# Nginx WAF Maps Definitions
# Automatically generated from OWASP rules.
http {
map $request_uri $waf_block_correlation {
default 0;
"~*@gt\ 0" 1;
"~*@ge\ %\{tx\.inbound_anomaly_score_threshold\}" 1;
"~*@eq\ 0" 1;
"~*@ge\ 5" 1;
"~*@ge\ %\{tx\.outbound_anomaly_score_threshold\}" 1;
}
map $request_uri $waf_block_fixation {
default 0;
"~*\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" 1;
"~*@eq\ 0" 1;
"~*\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" 1;
"~*\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" 1;
"~*!@endsWith\ %\{request_headers\.host\}" 1;
}
map $request_uri $waf_block_rfi {
default 0;
"~*\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" 1;
"~*!@endsWith\ \.%\{request_headers\.host\}" 1;
}
map $request_uri $waf_block_rce {
default 0;
"~*!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" 1;
"~*\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" 1;
"~*/" 1;
"~*!\-d" 1;
"~*;\[sv\]\*\.\[sv\]\*\[\"'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" 1;
"~*\^\(s\*\)s\+\{" 1;
"~*\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \[\"\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \[\"\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \[\"\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ \"\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}\"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" 1;
"~*\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" 1;
"~*\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" 1;
"~*\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" 1;
"~*b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" 1;
"~*!\(\?:d\|!\)" 1;
"~*rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" 1;
"~*rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" 1;
"~*\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" 1;
"~*\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" 1;
"~*s" 1;
"~*ba\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-\"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" 1;
"~*/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" 1;
"~*rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" 1;
}
map $request_uri $waf_block_attack {
default 0;
"~*@gt\ 0" 1;
"~*\." 1;
"~*TX:paramcounter_\(\.\*\)" 1;
"~*content\-transfer\-encoding:\(\.\*\)" 1;
"~*\[nr\]" 1;
"~*\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" 1;
"~*@gt\ 1" 1;
"~*\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" 1;
"~*unix:\[\^\|\]\*\|" 1;
"~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" 1;
"~*\^content\-types\*:s\*\(\.\*\)\$" 1;
"~*\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" 1;
"~*\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" 1;
"~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" 1;
}
map $request_uri $waf_block_enforcement {
default 0;
"~*\^\[\^;s\]\+" 1;
"~*!@rx\ \^d\+\$" 1;
"~*@eq\ 0" 1;
"~*@validateByteRange\ 32\-36,38\-126" 1;
"~*@eq\ 1" 1;
"~*@validateUtf8Encoding" 1;
"~*\(d\+\)\-\(d\+\)" 1;
"~*@endsWith\ \.pdf" 1;
"~*@gt\ %\{tx\.arg_name_length\}" 1;
"~*\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" 1;
"~*@streq\ POST" 1;
"~*!@endsWith\ \.pdf" 1;
"~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" 1;
"~*@ge\ 1" 1;
"~*@gt\ 0" 1;
"~*@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" 1;
"~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" 1;
"~*!@pm\ AppleWebKit\ Android" 1;
"~*@gt\ %\{tx\.max_file_size\}" 1;
"~*@gt\ 1" 1;
"~*!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['\"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" 1;
"~*@gt\ 50" 1;
"~*\^\.\*\$" 1;
"~*\(\?i\)x5cu\[0\-9a\-f\]\{4\}" 1;
"~*!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" 1;
"~*%\[0\-9a\-fA\-F\]\{2\}" 1;
"~*\.\(\[\^\.\]\+\)\$" 1;
"~*@gt\ %\{tx\.arg_length\}" 1;
"~*!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" 1;
"~*\^\(\?:GET\|HEAD\)\$" 1;
"~*!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" 1;
"~*@contains\ \#" 1;
"~*@gt\ %\{tx\.max_num_args\}" 1;
"~*@validateUrlEncoding" 1;
"~*\['\";=\]" 1;
"~*@within\ %\{tx\.restricted_headers_basic\}" 1;
"~*@gt\ %\{tx\.combined_file_sizes\}" 1;
"~*b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" 1;
"~*!@rx\ \^OPTIONS\$" 1;
"~*!@rx\ \^0\$" 1;
"~*\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" 1;
"~*@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" 1;
"~*@within\ %\{tx\.restricted_extensions\}" 1;
"~*@gt\ %\{tx\.total_arg_length\}" 1;
"~*!@rx\ \^0\?\$" 1;
"~*\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" 1;
"~*@validateByteRange\ 9,10,13,32\-126,128\-255" 1;
"~*@validateByteRange\ 1\-255" 1;
"~*!@streq\ JSON" 1;
"~*%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" 1;
"~*charsets\*=s\*\[\"'\]\?\(\[\^;\"'s\]\+\)" 1;
"~*\^\$" 1;
"~*charset\.\*\?charset" 1;
"~*@within\ %\{tx\.restricted_headers_extended\}" 1;
"~*x25" 1;
}
map $request_uri $waf_block_php {
default 0;
"~*\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" 1;
"~*\(\?i\)<\?\(\?:=\|php\)\?s\+" 1;
"~*\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" 1;
"~*\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" 1;
"~*\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" 1;
"~*AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" 1;
"~*\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" 1;
"~*\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" 1;
"~*@pm\ \?>" 1;
"~*@pm\ =" 1;
"~*\[oOcC\]:d\+:\"\.\+\?\":d\+:\{\.\*\}" 1;
}
map $request_uri $waf_block_evaluation {
default 0;
"~*@ge\ %\{tx\.inbound_anomaly_score_threshold\}" 1;
"~*@eq\ 1" 1;
"~*@ge\ %\{tx\.outbound_anomaly_score_threshold\}" 1;
"~*@ge\ 3" 1;
"~*@ge\ 2" 1;
"~*@ge\ 4" 1;
"~*@ge\ 1" 1;
}
map $request_uri $waf_block_java {
default 0;
"~*\(\?:runtime\|processbuilder\)" 1;
"~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" 1;
"~*xacxedx00x05" 1;
"~*javab\.\+\(\?:runtime\|processbuilder\)" 1;
"~*\.\*\.\(\?:jsp\|jspx\)\.\*\$" 1;
"~*\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" 1;
"~*\(\?:unmarshaller\|base64data\|java\.\)" 1;
"~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1;
"~*\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" 1;
"~*\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" 1;
"~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1;
"~*\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" 1;
"~*java\.lang\.\(\?:runtime\|processbuilder\)" 1;
}
map $request_uri $waf_block_initialization {
default 0;
"~*!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" 1;
"~*@eq\ 0" 1;
"~*@eq\ 100" 1;
"~*@eq\ 1" 1;
"~*\^\.\*\$" 1;
"~*\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" 1;
}
map $request_uri $waf_block_shells {
default 0;
"~*CasuS\ \[0\-9\.\]\+\ by\ MafiABoY" 1;
"~*\^nnRu24PostWebShell\ \-" 1;
"~*<title>Symlink_Sa\ \[0\-9\.\]\+" 1;
"~*Mini\ Shell\.\*Developed\ By\ LameHacker" 1;
"~*>SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ lama's'hell\ v\.\ \[0\-9\.\]\+" 1;
"~*@contains\ webadmin\.php" 1;
"~*\^\.\*\?\ \-\ WSO\ \[0\-9\.\]\+" 1;
"~*@contains\ punkholicshell" 1;
"~*\^nnInput\ command\ :n" 1;
"~*\(r57\ Shell\ Version\ \[0\-9\.\]\+\|r57\ shell\)" 1;
"~*\^nnWeb\ Shell" 1;
"~*SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" 1;
"~*\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" 1;
"~*\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::" 1;
"~*\^rnrnrnPhpSpy\ Ver\ \[0\-9\]\+" 1;
"~*\^n\.\*\?\ \~\ Shell\ Inn