External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update: [Fri Jan 10 00:27:14 UTC 2025]

Browse Source
This commit is contained in:
github-actions[bot]
2025-01-10 00:27:14 +00:00
parent 0c41e95847
commit c68f9937e8
40 changed files with 3401 additions and 3401 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
waf_patterns/nginx/xss.conf
View File

@@ -2,19 +2,7 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "{{.*?}}") {
set $attack_detected 1;
}
if ($request_uri ~* "xbc[^xbe>]*[xbe>]|<[^xbe]*xbe") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<META[s/+].*?charset[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<script[^>]*>[sS]*?") {
if ($request_uri ~* "(?i)<APPLET[s/+>]") {
set $attack_detected 1;
}
@@ -22,11 +10,23 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)") {
if ($request_uri ~* "@contains -->") {
set $attack_detected 1;
}
if ($request_uri ~* "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122") {
if ($request_uri ~* "(?i)[\"'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<script[^>]*>[sS]*?") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=") {
set $attack_detected 1;
}
@@ -34,7 +34,43 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[\"'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=") {
if ($request_uri ~* "(?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<META[s/+].*?charset[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<LINK[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "<[?]?import[s/+S]*?implementation[s/+]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "{{.*?}}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<BASE[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
@@ -46,11 +82,7 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "<[?]?import[s/+S]*?implementation[s/+]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)") {
if ($request_uri ~* "(?i)<EMBED[s/+].*?(?:src|type).*?=") {
set $attack_detected 1;
}
@@ -58,47 +90,15 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=") {
if ($request_uri ~* "(?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)") {
if ($request_uri ~* "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains -->") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<APPLET[s/+>]") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<BASE[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<LINK[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<EMBED[s/+].*?(?:src|type).*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))") {
if ($request_uri ~* "xbc[^xbe>]*[xbe>]|<[^xbe]*xbe") {
set $attack_detected 1;
}