# Apache ModSecurity rules for XSS
SecRuleEngine On

SecRule REQUEST_URI "\(\?i\)<LINK\[s/\+\]\.\*\?href\[s/\+\]\*=" "id:1011,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?:xbcs\*/s\*\[\^xbe>\]\*\[xbe>\]\)\|\(\?:<s\*/s\*\[\^xbe\]\*xbe\)" "id:1016,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i:<META\[s/\+\]\.\*\?http\-equiv\[s/\+\]\*=\[s/\+\]\*\["'`\]\?\(\?:\(\?:c\|\&\#x\?0\*\(\?:67\|43\|99\|63\);\?\)\|\(\?:r\|\&\#x\?0\*\(\?:82\|52\|114\|72\);\?\)\|\(\?:s\|\&\#x\?0\*\(\?:83\|53\|115\|73\);\?\)\)\)" "id:1009,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "!@validateByteRange\ 20,\ 45\-47,\ 48\-57,\ 65\-90,\ 95,\ 97\-122" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\[\^\]\]\*\]\[\^\.\]\*\.\)\|Reflect\[\^\.\]\*\.\)\.\*\(\?:map\|sort\|apply\)\[\^\.\]\*\.\.\*call\[\^`\]\*`\.\*`" "id:1017,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)<script\[\^>\]\*>\[sS\]\*\?" "id:1002,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\{\{\.\*\?\}\}" "id:1025,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i:\["'\]\[\ \]\*\(\?:\[\^a\-z0\-9\~_:'\ \]\|in\)\.\*\?\(\?:\(\?:l\|x5cu006C\)\(\?:o\|x5cu006F\)\(\?:c\|x5cu0063\)\(\?:a\|x5cu0061\)\(\?:t\|x5cu0074\)\(\?:i\|x5cu0069\)\(\?:o\|x5cu006F\)\(\?:n\|x5cu006E\)\|\(\?:n\|x5cu006E\)\(\?:a\|x5cu0061\)\(\?:m\|x5cu006D\)\(\?:e\|x5cu0065\)\|\(\?:o\|x5cu006F\)\(\?:n\|x5cu006E\)\(\?:e\|x5cu0065\)\(\?:r\|x5cu0072\)\(\?:r\|x5cu0072\)\(\?:o\|x5cu006F\)\(\?:r\|x5cu0072\)\|\(\?:v\|x5cu0076\)\(\?:a\|x5cu0061\)\(\?:l\|x5cu006C\)\(\?:u\|x5cu0075\)\(\?:e\|x5cu0065\)\(\?:O\|x5cu004F\)\(\?:f\|x5cu0066\)\)\.\*\?=\)" "id:1023,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i:<style\.\*\?>\.\*\?\(\?:@\[ix5c\]\|\(\?:\[:=\]\|\&\#x\?0\*\(\?:58\|3A\|61\|3D\);\?\)\.\*\?\(\?:\[\(x5c\]\|\&\#x\?0\*\(\?:40\|28\|92\|5C\);\?\)\)\)" "id:1005,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@contains\ \-\->" "id:1021,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@detectXSS" "id:1001,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)\["'\]\[\ \]\*\(\?:\[\^a\-z0\-9\~_:'\ \]\|in\)\.\+\?\[\.\]\.\+\?=" "id:1024,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)\.\(\?:b\(\?:x\(\?:link:href\|html\|mlns\)\|data:text/html\|formaction\|patternb\.\*\?=\)\|!ENTITY\[sv\]\+\(\?:%\[sv\]\+\)\?\[\^sv\]\+\[sv\]\+\(\?:SYSTEM\|PUBLIC\)\|@import\|;base64\)b" "id:1003,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)<BASE\[s/\+\]\.\*\?href\[s/\+\]\*=" "id:1012,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i:<\.\*\[:\]\?vmlframe\.\*\?\[s/\+\]\*\?src\[s/\+\]\*=\)" "id:1006,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)<OBJECT\[s/\+\]\.\*\?\(\?:type\|codetype\|classid\|code\|data\)\[s/\+\]\*=" "id:1014,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "xbc\[\^xbe>\]\*\[xbe>\]\|<\[\^xbe\]\*xbe" "id:1015,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)\[s"'`;/0\-9=x0Bx09x0Cx3Bx2Cx28x3B\]on\[a\-zA\-Z\]\{3,25\}\[sx0Bx09x0Cx3Bx2Cx28x3B\]\*\?=\[\^=\]" "id:1019,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)<\[\^0\-9<>A\-Z_a\-z\]\*\(\?:\[\^sv"'<>\]\*:\)\?\[\^0\-9<>A\-Z_a\-z\]\*\[\^0\-9A\-Z_a\-z\]\*\?\(\?:s\[\^0\-9A\-Z_a\-z\]\*\?\(\?:c\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?t\|t\[\^0\-9A\-Z_a\-z\]\*\?y\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\|v\[\^0\-9A\-Z_a\-z\]\*\?g\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9>A\-Z_a\-z\]\)\|f\[\^0\-9A\-Z_a\-z\]\*\?o\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?m\|m\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?q\[\^0\-9A\-Z_a\-z\]\*\?u\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?e\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:l\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?k\|o\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?j\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?c\[\^0\-9A\-Z_a\-z\]\*\?t\|e\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?d\|a\[\^0\-9A\-Z_a\-z\]\*\?\(\?:p\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?t\|u\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?o\|n\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?e\)\|p\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\|i\?\[\^0\-9A\-Z_a\-z\]\*\?f\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?e\|b\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?s\[\^0\-9A\-Z_a\-z\]\*\?e\|o\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?y\|i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?s\)\|i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\?\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?e\?\|v\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?o\)\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:<\[0\-9A\-Z_a\-z\]\.\*\[sv/\]\|\["'\]\(\?:\.\*\[sv/\]\)\?\)\(\?:background\|formaction\|lowsrc\|on\(\?:a\(\?:bort\|ctivate\|d\(\?:apteradded\|dtrack\)\|fter\(\?:print\|\(\?:scriptexecu\|upda\)te\)\|lerting\|n\(\?:imation\(\?:cancel\|end\|iteration\|start\)\|tennastatechange\)\|ppcommand\|u\(\?:dio\(\?:end\|process\|start\)\|xclick\)\)\|b\(\?:e\(\?:fore\(\?:\(\?:\(\?:\(\?:de\)\?activa\|scriptexecu\)t\|toggl\)e\|c\(\?:opy\|ut\)\|editfocus\|input\|p\(\?:aste\|rint\)\|u\(\?:nload\|pdate\)\)\|gin\(\?:Event\)\?\)\|l\(\?:ocked\|ur\)\|oun\(\?:ce\|dary\)\|roadcast\|usy\)\|c\(\?:a\(\?:\(\?:ch\|llschang\)ed\|nplay\(\?:through\)\?\|rdstatechange\)\|\(\?:ell\|fstate\)change\|h\(\?:a\(\?:rging\(\?:time\)\?cha\)\?nge\|ecking\)\|l\(\?:ick\|ose\)\|o\(\?:m\(\?:mand\(\?:update\)\?\|p\(\?:lete\|osition\(\?:end\|start\|update\)\)\)\|n\(\?:nect\(\?:ed\|ing\)\|t\(\?:extmenu\|rolselect\)\)\|py\)\|u\(\?:echange\|t\)\)\|d\(\?:ata\(\?:\(\?:availabl\|chang\)e\|error\|setc\(\?:hanged\|omplete\)\)\|blclick\|e\(\?:activate\|livery\(\?:error\|success\)\|vice\(\?:found\|light\|\(\?:mo\|orienta\)tion\|proximity\)\)\|i\(\?:aling\|s\(\?:abled\|c\(\?:hargingtimechange\|onnect\(\?:ed\|ing\)\)\)\)\|o\(\?:m\(\?:a\(\?:ctivate\|ttrmodified\)\|\(\?:characterdata\|subtree\)modified\|focus\(\?:in\|out\)\|mousescroll\|node\(\?:inserted\(\?:intodocument\)\?\|removed\(\?:fromdocument\)\?\)\)\|wnloading\)\|r\(\?:ag\(\?:drop\|e\(\?:n\(\?:d\|ter\)\|xit\)\|\(\?:gestur\|leav\)e\|over\|start\)\|op\)\|urationchange\)\|e\(\?:mptied\|n\(\?:abled\|d\(\?:ed\|Event\)\?\|ter\)\|rror\(\?:update\)\?\|xit\)\|f\(\?:ailed\|i\(\?:lterchange\|nish\)\|o\(\?:cus\(\?:in\|out\)\?\|rm\(\?:change\|input\)\)\|ullscreenchange\)\|g\(\?:amepad\(\?:axismove\|button\(\?:down\|up\)\|\(\?:dis\)\?connected\)\|et\)\|h\(\?:ashchange\|e\(\?:adphoneschange\|l\[dp\]\)\|olding\)\|i\(\?:cc\(\?:cardlockerror\|infochange\)\|n\(\?:coming\|put\|valid\)\)\|key\(\?:down\|press\|up\)\|l\(\?:evelchange\|o\(\?:ad\(\?:e\(\?:d\(\?:meta\)\?data\|nd\)\|start\)\?\|secapture\)\|y\)\|m\(\?:ark\|essage\|o\(\?:use\(\?:down\|enter\|\(\?:lea\|mo\)ve\|o\(\?:ut\|ver\)\|up\|wheel\)\|ve\(\?:end\|start\)\?\|z\(\?:a\(\?:fterpaint\|udioavailable\)\|\(\?:beforeresiz\|orientationchang\|t\(\?:apgestur\|imechang\)\)e\|\(\?:edgeui\(\?:c\(\?:ancel\|omplet\)\|start\)e\|network\(\?:down\|up\)loa\)d\|fullscreen\(\?:change\|error\)\|m\(\?:agnifygesture\(\?:start\|update\)\?\|ouse\(\?:hittest\|pixelscroll\)\)\|p\(\?:ointerlock\(\?:change\|error\)\|resstapgesture\)\|rotategesture\(\?:start\|update\)\?\|s\(\?:crolledareachanged\|wipegesture\(\?:end\|start\|update\)\?\)\)\)\)\|no\(\?:match\|update\)\|o\(\?:\(\?:bsolet\|\(\?:ff\|n\)lin\)e\|pen\|verflow\(\?:changed\)\?\)\|p\(\?:a\(\?:ge\(\?:hide\|show\)\|int\|\(\?:st\|us\)e\)\|lay\(\?:ing\)\?\|o\(\?:inter\(\?:down\|enter\|\(\?:\(\?:lea\|mo\)v\|rawupdat\)e\|o\(\?:ut\|ver\)\|up\)\|p\(\?:state\|up\(\?:hid\(\?:den\|ing\)\|show\(\?:ing\|n\)\)\)\)\|ro\(\?:gress\|pertychange\)\)\|r\(\?:atechange\|e\(\?:adystatechange\|ceived\|movetrack\|peat\(\?:Event\)\?\|quest\|s\(\?:et\|ize\|u\(\?:lt\|m\(\?:e\|ing\)\)\)\|trieving\)\|ow\(\?:e\(\?:nter\|xit\)\|s\(\?:delete\|inserted\)\)\)\|s\(\?:croll\(\?:end\)\?\|e\(\?:arch\|ek\(\?:complete\|ed\|ing\)\|lect\(\?:ionchange\|start\)\?\|n\(\?:ding\|t\)\|t\)\|how\|\(\?:ound\|peech\)\(\?:end\|start\)\|t\(\?:a\(\?:lled\|rt\|t\(\?:echange\|uschanged\)\)\|k\(\?:comma\|sessione\)nd\|op\)\|u\(\?:bmit\|ccess\|spend\)\|vg\(\?:abort\|error\|\(\?:un\)\?load\|resize\|scroll\|zoom\)\)\|t\(\?:ext\|ime\(\?:out\|update\)\|o\(\?:ggle\|uch\(\?:cancel\|en\(\?:d\|ter\)\|\(\?:lea\|mo\)ve\|start\)\)\|ransition\(\?:cancel\|end\|run\|start\)\)\|u\(\?:n\(\?:derflow\|handledrejection\|load\)\|p\(\?:dateready\|gradeneeded\)\|s\(\?:erproximity\|sdreceived\)\)\|v\(\?:ersion\|o\(\?:ic\|lum\)e\)change\|w\(\?:a\(\?:it\|rn\)ing\|ebkit\(\?:animation\(\?:end\|iteration\|start\)\|transitionend\)\|heel\)\|zoom\)\|ping\|s\(\?:rc\|tyle\)\)\[x08\-nf\-r\ \]\*\?=" "id:1004,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i:<META\[s/\+\]\.\*\?charset\[s/\+\]\*=\)" "id:1010,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)b\(\?:s\(\?:tyle\|rc\)\|href\)b\[sS\]\*\?=" "id:1020,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)<APPLET\[s/\+>\]" "id:1013,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "@detectXSS" "id:1018,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "\(\?i\)<EMBED\[s/\+\]\.\*\?\(\?:src\|type\)\.\*\?=" "id:1007,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "<\[\?\]\?import\[s/\+S\]\*\?implementation\[s/\+\]\*\?=" "id:1008,phase:1,deny,status:403,log,msg:'xss attack detected'"
SecRule REQUEST_URI "<\(\?:a\|abbr\|acronym\|address\|applet\|area\|audioscope\|b\|base\|basefront\|bdo\|bgsound\|big\|blackface\|blink\|blockquote\|body\|bq\|br\|button\|caption\|center\|cite\|code\|col\|colgroup\|comment\|dd\|del\|dfn\|dir\|div\|dl\|dt\|em\|embed\|fieldset\|fn\|font\|form\|frame\|frameset\|h1\|head\|hr\|html\|i\|iframe\|ilayer\|img\|input\|ins\|isindex\|kdb\|keygen\|label\|layer\|legend\|li\|limittext\|link\|listing\|map\|marquee\|menu\|meta\|multicol\|nobr\|noembed\|noframes\|noscript\|nosmartquotes\|object\|ol\|optgroup\|option\|p\|param\|plaintext\|pre\|q\|rt\|ruby\|s\|samp\|script\|select\|server\|shadow\|sidebar\|small\|spacer\|span\|strike\|strong\|style\|sub\|sup\|table\|tbody\|td\|textarea\|tfoot\|th\|thead\|title\|tr\|tt\|u\|ul\|var\|wbr\|xml\|xmp\)W" "id:1022,phase:1,deny,status:403,log,msg:'xss attack detected'"