External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-17 09:45:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

nginx generation improved

Browse Source
This commit is contained in:
fabriziosalmi 2025-01-16 13:49:54 +01:00
parent de35fec973
commit 1da19ed802
22 changed files with 515 additions and 1105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
owasp2nginx.py → json2nginx.py
View File

@ -5,19 +5,23 @@ import logging
from pathlib import Path from pathlib import Path
from collections import defaultdict from collections import defaultdict
# Configure logging
logging.basicConfig( logging.basicConfig(
level=logging.INFO, level=logging.INFO,
format="%(asctime)s - %(levelname)s - %(message)s", format="%(asctime)s - %(levelname)s - %(message)s",
handlers=[logging.StreamHandler()], handlers=[logging.StreamHandler()],
) )
# Input and output paths
INPUT_FILE = Path(os.getenv("INPUT_FILE", "owasp_rules.json")) INPUT_FILE = Path(os.getenv("INPUT_FILE", "owasp_rules.json"))
OUTPUT_DIR = Path(os.getenv("OUTPUT_DIR", "waf_patterns/nginx")) OUTPUT_DIR = Path(os.getenv("OUTPUT_DIR", "waf_patterns/nginx"))
# Create output directory if it doesn't exist
OUTPUT_DIR.mkdir(parents=True, exist_ok=True) OUTPUT_DIR.mkdir(parents=True, exist_ok=True)
def load_owasp_rules(file_path): def load_owasp_rules(file_path):
"""Load OWASP rules from a JSON file."""
try: try:
with open(file_path, "r") as f: with open(file_path, "r") as f:
return json.load(f) return json.load(f)
@ -30,6 +34,7 @@ def load_owasp_rules(file_path):
def validate_regex(pattern): def validate_regex(pattern):
"""Validate if a pattern is a valid regex."""
try: try:
re.compile(pattern) re.compile(pattern)
return True return True
@ -38,7 +43,11 @@ def validate_regex(pattern):
def sanitize_pattern(pattern): def sanitize_pattern(pattern):
if "@pmFromFile" in pattern or "!@eq" in pattern or "!@within" in pattern or "@lt" in pattern: """Sanitize and validate OWASP patterns for Nginx compatibility."""
if any(
keyword in pattern
for keyword in ["@pmFromFile", "!@eq", "!@within", "@lt"]
):
logging.warning(f"Skipping unsupported pattern: {pattern}") logging.warning(f"Skipping unsupported pattern: {pattern}")
return None return None
@ -50,6 +59,7 @@ def sanitize_pattern(pattern):
def generate_nginx_waf(rules): def generate_nginx_waf(rules):
"""Generate Nginx WAF configuration snippets from OWASP rules."""
categorized_rules = defaultdict(set) categorized_rules = defaultdict(set)
# Group rules by category # Group rules by category
@ -69,13 +79,23 @@ def generate_nginx_waf(rules):
try: try:
with open(output_file, "w") as f: with open(output_file, "w") as f:
f.write(f"# Nginx WAF rules for {category.upper()}\n") f.write(f"# Nginx WAF rules for {category.upper()}\n")
f.write("# Automatically generated from OWASP rules.\n")
f.write("# Include this file in your server or location block.\n\n") f.write("# Include this file in your server or location block.\n\n")
# Use a map to avoid redundant patterns
f.write("map $request_uri $waf_block_{category} {{\n".format(category=category))
f.write(" default 0;\n")
for pattern in patterns: for pattern in patterns:
escaped_pattern = pattern.replace('"', '\\"') escaped_pattern = pattern.replace('"', '\\"')
f.write(f'if ($request_uri ~* "{escaped_pattern}") {{\n') f.write(f' "~*{escaped_pattern}" 1;\n')
f.write(" return 403;\n") f.write("}\n\n")
f.write("}\n\n")
# Apply the WAF rule
f.write("if ($waf_block_{category}) {{\n".format(category=category))
f.write(" return 403;\n")
f.write(" # Log the blocked request (optional)\n")
f.write(" # access_log /var/log/nginx/waf_blocked.log;\n")
f.write("}\n\n")
logging.info(f"Generated {output_file} ({len(patterns)} patterns)") logging.info(f"Generated {output_file} ({len(patterns)} patterns)")
except IOError as e: except IOError as e:
@ -99,9 +119,14 @@ def generate_nginx_waf(rules):
f.write(" ```bash\n") f.write(" ```bash\n")
f.write(" sudo nginx -t && sudo systemctl reload nginx\n") f.write(" sudo nginx -t && sudo systemctl reload nginx\n")
f.write(" ```\n") f.write(" ```\n")
f.write("\n## Notes\n")
f.write("- The rules use `map` directives for efficient pattern matching.\n")
f.write("- Blocked requests return a `403 Forbidden` response by default.\n")
f.write("- You can enable logging for blocked requests by uncommenting the `access_log` line.\n")
def main(): def main():
"""Main function to load rules and generate Nginx configurations."""
try: try:
logging.info("Loading OWASP rules...") logging.info("Loading OWASP rules...")
owasp_rules = load_owasp_rules(INPUT_FILE) owasp_rules = load_owasp_rules(INPUT_FILE)
@ -116,4 +141,4 @@ def main():
if __name__ == "__main__": if __name__ == "__main__":
main() main()

0
owasp.py → owasp2json.py
View File

21
waf_patterns/nginx/README.md
View File

@ -1 +1,22 @@
# Nginx WAF Rule Snippets
This directory contains Nginx WAF rule snippets generated from OWASP rules.
You can include these snippets in your existing Nginx configuration to enhance security.
## Usage
1. Include the rule snippets in your `server` or `location` block:
```nginx
server {
# Your existing configuration
include /path/to/waf_patterns/nginx/*.conf;
}
```
2. Reload Nginx to apply the changes:
```bash
sudo nginx -t && sudo systemctl reload nginx
```
## Notes
- The rules use `map` directives for efficient pattern matching.
- Blocked requests return a `403 Forbidden` response by default.
- You can enable logging for blocked requests by uncommenting the `access_log` line.

85
waf_patterns/nginx/attack.conf
View File

@ -1,64 +1,27 @@
# Nginx WAF rules for ATTACK # Nginx WAF rules for ATTACK
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") { map $request_uri $waf_block_attack {
set $attack_detected 1; default 0;
} "~*^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" 1;
"~*[nr]" 1;
if ($request_uri ~* "TX:paramcounter_(.*)") { "~*^content-types*:s*(.*)$" 1;
set $attack_detected 1; "~*content-transfer-encoding:(.*)" 1;
} "~*(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" 1;
"~*@gt 1" 1;
if ($request_uri ~* "content-transfer-encoding:(.*)") { "~*TX:paramcounter_(.*)" 1;
set $attack_detected 1; "~*@gt 0" 1;
} "~*[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" 1;
"~*[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" 1;
if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") { "~*unix:[^|]*|" 1;
set $attack_detected 1; "~*." 1;
} "~*(?:bhttp/d|<(?:html|meta)b)" 1;
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
set $attack_detected 1;
}
if ($request_uri ~* "^content-types*:s*(.*)$") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
set $attack_detected 1;
}
if ($request_uri ~* "[nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "unix:[^|]*|") {
set $attack_detected 1;
}
if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* ".") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_attack) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

41
waf_patterns/nginx/correlation.conf
View File

@ -1,28 +1,19 @@
# Nginx WAF rules for CORRELATION # Nginx WAF rules for CORRELATION
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "@ge 5") { map $request_uri $waf_block_correlation {
set $attack_detected 1; default 0;
} "~*@ge %{tx.outbound_anomaly_score_threshold}" 1;
"~*@ge %{tx.inbound_anomaly_score_threshold}" 1;
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") { "~*@ge 5" 1;
set $attack_detected 1; "~*@gt 0" 1;
} "~*@eq 0" 1;
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_correlation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

295
waf_patterns/nginx/enforcement.conf
View File

@ -1,228 +1,73 @@
# Nginx WAF rules for ENFORCEMENT # Nginx WAF rules for ENFORCEMENT
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "(d+)-(d+)") { map $request_uri $waf_block_enforcement {
set $attack_detected 1; default 0;
} "~*!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$" 1;
"~*!@rx ^(?:OPTIONS|CONNECT)$" 1;
if ($request_uri ~* "^[^;s]+") { "~*@eq 1" 1;
set $attack_detected 1; "~*.([^.]+)$" 1;
} "~*@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" 1;
"~*@gt %{tx.total_arg_length}" 1;
if ($request_uri ~* "@contains #") { "~*!@streq JSON" 1;
set $attack_detected 1; "~*^(?:GET|HEAD)$" 1;
} "~*@validateUtf8Encoding" 1;
"~*.[^.~]+~(?:/.*|)$" 1;
if ($request_uri ~* "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}") { "~*@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" 1;
set $attack_detected 1; "~*%u[fF]{2}[0-9a-fA-F]{2}" 1;
} "~*!@pm AppleWebKit Android Business Enterprise Entreprise" 1;
"~*@gt %{tx.max_num_args}" 1;
if ($request_uri ~* "@eq 1") { "~*!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$" 1;
set $attack_detected 1; "~*^(?i)up" 1;
} "~*!@pm AppleWebKit Android" 1;
"~*@streq POST" 1;
if ($request_uri ~* "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122") { "~*^.*$" 1;
set $attack_detected 1; "~*!@rx ^d+$" 1;
} "~*@validateUrlEncoding" 1;
"~*@gt %{tx.arg_length}" 1;
if ($request_uri ~* "@validateUtf8Encoding") { "~*@gt %{tx.combined_file_sizes}" 1;
set $attack_detected 1; "~*^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" 1;
} "~*@ge 1" 1;
"~*@gt %{tx.arg_name_length}" 1;
if ($request_uri ~* "@streq POST") { "~*!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" 1;
set $attack_detected 1; "~*@gt 0" 1;
} "~*b(?:keep-alive|close),s?(?:keep-alive|close)b" 1;
"~*@validateByteRange 32-36,38-126" 1;
if ($request_uri ~* "^$") { "~*!@endsWith .pdf" 1;
set $attack_detected 1; "~*x25" 1;
} "~*['\";=]" 1;
"~*^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" 1;
if ($request_uri ~* "@gt %{tx.max_file_size}") { "~*@gt 50" 1;
set $attack_detected 1; "~*%[0-9a-fA-F]{2}" 1;
} "~*charset.*?charset" 1;
"~*!@rx ^0?$" 1;
if ($request_uri ~* "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$") { "~*!@rx ^OPTIONS$" 1;
set $attack_detected 1; "~*^(?i)multipart/form-data" 1;
} "~*(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" 1;
"~*(?i)x5cu[0-9a-f]{4}" 1;
if ($request_uri ~* "%[0-9a-fA-F]{2}") { "~*charsets*=s*[\"']?([^;\"'s]+)" 1;
set $attack_detected 1; "~*@within %{tx.restricted_headers_extended}" 1;
} "~*(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)" 1;
"~*@gt %{tx.max_file_size}" 1;
if ($request_uri ~* ".[^.~]+~(?:/.*|)$") { "~*@endsWith .pdf" 1;
set $attack_detected 1; "~*@within %{tx.restricted_extensions}" 1;
} "~*^$" 1;
"~*(d+)-(d+)" 1;
if ($request_uri ~* "x25") { "~*@gt 1" 1;
set $attack_detected 1; "~*@validateByteRange 1-255" 1;
} "~*@validateByteRange 9,10,13,32-126,128-255" 1;
"~*@within %{tx.restricted_headers_basic}" 1;
if ($request_uri ~* "!@rx ^0?$") { "~*^[^;s]+" 1;
set $attack_detected 1; "~*@eq 0" 1;
} "~*@contains #" 1;
"~*!@rx ^0$" 1;
if ($request_uri ~* "^(?:GET|HEAD)$") { "~*^(?i)application/x-www-form-urlencoded" 1;
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 32-36,38-126") {
set $attack_detected 1;
}
if ($request_uri ~* "%u[fF]{2}[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^OPTIONS$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_basic}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)x5cu[0-9a-f]{4}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.combined_file_sizes}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android Business Enterprise Entreprise") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 1-255") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_extensions}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:OPTIONS|CONNECT)$") {
set $attack_detected 1;
}
if ($request_uri ~* "charsets*=s*[\"']?([^;\"'s]+)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@streq JSON") {
set $attack_detected 1;
}
if ($request_uri ~* "charset.*?charset") {
set $attack_detected 1;
}
if ($request_uri ~* "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 50") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.total_arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^d+$") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "b(?:keep-alive|close),s?(?:keep-alive|close)b") {
set $attack_detected 1;
}
if ($request_uri ~* "['\";=]") {
set $attack_detected 1;
}
if ($request_uri ~* ".([^.]+)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.max_num_args}") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_extended}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_name_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 9,10,13,32-126,128-255") {
set $attack_detected 1;
}
if ($request_uri ~* "^.*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUrlEncoding") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_enforcement) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

51
waf_patterns/nginx/evaluation.conf
View File

@ -1,36 +1,21 @@
# Nginx WAF rules for EVALUATION # Nginx WAF rules for EVALUATION
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "@ge 3") { map $request_uri $waf_block_evaluation {
set $attack_detected 1; default 0;
} "~*@ge 3" 1;
"~*@ge 4" 1;
if ($request_uri ~* "@ge 4") { "~*@eq 1" 1;
set $attack_detected 1; "~*@ge %{tx.outbound_anomaly_score_threshold}" 1;
} "~*@ge %{tx.inbound_anomaly_score_threshold}" 1;
"~*@ge 1" 1;
if ($request_uri ~* "@eq 1") { "~*@ge 2" 1;
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_evaluation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

36
waf_patterns/nginx/exceptions.conf
View File

@ -1,24 +1,18 @@
# Nginx WAF rules for EXCEPTIONS # Nginx WAF rules for EXCEPTIONS
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "@streq GET /") { map $request_uri $waf_block_exceptions {
set $attack_detected 1; default 0;
} "~*^(?:GET /|OPTIONS *) HTTP/[12].[01]$" 1;
"~*@ipMatch 127.0.0.1,::1" 1;
if ($request_uri ~* "@endsWith (internal dummy connection)") { "~*@streq GET /" 1;
set $attack_detected 1; "~*@endsWith (internal dummy connection)" 1;
}
if ($request_uri ~* "@ipMatch 127.0.0.1,::1") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:GET /|OPTIONS *) HTTP/[12].[01]$") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_exceptions) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

41
waf_patterns/nginx/fixation.conf
View File

@ -1,28 +1,19 @@
# Nginx WAF rules for FIXATION # Nginx WAF rules for FIXATION
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "!@endsWith %{request_headers.host}") { map $request_uri $waf_block_fixation {
set $attack_detected 1; default 0;
} "~*^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" 1;
"~*(?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" 1;
if ($request_uri ~* "@eq 0") { "~*@eq 0" 1;
set $attack_detected 1; "~*!@endsWith %{request_headers.host}" 1;
} "~*^(?:ht|f)tps?://(.*?)/" 1;
if ($request_uri ~* "^(?:ht|f)tps?://(.*?)/") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_fixation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

31
waf_patterns/nginx/generic.conf
View File

@ -1,20 +1,17 @@
# Nginx WAF rules for GENERIC # Nginx WAF rules for GENERIC
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "[s*constructors*]") { map $request_uri $waf_block_generic {
set $attack_detected 1; default 0;
} "~*while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)" 1;
"~*[s*constructors*]" 1;
if ($request_uri ~* "@{.*}") { "~*@{.*}" 1;
set $attack_detected 1;
}
if ($request_uri ~* "while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_generic) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

36
waf_patterns/nginx/iis.conf
View File

@ -1,24 +1,18 @@
# Nginx WAF rules for IIS # Nginx WAF rules for IIS
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "(?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)") { map $request_uri $waf_block_iis {
set $attack_detected 1; default 0;
} "~*(?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)" 1;
"~*!@rx ^404$" 1;
if ($request_uri ~* "bServer Error in.{0,50}?bApplicationb") { "~*bServer Error in.{0,50}?bApplicationb" 1;
set $attack_detected 1; "~*[a-z]:x5cinetpubb" 1;
}
if ($request_uri ~* "!@rx ^404$") {
set $attack_detected 1;
}
if ($request_uri ~* "[a-z]:x5cinetpubb") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_iis) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

46
waf_patterns/nginx/initialization.conf
View File

@ -1,32 +1,20 @@
# Nginx WAF rules for INITIALIZATION # Nginx WAF rules for INITIALIZATION
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "@eq 1") { map $request_uri $waf_block_initialization {
set $attack_detected 1; default 0;
} "~*@eq 100" 1;
"~*@eq 1" 1;
if ($request_uri ~* "@eq 100") { "~*^[a-f]*([0-9])[a-f]*([0-9])" 1;
set $attack_detected 1; "~*^.*$" 1;
} "~*@eq 0" 1;
"~*!@rx (?:URLENCODED|MULTIPART|XML|JSON)" 1;
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx (?:URLENCODED|MULTIPART|XML|JSON)") {
set $attack_detected 1;
}
if ($request_uri ~* "^[a-f]*([0-9])[a-f]*([0-9])") {
set $attack_detected 1;
}
if ($request_uri ~* "^.*$") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_initialization) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

81
waf_patterns/nginx/java.conf
View File

@ -1,60 +1,27 @@
# Nginx WAF rules for JAVA # Nginx WAF rules for JAVA
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "(?:runtime|processbuilder)") { map $request_uri $waf_block_java {
set $attack_detected 1; default 0;
} "~*javab.+(?:runtime|processbuilder)" 1;
"~*(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" 1;
if ($request_uri ~* "java.lang.(?:runtime|processbuilder)") { "~*(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" 1;
set $attack_detected 1; "~*.*.(?:jsp|jspx).*$" 1;
} "~*(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" 1;
"~*(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)" 1;
if ($request_uri ~* "(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)") { "~*(?:runtime|processbuilder)" 1;
set $attack_detected 1; "~*xacxedx00x05" 1;
} "~*(?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)" 1;
"~*(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" 1;
if ($request_uri ~* ".*.(?:jsp|jspx).*$") { "~*java.lang.(?:runtime|processbuilder)" 1;
set $attack_detected 1; "~*(?:rO0ABQ|KztAAU|Cs7QAF)" 1;
} "~*(?:unmarshaller|base64data|java.)" 1;
if ($request_uri ~* "xacxedx00x05") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)") {
set $attack_detected 1;
}
if ($request_uri ~* "javab.+(?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:unmarshaller|base64data|java.)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:rO0ABQ|KztAAU|Cs7QAF)") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_java) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

31
waf_patterns/nginx/leakages.conf
View File

@ -1,20 +1,17 @@
# Nginx WAF rules for LEAKAGES # Nginx WAF rules for LEAKAGES
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)") { map $request_uri $waf_block_leakages {
set $attack_detected 1; default 0;
} "~*^#!s?/" 1;
"~*(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)" 1;
if ($request_uri ~* "^5d{2}$") { "~*^5d{2}$" 1;
set $attack_detected 1;
}
if ($request_uri ~* "^#!s?/") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_leakages) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

21
waf_patterns/nginx/lfi.conf
View File

@ -1,12 +1,15 @@
# Nginx WAF rules for LFI # Nginx WAF rules for LFI
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "(?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))") { map $request_uri $waf_block_lfi {
set $attack_detected 1; default 0;
} "~*(?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))" 1;
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_lfi) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

71
waf_patterns/nginx/php.conf
View File

@ -1,52 +1,25 @@
# Nginx WAF rules for PHP # Nginx WAF rules for PHP
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)") { map $request_uri $waf_block_php {
set $attack_detected 1; default 0;
} "~*(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" 1;
"~*(?i)<?(?:=|php)?s+" 1;
if ($request_uri ~* ".*.ph(?:pd*|tml|ar|ps|t|pt).*$") { "~*(?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])" 1;
set $attack_detected 1; "~*(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" 1;
} "~*(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" 1;
"~*@pm ?>" 1;
if ($request_uri ~* "(?i)<?(?:=|php)?s+") { "~*.*.(?:phpd*|phtml)..*$" 1;
set $attack_detected 1; "~*.*.ph(?:pd*|tml|ar|ps|t|pt).*$" 1;
} "~*AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" 1;
"~*[oOcC]:d+:\".+?\":d+:{.*}" 1;
if ($request_uri ~* ".*.(?:phpd*|phtml)..*$") { "~*@pm =" 1;
set $attack_detected 1;
}
if ($request_uri ~* "@pm =") {
set $attack_detected 1;
}
if ($request_uri ~* "[oOcC]:d+:\".+?\":d+:{.*}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b") {
set $attack_detected 1;
}
if ($request_uri ~* "@pm ?>") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])") {
set $attack_detected 1;
}
if ($request_uri ~* "AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_php) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

116
waf_patterns/nginx/rce.conf
View File

@ -1,88 +1,34 @@
# Nginx WAF rules for RCE # Nginx WAF rules for RCE
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "ba[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-\"%',0-9@-Z_a-z]+=[^sv]") { map $request_uri $waf_block_rce {
set $attack_detected 1; default 0;
} "~*ba[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-\"%',0-9@-Z_a-z]+=[^sv]" 1;
"~*['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]" 1;
if ($request_uri ~* "['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]") { "~*rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)" 1;
set $attack_detected 1; "~*s" 1;
} "~*!(?:d|!)" 1;
"~*^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))" 1;
if ($request_uri ~* "/") { "~*^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])" 1;
set $attack_detected 1; "~*!@rx [0-9]s*'s*[0-9]" 1;
} "~*$(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]" 1;
"~*rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" 1;
if ($request_uri ~* "(?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])") { "~*!-d" 1;
set $attack_detected 1; "~*/(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" 1;
} "~*;[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" 1;
"~*b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))" 1;
if ($request_uri ~* ";[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)") { "~*/" 1;
set $attack_detected 1; "~*(?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" 1;
} "~*(?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? (?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)" 1;
"~*(?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])" 1;
if ($request_uri ~* "/(?:[?*]+[a-z/]+|[a-z/]+[?*]+)") { "~*rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" 1;
set $attack_detected 1; "~*^(s*)s+{" 1;
}
if ($request_uri ~* "(?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))") {
set $attack_detected 1;
}
if ($request_uri ~* "!-d") {
set $attack_detected 1;
}
if ($request_uri ~* "b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])") {
set $attack_detected 1;
}
if ($request_uri ~* "(?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? (?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)") {
set $attack_detected 1;
}
if ($request_uri ~* "^(s*)s+{") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)") {
set $attack_detected 1;
}
if ($request_uri ~* "s") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)") {
set $attack_detected 1;
}
if ($request_uri ~* "$(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)") {
set $attack_detected 1;
}
if ($request_uri ~* "!(?:d|!)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx [0-9]s*'s*[0-9]") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_rce) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

26
waf_patterns/nginx/rfi.conf
View File

@ -1,16 +1,16 @@
# Nginx WAF rules for RFI # Nginx WAF rules for RFI
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "!@endsWith .%{request_headers.host}") { map $request_uri $waf_block_rfi {
set $attack_detected 1; default 0;
} "~*!@endsWith .%{request_headers.host}" 1;
"~*^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})" 1;
if ($request_uri ~* "^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_rfi) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

141
waf_patterns/nginx/shells.conf
View File

@ -1,108 +1,39 @@
# Nginx WAF rules for SHELLS # Nginx WAF rules for SHELLS
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->") { map $request_uri $waf_block_shells {
set $attack_detected 1; default 0;
} "~*^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>" 1;
"~*(<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" 1;
if ($request_uri ~* "^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>") { "~*^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" 1;
set $attack_detected 1; "~*@contains <title>punkholicshell</title>" 1;
} "~*^<html>n<title>.*? ~ Shell I</title>n<head>n<style>" 1;
"~*<title>Mini Shell</title>.*Developed By LameHacker" 1;
if ($request_uri ~* "^ *<html>n[ ]+<head>n[ ]+<title>lostDC -") { "~*<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -" 1;
set $attack_detected 1; "~*^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->" 1;
} "~*^<html>rn<head>rn<title>GRP WebShell [0-9.]+" 1;
"~*<title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" 1;
if ($request_uri ~* "(<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)") { "~*^ *<html>n[ ]+<head>n[ ]+<title>lostDC -" 1;
set $attack_detected 1; "~*<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$" 1;
} "~*>SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" 1;
"~*B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" 1;
if ($request_uri ~* "B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>") { "~*^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>" 1;
set $attack_detected 1; "~*<title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>" 1;
} "~*^<html>rn<head>rn<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">rn<title>PhpSpy Ver [0-9]+</title>" 1;
"~*^<html>n<head>n<title>Ru24PostWebShell -" 1;
if ($request_uri ~* "^<html>rn<head>rn<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">rn<title>PhpSpy Ver [0-9]+</title>") { "~*<title>CasuS [0-9.]+ by MafiABoY</title>" 1;
set $attack_detected 1; "~*@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>" 1;
} "~*^<html>n<head>n<div align=\"left\"><font size=\"1\">Input command :</font></div>n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">" 1;
"~*^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" 1;
if ($request_uri ~* "^<html>rn<head>rn<title>GRP WebShell [0-9.]+") { "~*<title>Symlink_Sa [0-9.]+</title>" 1;
set $attack_detected 1; "~*<title>lama's'hell v. [0-9.]+</title>" 1;
} "~*^ <html>nn<head>nn<title>g00nshell v[0-9.]+" 1;
if ($request_uri ~* "^<html>n<head>n<title>Ru24PostWebShell -") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <title>punkholicshell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>CasuS [0-9.]+ by MafiABoY</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<title>.*? ~ Shell I</title>n<head>n<style>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$") {
set $attack_detected 1;
}
if ($request_uri ~* "^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>") {
set $attack_detected 1;
}
if ($request_uri ~* "^ <html>nn<head>nn<title>g00nshell v[0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<head>n<div align=\"left\"><font size=\"1\">Input command :</font></div>n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>Mini Shell</title>.*Developed By LameHacker") {
set $attack_detected 1;
}
if ($request_uri ~* ">SmEvK_PaThAn Shell v[0-9]+ coded by <a href=") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>Symlink_Sa [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>lama's'hell v. [0-9.]+</title>") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_shells) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

81
waf_patterns/nginx/sql.conf
View File

@ -1,60 +1,27 @@
# Nginx WAF rules for SQL # Nginx WAF rules for SQL
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "(?i)org.hsqldb.jdbc") { map $request_uri $waf_block_sql {
set $attack_detected 1; default 0;
} "~*(?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)" 1;
"~*(?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)" 1;
if ($request_uri ~* "(?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)") { "~*(?i)Dynamic SQL Error" 1;
set $attack_detected 1; "~*(?i)org.hsqldb.jdbc" 1;
} "~*(?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])" 1;
"~*(?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" 1;
if ($request_uri ~* "(?i)Dynamic SQL Error") { "~*(?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)" 1;
set $attack_detected 1; "~*(?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)" 1;
} "~*(?i)Exception (?:condition )?d+. Transaction rollback." 1;
"~*(?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" 1;
if ($request_uri ~* "(?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)") { "~*(?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)" 1;
set $attack_detected 1; "~*(?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" 1;
} "~*(?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" 1;
if ($request_uri ~* "(?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)Exception (?:condition )?d+. Transaction rollback.") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_sql) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

191
waf_patterns/nginx/sqli.conf
View File

@ -1,148 +1,49 @@
# Nginx WAF rules for SQLI # Nginx WAF rules for SQLI
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){12})") { map $request_uri $waf_block_sqli {
set $attack_detected 1; default 0;
} "~*[\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]" 1;
"~*((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){8})" 1;
if ($request_uri ~* "(?:^s*[\"'`;]+|[\"'`]+s*$)") { "~*@streq %{TX.2}" 1;
set $attack_detected 1; "~*!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$" 1;
} "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){12})" 1;
"~*^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" 1;
if ($request_uri ~* "(?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)") { "~*(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" 1;
set $attack_detected 1; "~*(?:^s*[\"'`;]+|[\"'`]+s*$)" 1;
} "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){2})" 1;
"~*((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){6})" 1;
if ($request_uri ~* "(?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)") { "~*(?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)" 1;
set $attack_detected 1; "~*(?i)[\"'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])" 1;
} "~*(?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))" 1;
"~*^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b" 1;
if ($request_uri ~* "^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b") { "~*(?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" 1;
set $attack_detected 1; "~*(?i)W+d*?s*?bhavingbs*?[^s-]" 1;
} "~*(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" 1;
"~*(?i)union.*?select.*?from" 1;
if ($request_uri ~* "(?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}") { "~*!@streq %{TX.2}" 1;
set $attack_detected 1; "~*(?i:^[Wd]+s*?(?:alter|union)b)" 1;
} "~*(?i:b0x[a-fd]{3,})" 1;
"~*(?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]" 1;
if ($request_uri ~* "(?i)W+d*?s*?bhavingbs*?[^s-]") { "~*(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" 1;
set $attack_detected 1; "~*@detectSQLi" 1;
} "~*(?i)1.e[(-),]" 1;
"~*(?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+" 1;
if ($request_uri ~* "W{4}") { "~*^(?:and|or)$" 1;
set $attack_detected 1; "~*(?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" 1;
} "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){3})" 1;
"~*(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b" 1;
if ($request_uri ~* "(?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)") { "~*';" 1;
set $attack_detected 1; "~*^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;" 1;
} "~*(?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" 1;
"~*W{4}" 1;
if ($request_uri ~* "(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b") { "~*(?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" 1;
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:b0x[a-fd]{3,})") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:and|or)$") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){8})") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){6})") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){3})") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;") {
set $attack_detected 1;
}
if ($request_uri ~* "';") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)1.e[(-),]") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@streq %{TX.2}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){2})") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)union.*?select.*?from") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[\"'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:^[Wd]+s*?(?:alter|union)b)") {
set $attack_detected 1;
}
if ($request_uri ~* "@streq %{TX.2}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b") {
set $attack_detected 1;
}
if ($request_uri ~* "[\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]") {
set $attack_detected 1;
}
if ($request_uri ~* "@detectSQLi") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_sqli) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}

141
waf_patterns/nginx/xss.conf
View File

@ -1,108 +1,39 @@
# Nginx WAF rules for XSS # Nginx WAF rules for XSS
location / { # Automatically generated from OWASP rules.
set $attack_detected 0; # Include this file in your server or location block.
if ($request_uri ~* "(?i)<APPLET[s/+>]") { map $request_uri $waf_block_xss {
set $attack_detected 1; default 0;
} "~*(?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b" 1;
"~*(?i)<EMBED[s/+].*?(?:src|type).*?=" 1;
if ($request_uri ~* "(?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)") { "~*(?i)<APPLET[s/+>]" 1;
set $attack_detected 1; "~*xbc[^xbe>]*[xbe>]|<[^xbe]*xbe" 1;
} "~*@detectXSS" 1;
"~*(?i)<LINK[s/+].*?href[s/+]*=" 1;
if ($request_uri ~* "(?i)<script[^>]*>[sS]*?") { "~*(?i:<META[s/+].*?charset[s/+]*=)" 1;
set $attack_detected 1; "~*(?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)" 1;
} "~*<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W" 1;
"~*{{.*?}}" 1;
if ($request_uri ~* "<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W") { "~*(?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=" 1;
set $attack_detected 1; "~*@contains -->" 1;
} "~*(?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)" 1;
"~*(?i)<script[^>]*>[sS]*?" 1;
if ($request_uri ~* "(?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=") { "~*(?i)[s\"'`;/0-9=x0Bx09x0Cx3Bx2Cx28x3B]on[a-zA-Z]{3,25}[sx0Bx09x0Cx3Bx2Cx28x3B]*?=[^=]" 1;
set $attack_detected 1; "~*(?i)<[^0-9<>A-Z_a-z]*(?:[^sv\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[sv/]|[\"'](?:.*[sv/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[x08-nf-r ]*?=" 1;
} "~*(?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" 1;
"~*(?i)[\"'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=" 1;
if ($request_uri ~* "(?i)<LINK[s/+].*?href[s/+]*=") { "~*(?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))" 1;
set $attack_detected 1; "~*(?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)" 1;
} "~*(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=" 1;
"~*<[?]?import[s/+S]*?implementation[s/+]*?=" 1;
if ($request_uri ~* "(?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))") { "~*(?i)<BASE[s/+].*?href[s/+]*=" 1;
set $attack_detected 1; "~*((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`" 1;
} "~*!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" 1;
if ($request_uri ~* "(?i:<META[s/+].*?charset[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[\"'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=") {
set $attack_detected 1;
}
if ($request_uri ~* "xbc[^xbe>]*[xbe>]|<[^xbe]*xbe") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<BASE[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains -->") {
set $attack_detected 1;
}
if ($request_uri ~* "<[?]?import[s/+S]*?implementation[s/+]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "@detectXSS") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[s\"'`;/0-9=x0Bx09x0Cx3Bx2Cx28x3B]on[a-zA-Z]{3,25}[sx0Bx09x0Cx3Bx2Cx28x3B]*?=[^=]") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<[^0-9<>A-Z_a-z]*(?:[^sv\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[sv/]|[\"'](?:.*[sv/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[x08-nf-r ]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "{{.*?}}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<EMBED[s/+].*?(?:src|type).*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
} }
if ($waf_block_xss) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}