diff --git a/owasp_rules.json b/owasp_rules.json
index 874a6c9..25979f7 100644
--- a/owasp_rules.json
+++ b/owasp_rules.json
@@ -119,6 +119,382 @@ "category": "INITIALIZATION", "pattern": "@lt %{tx.blocking_paranoia_level}" }, + { + "category": "FIXATION", + "pattern": "@lt 1" + }, + { + "category": "FIXATION", + "pattern": "@lt 1" + }, + { + "category": "FIXATION", + "pattern": "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" + }, + { + "category": "FIXATION", + "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" + }, + { + "category": "FIXATION", + "pattern": "@rx ^(?:ht|f)tps?://(.*?)/" + }, + { + "category": "FIXATION", + "pattern": "!@endsWith %{request_headers.host}" + }, + { + "category": "FIXATION", + "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" + }, + { + "category": "FIXATION", + "pattern": "@eq 0" + }, + { + "category": "FIXATION", + "pattern": "@lt 2" + }, + { + "category": "FIXATION", + "pattern": "@lt 2" + }, + { + "category": "FIXATION", + "pattern": "@lt 3" + }, + { + "category": "FIXATION", + "pattern": "@lt 3" + }, + { + "category": "FIXATION", + "pattern": "@lt 4" + }, + { + "category": "FIXATION", + "pattern": "@lt 4" + }, + { + "category": "JAVA", + "pattern": "@lt 1" + }, + { + "category": "JAVA", + "pattern": "@lt 1" + }, + { + "category": "JAVA", + "pattern": "@pmFromFile java-code-leakages.data" + }, + { + "category": "JAVA", + "pattern": "@pmFromFile java-errors.data" + }, + { + "category": "JAVA", + "pattern": "@lt 2" + }, + { + "category": "JAVA", + "pattern": "@lt 2" + }, + { + "category": "JAVA", + "pattern": "@lt 3" + }, + { + "category": "JAVA", + "pattern": "@lt 3" + }, + { + "category": "JAVA", + "pattern": "@lt 4" + }, + { + "category": "JAVA", + "pattern": "@lt 4" + }, + { + "category": "EVALUATION", + "pattern": "@ge 1" + }, + { + "category": "EVALUATION", + "pattern": "@ge 1" + }, + { + 
"category": "EVALUATION", + "pattern": "@ge 2" + }, + { + "category": "EVALUATION", + "pattern": "@ge 2" + }, + { + "category": "EVALUATION", + "pattern": "@ge 3" + }, + { + "category": "EVALUATION", + "pattern": "@ge 3" + }, + { + "category": "EVALUATION", + "pattern": "@ge 4" + }, + { + "category": "EVALUATION", + "pattern": "@ge 4" + }, + { + "category": "EVALUATION", + "pattern": "@ge 1" + }, + { + "category": "EVALUATION", + "pattern": "@ge 1" + }, + { + "category": "EVALUATION", + "pattern": "@ge 2" + }, + { + "category": "EVALUATION", + "pattern": "@ge 2" + }, + { + "category": "EVALUATION", + "pattern": "@ge 3" + }, + { + "category": "EVALUATION", + "pattern": "@ge 3" + }, + { + "category": "EVALUATION", + "pattern": "@ge 4" + }, + { + "category": "EVALUATION", + "pattern": "@ge 4" + }, + { + "category": "EVALUATION", + "pattern": "@ge %{tx.inbound_anomaly_score_threshold}" + }, + { + "category": "EVALUATION", + "pattern": "@eq 1" + }, + { + "category": "EVALUATION", + "pattern": "@ge %{tx.inbound_anomaly_score_threshold}" + }, + { + "category": "EVALUATION", + "pattern": "@lt 1" + }, + { + "category": "EVALUATION", + "pattern": "@lt 1" + }, + { + "category": "EVALUATION", + "pattern": "@lt 2" + }, + { + "category": "EVALUATION", + "pattern": "@lt 2" + }, + { + "category": "EVALUATION", + "pattern": "@lt 3" + }, + { + "category": "EVALUATION", + "pattern": "@lt 3" + }, + { + "category": "EVALUATION", + "pattern": "@lt 4" + }, + { + "category": "EVALUATION", + "pattern": "@lt 4" + }, + { + "category": "SQL", + "pattern": "@lt 1" + }, + { + "category": "SQL", + "pattern": "@lt 1" + }, + { + "category": "SQL", + "pattern": "!@pmFromFile sql-errors.data" + }, + { + "category": "SQL", + "pattern": "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])" + }, + { + "category": "SQL", + "pattern": "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" + }, + { + 
"category": "SQL", + "pattern": "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()" + }, + { + "category": "SQL", + "pattern": "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)" + }, + { + "category": "SQL", + "pattern": "@rx (?i)Dynamic SQL Error" + }, + { + "category": "SQL", + "pattern": "@rx (?i)Exception (?:condition )?d+. Transaction rollback." + }, + { + "category": "SQL", + "pattern": "@rx (?i)org.hsqldb.jdbc" + }, + { + "category": "SQL", + "pattern": "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)" + }, + { + "category": "SQL", + "pattern": "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)" + }, + { + "category": "SQL", + "pattern": "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" + }, + { + "category": "SQL", + "pattern": "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" + }, + { + "category": "SQL", + "pattern": "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? 
to data type int.)" + }, + { + "category": "SQL", + "pattern": "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[(-)_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):" + }, + { + "category": "SQL", + "pattern": "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)() [:|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" + }, + { + "category": "SQL", + "pattern": "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)" + }, + { + "category": "SQL", + "pattern": "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" + }, + { + "category": "SQL", + "pattern": "@lt 2" + }, + { + "category": "SQL", + "pattern": "@lt 2" + }, + { + "category": "SQL", + "pattern": "@lt 3" + }, + { + "category": "SQL", + "pattern": "@lt 3" + }, + { + "category": "SQL", + "pattern": "@lt 4" + }, + { + "category": "SQL", + "pattern": "@lt 4" + }, + { + "category": "ATTACK", + "pattern": "!@eq 0" + }, + { + "category": "ATTACK", + "pattern": "!@within |%{tx.allowed_request_content_type_charset}|" + }, + { + "category": "ATTACK", + "pattern": "@rx ^content-types*:s*(.*)$" + }, + { + "category": "ATTACK", + "pattern": "!@rx ^(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv 
-\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" + }, + { + "category": "ATTACK", + "pattern": "@rx content-transfer-encoding:(.*)" + }, + { + "category": "LFI", + "pattern": "@lt 1" + }, + { + "category": "LFI", + "pattern": "@lt 1" + }, + { + "category": "LFI", + "pattern": "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" + }, + { + "category": "LFI", + "pattern": "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))" + }, + { + "category": "LFI", + "pattern": "@pmFromFile lfi-os-files.data" + }, + { + "category": "LFI", + "pattern": "@pmFromFile restricted-files.data" + }, + { + "category": "LFI", + "pattern": "@lt 2" + }, + { + "category": "LFI", + "pattern": "@lt 2" + }, + { + "category": "LFI", + "pattern": "@pmFromFile lfi-os-files.data" + }, + { + "category": "LFI", + "pattern": "@lt 3" + }, + { + "category": "LFI", + "pattern": "@lt 3" + 
}, + { + "category": "LFI", + "pattern": "@lt 4" + }, + { + "category": "LFI", + "pattern": "@lt 4" + }, { "category": "EXCEPTIONS", "pattern": "@streq GET /" 
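Review bot: The `@rx` values added in this hunk appear to have lost every backslash except the JSON `\"` escapes, so the regexes no longer mean what the source rules meant. In the SQL entries, `(?i)Exception (?:condition )?d+. Transaction rollback.` now requires literal `d` characters where a digit class was presumably intended, and `[Microsoft][ODBC Microsoft Access Driver]` parses as two character classes instead of literal bracketed text, so it misses the real error string and can match unrelated output. The same loss is visible in the FIXATION, ATTACK and LFI entries of this hunk and in the other hunks of the file (`^5d{2}$`, `d{1,3}.d{1,3}`). The extractor should keep the backslashes and let the JSON serializer escape them, presumably giving `"pattern": "@rx (?i)Exception (?:condition )?\\d+\\. Transaction rollback\\."`. A load-time check that compiles every `@rx` value would catch a regression.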
@@ -140,107 +516,39 @@ "pattern": "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$" }, { - "category": "RFI", + "category": "ENFORCEMENT", "pattern": "@lt 1" }, { - "category": "RFI", + "category": "ENFORCEMENT", "pattern": "@lt 1" }, { - "category": "RFI", - "pattern": "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})" + "category": "ENFORCEMENT", + "pattern": "!@within %{tx.allowed_methods}" }, { - "category": "RFI", - "pattern": "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://" - }, - { - "category": "RFI", - "pattern": "@rx ^(?i:file|ftps?|https?).*??+$" - }, - { - "category": "RFI", + "category": "ENFORCEMENT", "pattern": "@lt 2" }, { - "category": "RFI", + "category": "ENFORCEMENT", "pattern": "@lt 2" }, { - "category": "RFI", - "pattern": "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" - }, - { - "category": "RFI", - "pattern": "!@endsWith .%{request_headers.host}" - }, - { - "category": "RFI", - "pattern": "@rx 
(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" - }, - { - "category": "RFI", - "pattern": "!@endsWith .%{request_headers.host}" - }, - { - "category": "RFI", + "category": "ENFORCEMENT", "pattern": "@lt 3" }, { - "category": "RFI", + "category": "ENFORCEMENT", "pattern": "@lt 3" }, { - "category": "RFI", + "category": "ENFORCEMENT", "pattern": "@lt 4" }, { - "category": "RFI", - "pattern": "@lt 4" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 1" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 1" - }, - { - "category": "LEAKAGES", - "pattern": "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
)" - }, - { - "category": "LEAKAGES", - "pattern": "@rx ^#!s?/" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 2" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 2" - }, - { - "category": "LEAKAGES", - "pattern": "@rx ^5d{2}$" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 3" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 3" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 4" - }, - { - "category": "LEAKAGES", + "category": "ENFORCEMENT", "pattern": "@lt 4" }, { 
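Review bot: Eight of the nine ENFORCEMENT entries on the new side are bare numeric comparisons (`@lt 1` to `@lt 4`, each twice) that look like paranoia-level gates, not detection patterns. If consumers treat every entry as a signature, the only one in this block that carries a check is `{ "category": "ENFORCEMENT", "pattern": "!@within %{tx.allowed_methods}" }`, and its `%{tx.allowed_methods}` macro has no value defined in this file. The hunk also only relabels existing entries from RFI/LEAKAGES to ENFORCEMENT while the same patterns reappear in the next hunk, which suggests the category order is not stable between generator runs (inferred, the generator is not shown). Emitting entries in a fixed order, for example sorted by category, would keep future diffs limited to real rule changes and make a modified pattern visible in review.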
@@ -376,639 +684,279 @@ "pattern": "@lt 4" }, { - "category": "ATTACK", - "pattern": "!@eq 0" - }, - { - "category": "ATTACK", - "pattern": "!@within |%{tx.allowed_request_content_type_charset}|" - }, - { - "category": "ATTACK", - "pattern": "@rx ^content-types*:s*(.*)$" - }, - { - "category": "ATTACK", - "pattern": "!@rx ^(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" - }, - { - "category": "ATTACK", - "pattern": "@rx content-transfer-encoding:(.*)" - }, - { - "category": "ATTACK", + "category": "XSS", "pattern": "@lt 1" }, { - "category": "ATTACK", + "category": "XSS", "pattern": "@lt 1" }, { - "category": "ATTACK", - "pattern": "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" + "category": "XSS", + "pattern": "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" }, { - "category": "ATTACK", - "pattern": "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" + "category": "XSS", + "pattern": "@detectXSS" }, { - "category": "ATTACK", - "pattern": "@rx (?:bhttp/d|<(?:html|meta)b)" + "category": "XSS", + "pattern": "@rx (?i)]*>[sS]*?" 
}, { - "category": "ATTACK", - "pattern": "@rx [nr]" + "category": "XSS", + "pattern": "@rx (?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b" }, { - "category": "ATTACK", - "pattern": "@rx [nr]" + "category": "XSS", + "pattern": "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript" }, { - "category": "ATTACK", - "pattern": "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" + "category": "XSS", + "pattern": "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sv\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[sv/]|[\"'](?:.*[
sv/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|
update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[x08-nf-r ]*?=" }, { - "category": "ATTACK", - "pattern": "@rx [nr]" + "category": "XSS", + "pattern": "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[\"']|W*?uW*?rW*?l[sS]*?()|[^-]*?-W*?mW*?oW*?zW*?-W*?bW*?iW*?nW*?dW*?iW*?nW*?g[^:]*?:W*?uW*?rW*?l[sS]*?(" }, { - "category": "ATTACK", - "pattern": "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" + "category": "XSS", + "pattern": "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding " + }, + { + "category": "XSS", + "pattern": "@rx 
<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W" + }, + { + "category": "XSS", + "pattern": "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)" + }, + { + "category": "XSS", + "pattern": "@rx (?i)[\"'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=" + }, + { + "category": "XSS", + "pattern": "@rx {{.*?}}" + }, + { + "category": "XSS", "pattern": "@lt 3" }, { - "category": "ATTACK", + "category": "XSS", "pattern": "@lt 3" }, { - "category": "ATTACK", - "pattern": "@gt 0" - }, - { - "category": "ATTACK", - "pattern": "@rx ." 
- }, - { - "category": "ATTACK", - "pattern": "@gt 1" - }, - { - "category": "ATTACK", - "pattern": "@rx TX:paramcounter_(.*)" - }, - { - "category": "ATTACK", - "pattern": "@rx (][^]]+$|][^]]+[)" - }, - { - "category": "ATTACK", + "category": "XSS", "pattern": "@lt 4" }, { - "category": "ATTACK", + "category": "XSS", "pattern": "@lt 4" }, { - "category": "ATTACK", - "pattern": "@rx [" - }, - { - "category": "ENFORCEMENT", + "category": "RFI", "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", + "category": "RFI", "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", - "pattern": "!@within %{tx.allowed_methods}" + "category": "RFI", + "pattern": "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})" }, { - "category": "ENFORCEMENT", + "category": "RFI", + "pattern": "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://" + }, + { + "category": "RFI", + "pattern": "@rx ^(?i:file|ftps?|https?).*??+$" + }, + { + "category": "RFI", "pattern": "@lt 2" }, { - "category": "ENFORCEMENT", + "category": "RFI", "pattern": "@lt 2" }, { - "category": "ENFORCEMENT", + "category": "RFI", + "pattern": "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" + }, + { + "category": "RFI", + "pattern": "!@endsWith .%{request_headers.host}" + 
}, + { + "category": "RFI", + "pattern": "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" + }, + { + "category": "RFI", + "pattern": "!@endsWith .%{request_headers.host}" + }, + { + "category": "RFI", "pattern": "@lt 3" }, { - "category": "ENFORCEMENT", + "category": "RFI", "pattern": "@lt 3" }, { - "category": "ENFORCEMENT", + "category": "RFI", "pattern": "@lt 4" }, { - "category": "ENFORCEMENT", + "category": "RFI", "pattern": "@lt 4" }, { - "category": "JAVA", + "category": "LEAKAGES", "pattern": "@lt 1" }, { - "category": "JAVA", + "category": "LEAKAGES", "pattern": "@lt 1" }, { - "category": "JAVA", - "pattern": "@pmFromFile java-code-leakages.data" + "category": "LEAKAGES", + "pattern": "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
)" }, { - "category": "JAVA", - "pattern": "@pmFromFile java-errors.data" + "category": "LEAKAGES", + "pattern": "@rx ^#!s?/" }, { - "category": "JAVA", + "category": "LEAKAGES", "pattern": "@lt 2" }, { - "category": "JAVA", + "category": "LEAKAGES", "pattern": "@lt 2" }, { - "category": "JAVA", + "category": "LEAKAGES", + "pattern": "@rx ^5d{2}$" + }, + { + "category": "LEAKAGES", "pattern": "@lt 3" }, { - "category": "JAVA", + "category": "LEAKAGES", "pattern": "@lt 3" }, { - "category": "JAVA", + "category": "LEAKAGES", "pattern": "@lt 4" }, { - "category": "JAVA", - "pattern": "@lt 4" - }, - { - "category": "FIXATION", - "pattern": "@lt 1" - }, - { - "category": "FIXATION", - "pattern": "@lt 1" - }, - { - "category": "FIXATION", - "pattern": "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" - }, - { - "category": "FIXATION", - "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" - }, - { - "category": "FIXATION", - "pattern": "@rx ^(?:ht|f)tps?://(.*?)/" - }, - { - "category": "FIXATION", - "pattern": "!@endsWith %{request_headers.host}" - }, - { - "category": "FIXATION", - "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" - }, - { - "category": "FIXATION", - "pattern": "@eq 0" - }, - { - "category": "FIXATION", - "pattern": "@lt 2" - }, - { - "category": "FIXATION", - "pattern": "@lt 2" - }, - { - "category": "FIXATION", - "pattern": "@lt 3" - }, - { - "category": "FIXATION", - "pattern": "@lt 3" - }, - { - "category": "FIXATION", - "pattern": "@lt 4" - }, - { - "category": "FIXATION", - "pattern": "@lt 4" - }, - { - "category": "PHP", - "pattern": "@lt 1" - }, - { - "category": "PHP", - "pattern": "@lt 1" - }, - { - "category": "PHP", - "pattern": "@pmFromFile php-errors.data" - }, - { - "category": "PHP", - 
"pattern": "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" - }, - { - "category": "PHP", - "pattern": "@rx (?i)Warning: ibase_|Unexpected end of command in statement)" - }, - { - "category": "SQL", - "pattern": "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" - }, - { - "category": "SQL", - "pattern": "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? 
to data type int.)" - }, - { - "category": "SQL", - "pattern": "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[(-)_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):" - }, - { - "category": "SQL", - "pattern": "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)() [:|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" - }, - { - "category": "SQL", - "pattern": "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)" - }, - { - "category": "SQL", - "pattern": "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" - }, - { - "category": "SQL", - "pattern": "@lt 2" - }, - { - "category": "SQL", - "pattern": "@lt 2" - }, - { - "category": "SQL", - "pattern": "@lt 3" - }, - { - "category": "SQL", - "pattern": "@lt 3" - }, - { - "category": "SQL", - "pattern": "@lt 4" - }, - { - "category": "SQL", - "pattern": "@lt 4" - }, - { - "category": "LFI", - "pattern": "@lt 1" - }, - { - "category": "LFI", - "pattern": "@lt 1" - }, - { - "category": "LFI", - "pattern": "@rx 
(?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" - }, - { - "category": "LFI", - "pattern": "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))" - }, - { - "category": "LFI", - "pattern": "@pmFromFile lfi-os-files.data" - }, - { - "category": "LFI", - "pattern": "@pmFromFile restricted-files.data" - }, - { - "category": "LFI", - "pattern": "@lt 2" - }, - { - "category": "LFI", - "pattern": "@lt 2" - }, - { - "category": "LFI", - "pattern": "@pmFromFile lfi-os-files.data" - }, - { - "category": "LFI", - "pattern": "@lt 3" - }, - { - "category": "LFI", - "pattern": "@lt 3" - }, - { - "category": "LFI", - "pattern": "@lt 4" - }, - { - "category": "LFI", - "pattern": "@lt 4" - }, - { - "category": "GENERIC", - "pattern": "@lt 1" - }, - { - "category": "GENERIC", - "pattern": "@lt 1" - }, - { - "category": "GENERIC", - "pattern": "@rx 
_(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[[\"'`](?:debug|error|info|trace|warn)[\"'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]])" - }, - { - "category": "GENERIC", - "pattern": "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" - }, - { - "category": "GENERIC", - "pattern": "@pmFromFile ssrf.data" - }, - { - "category": "GENERIC", - "pattern": "@rx (?:__proto__|constructors*(?:.|[)s*prototype)" - }, - { - "category": "GENERIC", - "pattern": "@rx Process[sv]*.[sv]*spawn[sv]*(" - }, - { - "category": "GENERIC", - "pattern": "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new 
[A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)" - }, - { - "category": "GENERIC", - "pattern": "@rx ^data:(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*" - }, - { - "category": "GENERIC", - "pattern": "@lt 2" - }, - { - "category": "GENERIC", - "pattern": "@lt 2" - }, - { - "category": "GENERIC", - "pattern": "@rx 
(?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))" - }, - { - "category": "GENERIC", - "pattern": "@rx [s*constructors*]" - }, - { - "category": "GENERIC", - "pattern": "@rx @{.*}" - }, - { - "category": "GENERIC", - "pattern": "@lt 3" - }, - { - "category": "GENERIC", - "pattern": "@lt 3" - }, - { - "category": "GENERIC", - "pattern": "@lt 4" - }, - { - "category": "GENERIC", - "pattern": "@lt 4" - }, - { - "category": "EVALUATION", - "pattern": "@ge 1" - }, - { - "category": "EVALUATION", - "pattern": "@ge 1" - }, - { - "category": "EVALUATION", - "pattern": "@ge 2" - }, - { - "category": "EVALUATION", - "pattern": "@ge 2" - }, - { - "category": "EVALUATION", - "pattern": "@ge 3" - }, - { - "category": "EVALUATION", - "pattern": "@ge 3" - }, - { - "category": "EVALUATION", - "pattern": "@ge 4" - }, - { - "category": "EVALUATION", - "pattern": "@ge 4" - }, - { - "category": "EVALUATION", - "pattern": "@ge 1" - }, - { - "category": "EVALUATION", - 
"pattern": "@ge 1" - }, - { - "category": "EVALUATION", - "pattern": "@ge 2" - }, - { - "category": "EVALUATION", - "pattern": "@ge 2" - }, - { - "category": "EVALUATION", - "pattern": "@ge 3" - }, - { - "category": "EVALUATION", - "pattern": "@ge 3" - }, - { - "category": "EVALUATION", - "pattern": "@ge 4" - }, - { - "category": "EVALUATION", - "pattern": "@ge 4" - }, - { - "category": "EVALUATION", - "pattern": "@ge %{tx.inbound_anomaly_score_threshold}" - }, - { - "category": "EVALUATION", - "pattern": "@eq 1" - }, - { - "category": "EVALUATION", - "pattern": "@ge %{tx.inbound_anomaly_score_threshold}" - }, - { - "category": "EVALUATION", - "pattern": "@lt 1" - }, - { - "category": "EVALUATION", - "pattern": "@lt 1" - }, - { - "category": "EVALUATION", - "pattern": "@lt 2" - }, - { - "category": "EVALUATION", - "pattern": "@lt 2" - }, - { - "category": "EVALUATION", - "pattern": "@lt 3" - }, - { - "category": "EVALUATION", - "pattern": "@lt 3" - }, - { - "category": "EVALUATION", - "pattern": "@lt 4" - }, - { - "category": "EVALUATION", + "category": "LEAKAGES", "pattern": "@lt 4" }, { 
@@ -1532,364 +1480,180 @@ "pattern": "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" }, { - "category": "XSS", + "category": "GENERIC", "pattern": "@lt 1" }, { - "category": "XSS", + "category": "GENERIC", "pattern": "@lt 1" }, { - "category": "XSS", - "pattern": "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" + "category": "GENERIC", + "pattern": "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[[\"'`](?:debug|error|info|trace|warn)[\"'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]])" }, { - "category": "XSS", - "pattern": "@detectXSS" + "category": "GENERIC", + "pattern": "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" }, { - "category": "XSS", - "pattern": 
"@rx (?i)]*>[sS]*?" + "category": "GENERIC", + "pattern": "@pmFromFile ssrf.data" }, { - "category": "XSS", - "pattern": "@rx (?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b" + "category": "GENERIC", + "pattern": "@rx (?:__proto__|constructors*(?:.|[)s*prototype)" }, { - "category": "XSS", - "pattern": "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript" + "category": "GENERIC", + "pattern": "@rx Process[sv]*.[sv]*spawn[sv]*(" }, { - "category": "XSS", - "pattern": "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sv\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[sv/]|[\"'](?:.*[sv/])?)(?:background|formac
tion|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|upd
ate)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[x08-nf-r ]*?=" + "category": "GENERIC", + "pattern": "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)" }, { - "category": "XSS", - "pattern": "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[\"']|W*?uW*?rW*?l[sS]*?()|[^-]*?-W*?mW*?oW*?zW*?-W*?bW*?iW*?nW*?dW*?iW*?nW*?g[^:]*?:W*?uW*?rW*?l[sS]*?(" + "category": "GENERIC", + "pattern": "@rx ^data:(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv 
-\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*" }, { - "category": "XSS", - "pattern": "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding " - }, - { - "category": "XSS", - "pattern": "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W" - }, - { - "category": "XSS", - "pattern": "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)" - }, - { - "category": "XSS", - "pattern": "@rx (?i)[\"'][ 
]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=" - }, - { - "category": "XSS", - "pattern": "@rx {{.*?}}" - }, - { - "category": "XSS", + "category": "GENERIC", "pattern": "@lt 3" }, { - "category": "XSS", + "category": "GENERIC", "pattern": "@lt 3" }, { - "category": "XSS", + "category": "GENERIC", "pattern": "@lt 4" }, { - "category": "XSS", + "category": "GENERIC", "pattern": "@lt 4" }, { - "category": "IIS", + "category": "ATTACK", "pattern": "@lt 1" }, { - "category": "IIS", + "category": "ATTACK", "pattern": "@lt 1" }, { - "category": "IIS", - "pattern": "@rx [a-z]:x5cinetpubb" + "category": "ATTACK", + "pattern": "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" }, { - "category": "IIS", - "pattern": "@rx (?:Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error.

|cannot connect to the server: timed out)" + "category": "ATTACK", + "pattern": "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" }, { - "category": "IIS", - "pattern": "@pmFromFile iis-errors.data" + "category": "ATTACK", + "pattern": "@rx (?:bhttp/d|<(?:html|meta)b)" }, { - "category": "IIS", - "pattern": "!@rx ^404$" + "category": "ATTACK", + "pattern": "@rx [nr]" }, { - "category": "IIS", - "pattern": "@rx bServer Error in.{0,50}?bApplicationb" + "category": "ATTACK", + "pattern": "@rx [nr]" }, { - "category": "IIS", + "category": "ATTACK", + "pattern": "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" + }, + { + "category": "ATTACK", + "pattern": "@rx [nr]" + }, + { + "category": "ATTACK", + "pattern": "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" + }, + { + "category": "ATTACK", + "pattern": "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" + }, + { + "category": "ATTACK", + "pattern": "@rx unix:[^|]*|" + }, + { + "category": "ATTACK", "pattern": "@lt 2" }, { - "category": "IIS", + "category": "ATTACK", "pattern": "@lt 2" }, { - "category": "IIS", + "category": "ATTACK", + "pattern": "@rx [nr]" + }, + { + "category": "ATTACK", + "pattern": "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" + }, + { + "category": "ATTACK", "pattern": "@lt 3" }, { - "category": "IIS", + "category": "ATTACK", "pattern": "@lt 3" }, { - "category": "IIS", + "category": "ATTACK", + "pattern": "@gt 0" + }, + { + "category": "ATTACK", + "pattern": "@rx ." 
+ }, + { + "category": "ATTACK", + "pattern": "@gt 1" + }, + { + "category": "ATTACK", + "pattern": "@rx TX:paramcounter_(.*)" + }, + { + "category": "ATTACK", + "pattern": "@rx (][^]]+$|][^]]+[)" + }, + { + "category": "ATTACK", "pattern": "@lt 4" }, { - "category": "IIS", + "category": "ATTACK", "pattern": "@lt 4" }, { - "category": "SHELLS", - "pattern": "@lt 1" - }, - { - "category": "SHELLS", - "pattern": "@lt 1" - }, - { - "category": "SHELLS", - "pattern": "@pmFromFile web-shells-php.data" - }, - { - "category": "SHELLS", - "pattern": "@rx (r57 Shell Version [0-9.]+|r57 shell)" - }, - { - "category": "SHELLS", - "pattern": "@rx ^.*? - WSO [0-9.]+" - }, - { - "category": "SHELLS", - "pattern": "@rx B4TM4N SH3LL.*" - }, - { - "category": "SHELLS", - "pattern": "@rx Mini Shell.*Developed By LameHacker" - }, - { - "category": "SHELLS", - "pattern": "@rx .:: .* ~ Ashiyane V [0-9.]+ ::." - }, - { - "category": "SHELLS", - "pattern": "@rx Symlink_Sa [0-9.]+" - }, - { - "category": "SHELLS", - "pattern": "@rx CasuS [0-9.]+ by MafiABoY" - }, - { - "category": "SHELLS", - "pattern": "@rx ^rnrnGRP WebShell [0-9.]+" - }, - { - "category": "SHELLS", - "pattern": "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$" - }, - { - "category": "SHELLS", - "pattern": "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -" - }, - { - "category": "SHELLS", - "pattern": "@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell" - }, - { - "category": "SHELLS", - "pattern": "@rx lama's'hell v. [0-9.]+" - }, - { - "category": "SHELLS", - "pattern": "@rx ^ *n[ ]+n[ ]+lostDC -" - }, - { - "category": "SHELLS", - "pattern": "@rx ^<title>PHP Web Shellrnrnrn " - }, - { - "category": "SHELLS", - "pattern": "@rx ^nn
Input command :
n
" - }, - { - "category": "SHELLS", - "pattern": "@rx ^nnRu24PostWebShell -" - }, - { - "category": "SHELLS", - "pattern": "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King" - }, - { - "category": "SHELLS", - "pattern": "@rx ^rnrnrnPhpSpy Ver [0-9]+" - }, - { - "category": "SHELLS", - "pattern": "@rx ^ nnnng00nshell v[0-9.]+" - }, - { - "category": "SHELLS", - "pattern": "@contains <title>punkholicshell" - }, - { - "category": "SHELLS", - "pattern": "@rx ^n n azrail [0-9.]+ by C-W-M" - }, - { - "category": "SHELLS", - "pattern": "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by n.*? ~ Shell Inn