patterns/waf_patterns/nginx/xss.conf

# Nginx WAF rules for XSS
location / {
    set $attack_detected 0;

    if ($request_uri ~* "@lt 1") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 1") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@detectXSS") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)<script[^>]*>[sS]*?") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sv") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)<EMBED[s/+].*?(?:src|type).*?=") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx <[?]?import[s/+S]*?implementation[s/+]*?=") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i:<META[s/+].*?charset[s/+]*=)") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)<LINK[s/+].*?href[s/+]*=") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)<BASE[s/+].*?href[s/+]*=") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)<APPLET[s/+>]") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx xbc[^xbe>]*[xbe>]|<[^xbe]*xbe") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx +ADw-.*(?:+AD4-|>)|<.*+AD4-") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx ![!+ ][]") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?:self|document|this|top|window)s*(?:/*|[[)]).+?(?:]|*/)") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)b(?:eval|set(?:timeout|interval)|new[sv]+Function|a(?:lert|tob)|btoa|prompt|confirm)[sv]*(") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx ((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 2") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 2") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@detectXSS") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)[s") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)b(?:s(?:tyle|rc)|href)b[sS]*?=") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@contains -->") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i:[") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)[") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx {{.*?}}") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 3") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 3") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 4") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 4") {
        set $attack_detected 1;
    }

    if ($attack_detected = 1) {
        return 403;
    }
}