0\-9A\-Z_a\-z\]\\?i\[\^0\-9A\-Z_a\-z\]\\?p\[\^0\-9A\-Z_a\-z\]\\?t\\|t\[\^0\-9A\-Z_a\-z\]\\?y\[\^0\-9A\-Z_a\-z\]\\?l\[\^0\-9A\-Z_a\-z\]\\?e\\|v\[\^0\-9A\-Z_a\-z\]\\?g\\|e\[\^0\-9A\-Z_a\-z\]\\?t\[\^0\-9>A\-Z_a\-z\]\)\\|f\[\^0\-9A\-Z_a\-z\]\\?o\[\^0\-9A\-Z_a\-z\]\\?r\[\^0\-9A\-Z_a\-z\]\\?m\\|m\[\^0\-9A\-Z_a\-z\]\\?\(\?:a\[\^0\-9A\-Z_a\-z\]\\?r\[\^0\-9A\-Z_a\-z\]\\?q\[\^0\-9A\-Z_a\-z\]\\?u\[\^0\-9A\-Z_a\-z\]\\?e\[\^0\-9A\-Z_a\-z\]\\?e\\|e\[\^0\-9A\-Z_a\-z\]\\?t\[\^0\-9A\-Z_a\-z\]\\?a\[\^0\-9>A\-Z_a\-z\]\)\\|\(\?:l\[\^0\-9A\-Z_a\-z\]\\?i\[\^0\-9A\-Z_a\-z\]\\?n\[\^0\-9A\-Z_a\-z\]\\?k\\|o\[\^0\-9A\-Z_a\-z\]\\?b\[\^0\-9A\-Z_a\-z\]\\?j\[\^0\-9A\-Z_a\-z\]\\?e\[\^0\-9A\-Z_a\-z\]\\?c\[\^0\-9A\-Z_a\-z\]\\?t\\|e\[\^0\-9A\-Z_a\-z\]\\?m\[\^0\-9A\-Z_a\-z\]\\?b\[\^0\-9A\-Z_a\-z\]\\?e\[\^0\-9A\-Z_a\-z\]\\?d\\|a\[\^0\-9A\-Z_a\-z\]\\?\(\?:p\[\^0\-9A\-Z_a\-z\]\\?p\[\^0\-9A\-Z_a\-z\]\\?l\[\^0\-9A\-Z_a\-z\]\\?e\[\^0\-9A\-Z_a\-z\]\\?t\\|u\[\^0\-9A\-Z_a\-z\]\\?d\[\^0\-9A\-Z_a\-z\]\\?i\[\^0\-9A\-Z_a\-z\]\\?o\\|n\[\^0\-9A\-Z_a\-z\]\\?i\[\^0\-9A\-Z_a\-z\]\\?m\[\^0\-9A\-Z_a\-z\]\\?a\[\^0\-9A\-Z_a\-z\]\\?t\[\^0\-9A\-Z_a\-z\]\\?e\)\\|p\[\^0\-9A\-Z_a\-z\]\\?a\[\^0\-9A\-Z_a\-z\]\\?r\[\^0\-9A\-Z_a\-z\]\\?a\[\^0\-9A\-Z_a\-z\]\\?m\\|i\?\[\^0\-9A\-Z_a\-z\]\\?f\[\^0\-9A\-Z_a\-z\]\\?r\[\^0\-9A\-Z_a\-z\]\\?a\[\^0\-9A\-Z_a\-z\]\\?m\[\^0\-9A\-Z_a\-z\]\\?e\\|b\[\^0\-9A\-Z_a\-z\]\\?\(\?:a\[\^0\-9A\-Z_a\-z\]\\?s\[\^0\-9A\-Z_a\-z\]\\?e\\|o\[\^0\-9A\-Z_a\-z\]\\?d\[\^0\-9A\-Z_a\-z\]\\?y\\|i\[\^0\-9A\-Z_a\-z\]\\?n\[\^0\-9A\-Z_a\-z\]\\?d\[\^0\-9A\-Z_a\-z\]\\?i\[\^0\-9A\-Z_a\-z\]\\?n\[\^0\-9A\-Z_a\-z\]\\?g\[\^0\-9A\-Z_a\-z\]\\?s\)\\|i\[\^0\-9A\-Z_a\-z\]\\?m\[\^0\-9A\-Z_a\-z\]\\?a\?\[\^0\-9A\-Z_a\-z\]\\?g\[\^0\-9A\-Z_a\-z\]\\?e\?\\|v\[\^0\-9A\-Z_a\-z\]\\?i\[\^0\-9A\-Z_a\-z\]\\?d\[\^0\-9A\-Z_a\-z\]\\?e\[\^0\-9A\-Z_a\-z\]\\?o\)\[\^0\-9>A\-Z_a\-z\]\)\\|\(\?:<\[0\-9A\-Z_a\-z\]\.\\[sv/\]\\|\["'\]\(\?:\.\\[sv/\]\)\?\)\(\?:background\\|formaction\\|lowsrc\\|on\(\?:a\(\?:bort\\|ctivate\\|d\(\?:apteradded\\|dtrack\)\\|fter\(\?:print\\|\(\?:scriptexecu\\|upda\)te\)\\|lerting\\|n\(\?:imation\(\?:cancel\\|end\\|iteration\\|start\)\\|tennastatechange\)\\|ppcommand\\|u\(\?:dio\(\?:end\\|process\\|start\)\\|xclick\)\)\\|b\(\?:e\(\?:fore\(\?:\(\?:\(\?:\(\?:de\)\?activa\\|scriptexecu\)t\\|toggl\)e\\|c\(\?:opy\\|ut\)\\|editfocus\\|input\\|p\(\?:aste\\|rint\)\\|u\(\?:nload\\|pdate\)\)\\|gin\(\?:Event\)\?\)\\|l\(\?:ocked\\|ur\)\\|oun\(\?:ce\\|dary\)\\|roadcast\\|usy\)\\|c\(\?:a\(\?:\(\?:ch\\|llschang\)ed\\|nplay\(\?:through\)\?\\|rdstatechange\)\\|\(\?:ell\\|fstate\)change\\|h\(\?:a\(\?:rging\(\?:time\)\?cha\)\?nge\\|ecking\)\\|l\(\?:ick\\|ose\)\\|o\(\?:m\(\?:mand\(\?:update\)\?\\|p\(\?:lete\\|osition\(\?:end\\|start\\|update\)\)\)\\|n\(\?:nect\(\?:ed\\|ing\)\\|t\(\?:extmenu\\|rolselect\)\)\\|py\)\\|u\(\?:echange\\|t\)\)\\|d\(\?:ata\(\?:\(\?:availabl\\|chang\)e\\|error\\|setc\(\?:hanged\\|omplete\)\)\\|blclick\\|e\(\?:activate\\|livery\(\?:error\\|success\)\\|vice\(\?:found\\|light\\|\(\?:mo\\|orienta\)tion\\|proximity\)\)\\|i\(\?:aling\\|s\(\?:abled\\|c\(\?:hargingtimechange\\|onnect\(\?:ed\\|ing\)\)\)\)\\|o\(\?:m\(\?:a\(\?:ctivate\\|ttrmodified\)\\|\(\?:characterdata\\|subtree\)modified\\|focus\(\?:in\\|out\)\\|mousescroll\\|node\(\?:inserted\(\?:intodocument\)\?\\|removed\(\?:fromdocument\)\?\)\)\\|wnloading\)\\|r\(\?:ag\(\?:drop\\|e\(\?:n\(\?:d\\|ter\)\\|xit\)\\|\(\?:gestur\\|leav\)e\\|over\\|start\)\\|op\)\\|urationchange\)\\|e\(\?:mptied\\|n\(\?:abled\\|d\(\?:ed\\|Event\)\?\\|ter\)\\|rror\(\?:update\)\?\\|xit\)\\|f\(\?:ailed\\|i\(\?:lterchange\\|nish\)\\|o\(\?:cus\(\?:in\\|out\)\?\\|rm\(\?:change\\|input\)\)\\|ullscreenchange\)\\|g\(\?:amepad\(\?:axismove\\|button\(\?:down\\|up\)\\|\(\?:dis\)\?connected\)\\|et\)\\|h\(\?:ashchange\\|e\(\?:adphoneschange\\|l\[dp\]\)\\|olding\)\\|i\(\?:cc\(\?:cardlockerror\\|infochange\)\\|n\(\?:coming\\|put\\|valid\)\)\\|key\(\?:down\\|press\\|up\)\\|l\(\?:evelchange\\|o\(\?:ad\(\?:e\(\?:d\(\?:meta\)\?data\\|nd\)\\|start\)\?\\|secapture\)\\|y\)\\|m\(\?:ark
			`SecRule REQUEST_URI "\(\?i\)<script\[\^>\]\>\[sS\]\\?" "id:1133,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			SecRule REQUEST_URI "\(\?i:<META\[s/\+\]\.\\?http\-equiv\[s/\+\]\=\[s/\+\]\\["'`\]\?\(\?:\(\?:c\\|\&\#x\?0\\(\?:67\\|43\\|99\\|63\);\?\)\\|\(\?:r\\|\&\#x\?0\\(\?:82\\|52\\|114\\|72\);\?\)\\|\(\?:s\\|\&\#x\?0\\(\?:83\\|53\\|115\\|73\);\?\)\)\)" "id:1140,phase:1,deny,status:403,log,msg:'xss attack detected'"
			`SecRule REQUEST_URI "\(\?i\)\.\(\?:b\(\?:x\(\?:link:href\\|html\\|mlns\)\\|data:text/html\\|formaction\\|patternb\.\*\?=\)\\|!ENTITY\[sv\]\+\(\?:%\[sv\]\+\)\?\[\^sv\]\+\[sv\]\+\(\?:SYSTEM\\|PUBLIC\)\\|@import\\|;base64\)b" "id:1134,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "\(\?i\)\["'\]\[\ \]\*\(\?:\[\^a\-z0\-9\~_:'\ \]\\|in\)\.\+\?\[\.\]\.\+\?=" "id:1155,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "\(\?i\)<BASE\[s/\+\]\.\\?href\[s/\+\]\=" "id:1143,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "!@validateByteRange\ 20,\ 45\-47,\ 48\-57,\ 65\-90,\ 95,\ 97\-122" "id:1131,phase:1,deny,status:403,log,msg:'xss attack detected'"`
			`SecRule REQUEST_URI "\(\?i\)<OBJECT\[s/\+\]\.\\?\(\?:type\\|codetype\\|classid\\|code\\|data\)\[s/\+\]\=" "id:1145,phase:1,deny,status:403,log,msg:'xss attack detected'"`