# Known attack payload regex patterns
# One pattern per line, these are checked against request parameters and user input
# Lines starting with # are comments
#
# Each pattern is written in PHP delimited-PCRE form (slash delimiters, trailing
# flags such as /i) -- presumably handed to preg_match() by the consumer, which is
# not shown in this file; confirm how a pattern that fails to compile is handled.
# This is a denylist of known payload shapes, not a grammar of valid input: it
# catches the listed spellings only and will also match benign values that happen
# to contain the same substrings. Treat a hit as one signal, and keep the real
# control at the sink (parameterised SQL, per-context output escaping, no shell).
# Only a leading # makes a comment, so a # inside a pattern body is part of the
# pattern (see the SQL comment pattern below).
# Note: .*? does not cross a newline unless the /s flag is present; none of the
# patterns below sets it, so multi-line values are only matched line by line.

# XSS attack patterns
# Pattern for alert/prompt/confirm execution
# NOTE(review): the third alternative "<" duplicates the first; it may have been an
# entity-encoded form (e.g. &lt;) that was decoded when this copy was rendered --
# verify against the original file. Only tags and call names listed here are matched.
/(?:<|%3C|<)(?:script|iframe|svg|img|a).*?(?:alert|prompt|confirm|eval)\s*\(.*?\)/i
# Pattern for script injection (opening <script ...> tag, any encoding listed)
# NOTE(review): same duplicated "<" / ">" alternatives as above -- verify.
/(?:<|%3C|<)script.*?(?:>|%3E|>)/i
# Pattern for event handlers like onerror, onload, etc.
# Matches only the six handler names and four call names listed; the value must
# start with the call name, optionally after one quote character.
/\bon(?:error|load|click|mouseover|focus|blur)\s*=\s*["']?(?:alert|prompt|confirm|eval)/i
# Pattern for javascript: protocol (only when followed by one of the listed calls)
/javascript\s*:\s*(?:alert|prompt|confirm|eval)/i
# Pattern for data URI scheme with script (text/ or application/ javascript|html, base64)
/data\s*:\s*(?:text|application)\/(?:javascript|html).*?base64/i

# SQL Injection patterns
# Pattern for basic SQL injection attempts (quoted OR 'x'='x tautology, single or double quotes)
# [\w\d] is equivalent to [\w] since \w already includes digits; harmless but redundant.
/(?:'\s*OR\s*'[\w\d]+'?\s*=\s*'[\w\d]+)|(?:"\s*OR\s*"[\w\d]+"?\s*=\s*"[\w\d]+")/i
# Pattern for SQL comments immediately followed by a keyword (the # here is a literal, not a comment)
/(?:--|#|\/\*)[^\w\d]*(?:union|select|insert|update|delete|drop|alter)/i
# Pattern for UNION SELECT attempts
/union\s+(?:all\s+)?select/i
# Pattern for SQL batch commands (a semicolon followed by a DDL/DML keyword)
/;\s*(?:drop|alter|create|truncate|rename|insert|update|delete)/i

# Remote file inclusion patterns
# Pattern for external URL inclusion
# False-positive note: this matches any URL-shaped value with one of the listed
# schemes, so parameters that legitimately carry http(s) URLs will trigger it.
/(?:https?|ftp|php|data|file):\/\/[^\s\n"')>]+/i
# Pattern for directory traversal (../ or ..\ in literal or %2f/%5c encoded form;
# \% is just an escaped percent sign)
/(?:\.\.\/|\.\.\\|\.\.\%2f|\.\.\%5c)[^\s\n"')>]+/i
# Pattern for PHP wrapper usage
# Overlaps the external URL pattern above, whose "php" scheme alternative already
# matches php:// followed by any non-space text; kept as a narrower, named match.
/php:\/\/(?:filter|input|memory|output|temp)/i

# Command injection patterns
# Pattern for shell command execution (separator or backtick followed by a listed command name)
# False-positive note: the command names are not word-bounded, so a query string
# whose parameter name starts with one of them after "&" (constructed example:
# "&cat=" or "&echo=") also matches. Consider whether a trailing \b is wanted.
/[;&|`]\s*(?:ls|cat|cd|pwd|echo|rm|cp|mv|sudo|chmod|chown|wget|curl)/i
# Pattern for command substitution ($(...) or `...`)
/\$\([^\)]*\)|`[^`]*`/i
# Pattern for direct system command injection (listed PHP function names followed by "(")
# Matches the bare words anywhere, including prose or code samples submitted as text.
/system\s*\(|exec\s*\(|shell_exec\s*\(|passthru\s*\(|eval\s*\(/i

# Local file inclusion patterns
# Pattern for path traversal (a separator, ".." or its encoded form, then a well-known directory name)
# False-positive note: the names are prefix matches, so ordinary paths containing
# /home, /var or /root* segments also trigger this.
/(?:\/|\\|\.\.|%2f|%5c)(?:etc|bin|usr|home|var|root|windows|system32)/i
# Pattern for sensitive file access (separator then a well-known file name)
# False-positive note: "config" is a prefix match and will hit any /config... path.
/(?:\/|\\|\.\.|%2f|%5c)(?:passwd|shadow|hosts|config|wp-config|web\.config)/i

# XML/XXE injection patterns
# NOTE(review): the line below appears truncated in this copy -- it begins with a
# "?" quantifier that has nothing to repeat, which PCRE rejects at compile time,
# and the "]" has no opening "[". Restore the full pattern from the source file
# (see TODO: <original XXE pattern>) before relying on this entry; as written it
# likely fails to compile rather than matching anything.
/?]{10,}/