Edit file File name : REQUEST-942-APPLICATION-ATTACK-SQLI.conf Content :# ------------------------------------------------------------------------ # OWASP CRS ver.4.7.0-dev # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2024 CRS project. All rights reserved. # # The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # # References: # # SQL Injection Knowledgebase (via @LightOS) - # http://websec.ca/kb/sql_injection # # SQLi Filter Evasion Cheat Sheet - # http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/ # # SQL Injection Cheat Sheet - # http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ # # SQLMap's Tamper Scripts (for evasions) # https://github.com/sqlmapproject/sqlmap # # # -=[ LibInjection Check ]=- # # There is a stricter sibling of this rule at 942101. It covers REQUEST_BASENAME and REQUEST_FILENAME. # # Ref: https://github.com/libinjection/libinjection # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \ "id:942100,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\ msg:'SQL Injection Attack Detected via libinjection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" # # -=[ Detect DB Names ]=- # # Regular expression generated from regex-assembly/942140.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942140 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*\(|(?:information_schema|m(?:aster\.\.sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql\.db)|northwind|pg_(?:catalog|toast)|tempdb)\b|s(?:chema(?:_name\b|[^0-9A-Z_a-z]*\()|(?:qlite_(?:temp_)?master|ys(?:aux|\.database_name))\b))" \ "id:942140,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack: Common DB Names Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ SQL Function Names ]=- # # This rule has a stricter sibling to this rule (942152) that checks for SQL function names in # request headers referer and user-agent. # # Regular expression generated from regex-assembly/942151.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942151 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \ "id:942151,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack: SQL function name detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ PHPIDS - Converted SQLI Filters ]=- # # https://raw.githubusercontent.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.xml # # The rule 942160 prevents time-based blind SQL injection attempts # by prohibiting sleep() or benchmark(,) functions: # # * The sleep command takes a number of seconds as an argument. # * The benchmark command executes the specified expression multiple times. # # Using a long sleep time or high number of executions, you can create a delay # with the response from the server. This allows to determine whether the # query has been executed or not. A high response time proves that the SQLi # worked successfully. It can now be equipped with the real payload. # # Therefore this rule does not prevent the attack itself, but blocks an # attacker from using the standard utils to tinker with blind SQLi. # # A positive side effect is that it prevents certain DoS attacks via the directives # described above. # SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:sleep\(\s*?\d*?\s*?\)|benchmark\(.*?\,.*?\))" \ "id:942160,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ t:replaceComments,\ msg:'Detects blind sqli tests using sleep() or benchmark()',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942170.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942170 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:select|;)[\s\x0b]+(?:benchmark|if|sleep)[\s\x0b]*?\([\s\x0b]*?\(?[\s\x0b]*?[0-9A-Z_a-z]+" \ "id:942170,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942190.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942190 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`](?:[\s\x0b]*![\s\x0b]*[\"'0-9A-Z_-z]|;?[\s\x0b]*(?:having|select|union\b[\s\x0b]*(?:all|(?:distin|sele)ct))\b[\s\x0b]*[^\s\x0b])|\b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[\s\x0b]*?|select.*?[0-9A-Z_a-z]?user)\(|exec(?:ute)?[\s\x0b]+master\.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[\s\x0b\+]+(?:dump|out)file[\s\x0b]*?[\"'`]|union(?:[\s\x0b]select[\s\x0b]@|[\s\x0b\(0-9A-Z_a-z]*?select))|[\s\x0b]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[\s\x0b]*?\(" \ "id:942190,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:removeCommentsChar,\ msg:'Detects MSSQL code execution and information gathering attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Magic number crash in PHP strtod from 2011: # https://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" \ "id:942220,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \"magic number\" crash',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942230.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942230 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\(\)]case[\s\x0b]+when.*?then|\)[\s\x0b]*?like[\s\x0b]*?\(|select.*?having[\s\x0b]*?[^\s\x0b]+[\s\x0b]*?[^\s\x0b0-9A-Z_a-z]|if[\s\x0b]?\([0-9A-Z_a-z]+[\s\x0b]*?[<->~]" \ "id:942230,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects conditional SQL injection attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942240.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942240 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)alter[\s\x0b]*?[0-9A-Z_a-z]+.*?char(?:acter)?[\s\x0b]+set[\s\x0b]+[0-9A-Z_a-z]+|[\"'`](?:;*?[\s\x0b]*?waitfor[\s\x0b]+(?:time|delay)[\s\x0b]+[\"'`]|;.*?:[\s\x0b]*?goto)" \ "id:942240,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL charset switch and MSSQL DoS attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:merge.*?using\s*?\(|execute\s*?immediate\s*?[\"'`]|match\s*?[\w(),+-]+\s*?against\s*?\()" \ "id:942250,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)union.*?select.*?from" \ "id:942270,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942280.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942280 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)select[\s\x0b]*?pg_sleep|waitfor[\s\x0b]*?delay[\s\x0b]?[\"'`]+[\s\x0b]?[0-9]|;[\s\x0b]*?shutdown[\s\x0b]*?(?:[#;\{]|/\*|--)" \ "id:942280,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942290.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942290 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\[?\$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)\]?" \ "id:942290,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Finds basic MongoDB SQL injection attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule has a stricter sibling (942321) that checks for MySQL and PostgreSQL procedures / functions in # request headers referer and user-agent. # # Regular expression generated from regex-assembly/942320.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942320 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\x0b]+(?:function|procedure)[\s\x0b]*?[0-9A-Z_a-z]+[\s\x0b]*?\([\s\x0b]*?\)[\s\x0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\s\x0b]*?[0-9A-Z_a-z]+|iv[\s\x0b]*?\([\+\-]*[\s\x0b\.0-9]+,[\+\-]*[\s\x0b\.0-9]+\))|exec[\s\x0b]*?\([\s\x0b]*?@|(?:lo_(?:impor|ge)t|procedure[\s\x0b]+analyse)[\s\x0b]*?\(|;[\s\x0b]*?(?:declare|open)[\s\x0b]+[\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\s\x0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" \ "id:942320,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL and PostgreSQL stored procedure/function injections',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942350.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942350 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\x0b]+function[\s\x0b].+[\s\x0b]returns|;[\s\x0b]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\b[\s\x0b]*?[\(\[]?[0-9A-Z_a-z]{2,}" \ "id:942350,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule has two stricter sibling: 942361 and 942362. # The keywords 'alter' and 'union' led to false positives. # Therefore they have been moved to PL2 and the keywords have been extended on PL1. # The original version also had loose word boundaries and context checksum cause further false positives. # Because fixing those introduced bypass, the original variant was moved to PL2 as 942362. # # Sources for SQL ALTER statements: # MySQL: https://dev.mysql.com/doc/refman/5.7/en/sql-syntax-data-definition.html # Oracle/PLSQL: https://docs.oracle.com/search/?q=alter&size=60&category=database # PostgreQSL: https://www.postgresql.org/search/?u=%2Fdocs&q=alter # MSSQL: https://learn.microsoft.com/en-us/sql/t-sql/statements/statements?view=sql-server-ver16 # DB2: https://www.ibm.com/docs/en/search/alter?scope=SSEPGG_9.5.0 # # Regular expression generated from regex-assembly/942360.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942360 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\s\x0b]+(?:char|group_concat|load_file)\b[\s\x0b]*\(?|end[\s\x0b]*?\);)|[\s\x0b\(]load_file[\s\x0b]*?\(|[\"'`][\s\x0b]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][\s\x0b]+as\b[\s\x0b]*[\"'0-9A-Z_-z]+[\s\x0b]*\bfrom|^[^A-Z_a-z]+[\s\x0b]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\x0b]+[0-9A-Z_a-z]+|u(?:pdate[\s\x0b]+[0-9A-Z_a-z]+|nion[\s\x0b]*(?:all|(?:sele|distin)ct)\b)|alter[\s\x0b]*(?:a(?:(?:ggregat|pplication[\s\x0b]*rol)e|s(?:sembl|ymmetric[\s\x0b]*ke)y|u(?:dit|thorization)|vailability[\s\x0b]*group)|b(?:roker[\s\x0b]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\s\x0b]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\s\x0b]*group|in)))|m(?:a(?:s(?:k|ter[\s\x0b]*key)|terialized)|e(?:ssage[\s\x0b]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\s\x0b]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\s\x0b]*schema|srobject))\b)" \ "id:942360,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects concatenated basic SQL injection and SQLLFI attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ Detect MySQL in-line comments ]=- # # MySQL in-line comments can be used to bypass SQLi detection. # # Ref: https://dev.mysql.com/doc/refman/8.0/en/comments.html: # SELECT /*! STRAIGHT_JOIN */ col1 FROM table1,table2 WHERE ... # CREATE TABLE t1(a INT, KEY (a)) /*!50110 KEY_BLOCK_SIZE=1024 */; # SELECT /*+ BKA(t1) */ FROM ... ; # # http://localhost/test.php?id=9999+or+{if+length((/*!5000select+username/*!50000from*/user+where+id=1))>0} # # The minimal string that triggers this regexp is: /*!*/ or /*+*/. # The rule 942500 is related to 942440 which catches both /*! and */ independently. # # Regular expression generated from regex-assembly/942500.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942500 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)/\*[\s\x0b]*?[!\+](?:[\s\x0b\(\)\-0-9=A-Z_a-z]+)?\*/" \ "id:942500,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'MySQL in-line comment detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule catches an authentication bypass via SQL injection that abuses semi-colons to end the SQL query early. # Any characters after the semi-colon are ignored by some DBMSes (e.g. SQLite). # # An example of this would be: # email=admin%40juice-sh.op';&password=foo # # The server then turns this into: # SELECT * FROM users WHERE email='admin@juice-sh.op';' AND password='foo' # # Regular expression generated from regex-assembly/942540.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942540 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?:[^']*'|[^\"]*\"|[^`]*`)[\s\x0b]*;" \ "id:942540,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:replaceComments,\ msg:'SQL Authentication bypass (split query)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS',\ tag:'paranoia-level/1',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule catches on Scientific Notation bypass payloads in MySQL # Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md#scientific-notation # # Regular expression generated from regex-assembly/942560.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942560 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)1\.e[\(\),]" \ "id:942560,\ phase:2,\ block,\ t:none,t:urlDecodeUni,t:replaceComments,\ msg:'MySQL Scientific Notation payload detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule tries to match JSON SQL syntax that could be used as a bypass technique. # Referring to this research: https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf # # Regular expression generated from regex-assembly/942550.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942550 # SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\[\{].*[\]\}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)[\"'`][\[\{].*[\]\}][\"'`]|json_extract.*\(.*\)" \ "id:942550,\ phase:2,\ block,\ t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace,\ msg:'JSON-Based SQL Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # # # -=[ SQL Operators ]=- # # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # # Regular expression generated from regex-assembly/942120.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942120 # SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=>]|<(?:<|=>?|>(?:[\s\x0b]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[\s\x0b]*\()|r(?:egexp|like)[\s\x0b]+binary|not[\s\x0b]+between[\s\x0b]+(?:0[\s\x0b]+and|(?:'[^']*'|\"[^\"]*\")[\s\x0b]+and[\s\x0b]+(?:'[^']*'|\"[^\"]*\"))|is[\s\x0b]+null|like[\s\x0b]+(?:null|[0-9A-Z_a-z]+[\s\x0b]+escape\b)|(?:^|[^0-9A-Z_a-z])in[\s\x0b\+]*\([\s\x0b\"0-9]+[^\(\)]*\)|[!<->]{1,2}[\s\x0b]*all\b" \ "id:942120,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,\ msg:'SQL Injection Attack: SQL Operator Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Tautologies ]=- # # Boolean-based SQL injection or tautology attack. Boolean values (True or False) are used to carry out # this type of SQL injection. The malicious SQL query forces the web application to return a different result de- # pending on whether the query returns a TRUE or FALSE result. # # The original 942130 was split in two rules: # - 942130 targets tautologies using equalities (e.g. 1 = 1) # - 942131 targets tautologies using inequalities (e.g. 1 != 2) # # We use captures to check for (in)equality in the regexp. So TX.1 will capture the left hand side (LHS) of the inequality, # and TX.2 will capture the right hand side (RHS) of the logical query. # # Regular expression generated from regex-assembly/942130.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942130 # SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\x0b\"'-\)`]*?(?:=|<=>|(?:sounds[\s\x0b]+)?like|glob|r(?:like|egexp))[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b" \ "id:942130,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:replaceComments,\ msg:'SQL Injection Attack: SQL Boolean-based attack detected',\ logdata:'Matched Data: %{TX.0} found within %{TX.942130_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.942130_matched_var_name=%{matched_var_name}',\ chain" SecRule TX:1 "@streq %{TX.2}" \ "t:none,\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Rule Targeting logical inequalities that return TRUE (e.g. 1 != 2) # # # We use captures to check for (in)equality in the regexp. So TX.1 will capture the left hand side (LHS) of the inequality, # and TX.2 will capture the right hand side (RHS) of the logical query. # # Regular expression generated from regex-assembly/942131.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942131 # SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\x0b\"'-\)`]*?(?:![<->]|<[=>]?|>=?|\^|is[\s\x0b]+not|not[\s\x0b]+(?:like|r(?:like|egexp)))[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b" \ "id:942131,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:replaceComments,\ msg:'SQL Injection Attack: SQL Boolean-based attack detected',\ logdata:'Matched Data: %{TX.0} found within %{TX.942131_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.942131_matched_var_name=%{matched_var_name}',\ chain" SecRule TX:1 "!@streq %{TX.2}" \ "t:none,\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Function Names ]=- # # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # # Regular expression generated from regex-assembly/942150.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942150 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*\(" \ "id:942150,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack: SQL function name detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Authentication Bypasses ]=- # # Authentication bypass occurs when the attacker can log in as another user # without knowing the user's password. The example bypass could look like this: # # x' OR 'x # # Because of the quantity of different rules they are split into: # - 942540 PL1 # - 942180 PL2 # - 942260 PL2 # - 942340 PL2 # - 942520 PL2 # - 942521 PL2 # - 942522 PL2 # Regular expression generated from regex-assembly/942180.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942180 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:/\*)+[\"'`]+[\s\x0b]?(?:--|[#\{]|/\*)?|[\"'`](?:[\s\x0b]*(?:(?:x?or|and|div|like|between)[\s\x0b\-0-9A-Z_a-z]+[\(\)\+-\-<->][\s\x0b]*[\"'0-9`]|[!=\|](?:[\s\x0b!\+\-0-9=]+.*?[\"'\(`].*?|[\s\x0b!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'\(0-9A-Z_-z]|;)|(?:[<>~]+|[\s\x0b]*[^\s\x0b0-9A-Z_a-z]?=[\s\x0b]*|[^0-9A-Z_a-z]*?[\+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][\s\x0b]+[\"'`][\s\x0b]+[0-9]|^admin[\s\x0b]*?[\"'`]|[\s\x0b\"'\(`][\s\x0b]*?glob[^0-9A-Z_a-z]+[\"'\(0-9A-Z_-z]|[\s\x0b]is[\s\x0b]*?0[^0-9A-Z_a-z]|where[\s\x0b][\s\x0b,-\.0-9A-Z_a-z]+[\s\x0b]=" \ "id:942180,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL authentication bypass attempts 1/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # # Regular expression generated from regex-assembly/942200.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942200 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i),.*?[\"'\)0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\x0b]*?\([\s\x0b]*?space[\s\x0b]*?\(" \ "id:942200,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # # Regular expression generated from regex-assembly/942210.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942210 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:&&|\|\||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[\s\x0b\(]+[0-9A-Z_a-z]+[\s\x0b\)]*?[!\+=]+[\s\x0b0-9]*?[\"'-\)=`]|[0-9](?:[\s\x0b]*?(?:and|between|div|like|x?or)[\s\x0b]*?[0-9]+[\s\x0b]*?[\+\-]|[\s\x0b]+group[\s\x0b]+by.+\()|/[0-9A-Z_a-z]+;?[\s\x0b]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[\s\x0b]*?(?:alter|drop|(?:insert|update)[\s\x0b]*?[0-9A-Z_a-z]{2,})|@.+=[\s\x0b]*?\([\s\x0b]*?select|[^0-9A-Z_a-z]SET[\s\x0b]*?@[0-9A-Z_a-z]+" \ "id:942210,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects chained SQL injection attempts 1/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942260.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942260 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\x0b]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)[\s\x0b]+[\s\x0b0-9A-Z_a-z]+=[\s\x0b]*?[0-9A-Z_a-z]+[\s\x0b]*?having[\s\x0b]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][\s\x0b]+like[\s\x0b]+[\"'`]|like[\s\x0b]*?[\"'`]%|select[\s\x0b]+?[\s\x0b\"'-\),-\.0-9A-\[\]_-z]+from[\s\x0b]+" \ "id:942260,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL authentication bypass attempts 2/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942300.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942300 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\)[\s\x0b]*?when[\s\x0b]*?[0-9]+[\s\x0b]*?then|[\"'`][\s\x0b]*?(?:[#\{]|--)|/\*![\s\x0b]?[0-9]+|\b(?:(?:binary|cha?r)[\s\x0b]*?\([\s\x0b]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[\s\x0b]+[0-9A-Z_a-z]+\()|(?:\|\||&&)[\s\x0b]*?[0-9A-Z_a-z]+\(" \ "id:942300,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL comments, conditions and ch(a)r injections',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942310.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942310 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\([\s\x0b]*?select[\s\x0b]*?[0-9A-Z_a-z]+|coalesce|order[\s\x0b]+by[\s\x0b]+if[0-9A-Z_a-z]*?)[\s\x0b]*?\(|\*/from|\+[\s\x0b]*?[0-9]+[\s\x0b]*?\+[\s\x0b]*?@|[0-9A-Z_a-z][\"'`][\s\x0b]*?(?:(?:[\+\-=@\|]+[\s\x0b]+?)+|[\+\-=@\|]+)[\(0-9]|@@[0-9A-Z_a-z]+[\s\x0b]*?[^\s\x0b0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[\s\x0b]*?(?:if|while|begin)|[\s\x0b0-9]+=[\s\x0b]*?[0-9])|[\s\x0b\(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[\s\x0b\(]" \ "id:942310,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects chained SQL injection attempts 2/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Injection Probings ]=- # # This is a group of three similar rules aiming to detect SQL injection probings. # # 942330 PL 2 # 942370 PL 2 # 942490 PL 3 # Regular expression generated from regex-assembly/942330.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942330 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\x0b]*?\b(?:x?or|div|like|between|and)\b[\s\x0b]*?[\"'`]?[0-9]|\x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'\x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[\s\x0b]*?\b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)\b[\s\x0b]*?[\"'0-9A-Z_-z][!&\(\)\+-\.@])|[^\s\x0b0-9A-Z_a-z][0-9A-Z_a-z]+[\s\x0b]*?[\-\|][\s\x0b]*?[\"'`][\s\x0b]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[\s\x0b]+(?:and|x?or|div|like|between)\b[\s\x0b]*?[\"'0-9`]+|[\-0-9A-Z_a-z]+[\s\x0b](?:and|x?or|div|like|between)\b[\s\x0b]*?[^\s\x0b0-9A-Z_a-z])|[^\s\x0b0-:A-Z_a-z][\s\x0b]*?[0-9][^0-9A-Z_a-z]+[^\s\x0b0-9A-Z_a-z][\s\x0b]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" \ "id:942330,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects classic SQL injection probings 1/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942340.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942340 # # Note that part of 942340.data is already optimized, to avoid a # Regexp::Assemble behaviour, where the regex is not optimized very nicely. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)in[\s\x0b]*?\(+[\s\x0b]*?select|(?:(?:N?AND|X?X?OR|DIV|LIKE|BETWEEN|NOT)[\s\x0b]+|(?:\|\||&&)[\s\x0b]*)[\s\x0b\+0-9A-Z_a-z]+(?:regexp[\s\x0b]*?\(|sounds[\s\x0b]+like[\s\x0b]*?[\"'`]|[0-9=]+x)|[\"'`](?:[\s\x0b]*?(?:[0-9][\s\x0b]*?(?:--|#)|is[\s\x0b]*?(?:[0-9].+[\"'`]?[0-9A-Z_a-z]|[\.0-9]+[\s\x0b]*?[^0-9A-Z_a-z].*?[\"'`]))|[%&<->\^]+[0-9][\s\x0b]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[\+\-0-9A-Z_a-z]+[\s\x0b]*?=[\s\x0b]*?[0-9][^0-9A-Z_a-z]+|\|?[\-0-9A-Z_a-z]{3,}[^\s\x0b,\.0-9A-Z_a-z]+)[\"'`]|[\s\x0b]*(?:(?:N?AND|X?X?OR|DIV|LIKE|BETWEEN|NOT)[\s\x0b]+|(?:\|\||&&)[\s\x0b]*)(?:array[\s\x0b]*\[|[0-9A-Z_a-z]+(?:[\s\x0b]*!?~|[\s\x0b]+(?:not[\s\x0b]+)?similar[\s\x0b]+to[\s\x0b]+)|(?:tru|fals)e\b))|\bexcept[\s\x0b]+(?:select\b|values[\s\x0b]*?\()" \ "id:942340,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL authentication bypass attempts 3/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is a stricter sibling of 942360. # The keywords 'alter' and 'union' led to false positives. # Therefore they have been moved to PL2 and the keywords have been extended on PL1. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:^[\W\d]+\s*?(?:alter|union)\b)" \ "id:942361,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL injection based on keyword alter or union',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is a stricter sibling of 942360. # The loose word boundaries and light context led to false positives. # Because the stricter variant does miss quite a few legitimate payloads, the loose version was moved to PL2. # # Regular expression generated from regex-assembly/942362.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942362 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\s\x0b]+(?:char|group_concat|load_file)[\s\x0b]?\(?|end[\s\x0b]*?\);|[\s\x0b\(]load_file[\s\x0b]*?\(|[\"'`][\s\x0b]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][\s\x0b]+as\b[\s\x0b]*[\"'0-9A-Z_-z]+[\s\x0b]*\bfrom|^[^A-Z_a-z]+[\s\x0b]*?(?:create[\s\x0b]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[\s\x0b]*(?:all|(?:sele|distin)ct))|alter[\s\x0b]*(?:a(?:(?:ggregat|pplication[\s\x0b]*rol)e|s(?:sembl|ymmetric[\s\x0b]*ke)y|u(?:dit|thorization)|vailability[\s\x0b]*group)|b(?:roker[\s\x0b]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\s\x0b]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\s\x0b]*group|in)))|m(?:a(?:s(?:k|ter[\s\x0b]*key)|terialized)|e(?:ssage[\s\x0b]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\s\x0b]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\s\x0b]*schema|srobject)))\b)" \ "id:942362,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects concatenated basic SQL injection and SQLLFI attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is a sibling of 942330. See that rule for a description and overview. # # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # # Regular expression generated from regex-assembly/942370.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942370 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`](?:[\s\x0b]*?(?:(?:\*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[\s\x0b][^0-9]+[\-0-9A-Z_a-z]+.*?)[0-9]|[^\s\x0b0-9\?A-Z_a-z]+[\s\x0b]*?[^\s\x0b0-9A-Z_a-z]+[\s\x0b]*?[\"'`]|[^\s\x0b0-9A-Z_a-z]+[\s\x0b]*?[^A-Z_a-z].*?(?:#|--))|.*?\*[\s\x0b]*?[0-9])|\^[\"'`]|[%\(-\+\-<>][\-0-9A-Z_a-z]+[^\s\x0b0-9A-Z_a-z]+[\"'`][^,]" \ "id:942370,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects classic SQL injection probings 2/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942380.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942380 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:having\b(?:[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')[\s\x0b]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ \"'<-\?\[]+))|ex(?:ecute(?:\(|[\s\x0b]{1,5}[\$\.0-9A-Z_a-z]{1,5}[\s\x0b]{0,3})|ists[\s\x0b]*?\([\s\x0b]*?select\b)|(?:create[\s\x0b]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)\()|select.*?case|from.*?limit|order[\s\x0b]by|exists[\s\x0b](?:[\s\x0b]select|s(?:elect[^\s\x0b](?:if(?:null)?[\s\x0b]\(|top|concat)|ystem[\s\x0b]\()|\bhaving\b[\s\x0b]+[0-9]{1,10}|'[^=]{1,10}')" \ "id:942380,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942390.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942390 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:or\b(?:[\s\x0b]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[\s\x0b]?[<->]+|[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\x0b]*?[<->])?)|xor\b[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\x0b]*?[<->])?)|'[\s\x0b]+x?or[\s\x0b]+.{1,20}[!\+\-<->]" \ "id:942390,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942400.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942400 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\band\b(?:[\s\x0b]+(?:[0-9]{1,10}[\s\x0b]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" \ "id:942400,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # The former rule id 942410 was split into three new rules: 942410, 942470, 942480 # # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # # Regular expression generated from regex-assembly/942410.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942410 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[12]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?\(" \ "id:942410,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # The former rule id 942410 was split into three new rules: 942410, 942470, 942480 # # Regular expression generated from regex-assembly/942470.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942470 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" \ "id:942470,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # The former rule id 942410 was split into three new rules: 942410, 942470, 942480 # # Regular expression generated from regex-assembly/942480.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942480 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:(?:d(?:bms_[0-9A-Z_a-z]+\.|elete\b[^0-9A-Z_a-z]*?\bfrom)|(?:group\b.*?\bby\b.{1,100}?\bhav|overlay\b[^0-9A-Z_a-z]*?\(.*?\b[^0-9A-Z_a-z]*?plac)ing|in(?:ner\b[^0-9A-Z_a-z]*?\bjoin|sert\b[^0-9A-Z_a-z]*?\binto|to\b[^0-9A-Z_a-z]*?\b(?:dump|out)file)|load\b[^0-9A-Z_a-z]*?\bdata\b.*?\binfile|s(?:elect\b.{1,100}?\b(?:(?:.*?\bdump\b.*|(?:count|length)\b.{1,100}?)\bfrom|(?:data_typ|from\b.{1,100}?\bwher)e|instr|to(?:_(?:cha|numbe)r|p\b.{1,100}?\bfrom))|ys_context)|u(?:nion\b.{1,100}?\bselect|tl_inaddr))\b|print\b[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?\(a|@@version|;[^0-9A-Z_a-z]*?\b(?:drop|shutdown))\b|'(?:dbo|msdasql|s(?:a|qloledb))'" \ "id:942480,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # [ SQL Injection Character Anomaly Usage ] # # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # # This rules attempts to gauge when there is an excessive use of # meta-characters within a single parameter payload. # # Expect a lot of false positives with this rule. # The most likely false positive instances will be free-form text fields. # This will make it necessary to disable the rule for certain known parameters. # The following directive is an example to switch off the rule globally for # the parameter foo. Place this instruction in your configuration after # the include directive for the Core Rules Set. # # SecRuleUpdateTargetById 942430 "!ARGS:foo" # SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){12})" \ "id:942430,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" # # -=[ Exclusion rule for 942440 ]=- # # Prevent FPs against Facebook click identifier # SecRule ARGS_GET:fbclid "@rx [a-zA-Z0-9_-]{61,61}" \ "id:942441,\ phase:2,\ pass,\ t:none,t:urlDecodeUni,\ nolog,\ tag:'OWASP_CRS',\ ctl:ruleRemoveTargetById=942440;ARGS:fbclid,\ ver:'OWASP_CRS/4.7.0-dev'" # # -=[ Exclusion rule for 942440 ]=- # # Prevent FPs against Google click identifier # SecRule ARGS_GET:gclid "@rx [a-zA-Z0-9_-]{91,91}" \ "id:942442,\ phase:2,\ pass,\ t:none,t:urlDecodeUni,\ nolog,\ tag:'OWASP_CRS',\ ctl:ruleRemoveTargetById=942440;ARGS:gclid,\ ver:'OWASP_CRS/4.7.0-dev'" # # -=[ Detect SQL Comment Sequences ]=- # # Example Payloads Detected: # ------------------------- # OR 1# # DROP sampletable;-- # admin'-- # DROP/*comment*/sampletable # DR/**/OP/*bypass deny listing*/sampletable # SELECT/*avoid-spaces*/password/**/FROM/**/Members # SELECT /*!32302 1/0, */ 1 FROM tablename # ‘ or 1=1# # ‘ or 1=1-- - # ‘ or 1=1/* # ' or 1=1;\x00 # 1='1' or-- - # ' /*!50000or*/1='1 # ' /*!or*/1='1 # 0/**/union/*!50000select*/table_name`foo`/**/ # ------------------------- # # The chained rule is designed to prevent false positives by specifically # targeting JWT tokens. Starting with 'ey' targets JWT tokens, where the 'ey' # prefix corresponds to the beginning of the Base64-encoded header section. # # example: # $ echo '{"' | base64 # eyIK # # Regular expressions generated from regex-assembly/942440.ra and regex-assembly/942440-chain1.ra. # To update the regular expressions run the following shell scripts # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942440 # crs-toolchain regex update 942440-chain1 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx /\*!?|\*/|[';]--|--(?:[\s\x0b]|[^\-]*?-)|[^&\-]#.*?[\s\x0b]|;?\x00" \ "id:942440,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Comment Sequence Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \ "t:none,\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" # # -=[ SQL Hex Evasion Methods ]=- # # Hex encoding detection: # (?i:\b0x[a-f\d]{3,}) will match any 3 or more hex bytes after "0x", together forming a hexadecimal payload(e.g 0xf00, 0xf00d and so on) # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b0x[a-f\d]{3,})" \ "id:942450,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Hex Encoding Identified',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ Detect SQLi bypass: backticks ]=- # # Quotes and backticks can be used to bypass SQLi detection. # # Example: # GET http://localhost/test.php?id=9999%20or+{`if`(2=(select+2+from+wp_users+where+user_login='admin'))} # # The minimum text between the ticks or backticks must be 2 (if, for example) and a maximum of 29. # 29 is a compromise: The lower this number (29), the lower the probability of FP and the higher the probability of false negatives. # In tests we got a minimum number of FP with {2,29}. # # Base64 encoding detection: # (?:[A-Za-z0-9+/]{4})+ #match any number of 4-letter blocks of the base64 char set # (?:[A-Za-z0-9+/]{2}== #match 2-letter block of the base64 char set followed by "==", together forming a 4-letter block # | # or # [A-Za-z0-9+/]{3}= #match 3-letter block of the base64 char set followed by "=", together forming a 4-letter block # )? # # The minimal string that triggers this regexp is: `if` # # The rule 942511 is similar to this rule, but triggers on normal quotes # ('if'). That rule runs in paranoia level 3 or higher since it is prone to # false positives in natural text. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:`(?:(?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" \ "id:942510,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQLi bypass attempt by ticks or backticks detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942520.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942520 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\x0b]*?(?:(?:is[\s\x0b]+not|not[\s\x0b]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\s\x0b]+like)\b|[%&\*\+\-/<->\^\|])" \ "id:942520,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL authentication bypass attempts 4.0/4',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Complementary rule to PL2 942520 that block and/or-based bypasses. # It blocks data with odd number of quotes and then (and|or). # # The rule uses the expression ^b*a*(b*a*b*a*)* to odd number of a's. It's not # vulnerable to ReDos as it executes linearly many steps compared to input size. # # Regular expression generated from regex-assembly/942521.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942521 # SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[\s\x0b]*([0-9A-Z_a-z]+)\b" \ "id:942521,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL authentication bypass attempts 4.1/4',\ logdata:'Matched Data: %{TX.0} found within %{TX.942521_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.942521_matched_var_name=%{matched_var_name}',\ chain" SecRule TX:1 "@rx ^(?:and|or)$" \ "t:none,\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Complementary rule to PL2 942521 that block escaped quotes followed by (and|or) # SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b" \ "id:942522,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL authentication bypass attempts 4.1/4',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # This is a sibling of rule 942100 that adds checking of the path. # # REQUEST_BASENAME provides the last url segment (slash excluded). # This segment is the most likely to be used for injections. Stripping out # the slash permits libinjection to do not consider it as a payload starting # with not unary arithmetical operators (not a valid SQL command, e.g. # '/9 union all'). The latter would lead to do not detect malicious payloads. # # REQUEST_FILENAME matches SQLi payloads inside (or across) other segments # of the path. Here, libinjection will detect a true positive only if # the url leading slash is considered as part of a comment block or part # of a string (with a quote or double quote after it). In these circumstances, # previous slashes do not affect libinjection result, making it able to detect # some SQLi inside the path. # SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \ "id:942101,\ phase:1,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\ msg:'SQL Injection Attack Detected via libinjection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Function Names ]=- # # This rule is a stricter sibling of 942151. # This rule 942152 checks for the same regex in request headers referer and user-agent. # # Regular expression generated from regex-assembly/942152.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942152 # SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \ "id:942152,\ phase:1,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack: SQL function name detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # This rule is a stricter sibling of 942320. # It checks for the same regex in request headers referer and user-agent. # # Regular expression generated from regex-assembly/942321.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942321 # SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\x0b]+(?:function|procedure)[\s\x0b]*?[0-9A-Z_a-z]+[\s\x0b]*?\([\s\x0b]*?\)[\s\x0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\s\x0b]*?[0-9A-Z_a-z]+|iv[\s\x0b]*?\([\+\-]*[\s\x0b\.0-9]+,[\+\-]*[\s\x0b\.0-9]+\))|exec[\s\x0b]*?\([\s\x0b]*?@|(?:lo_(?:impor|ge)t|procedure[\s\x0b]+analyse)[\s\x0b]*?\(|;[\s\x0b]*?(?:declare|open)[\s\x0b]+[\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\s\x0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" \ "id:942321,\ phase:1,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL and PostgreSQL stored procedure/function injections',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # # # [ SQL HAVING queries ] # # This pattern was split off from rule 942250 due to frequent # false positives in English text. Testing showed that SQL # injections with HAVING should be detected by libinjection # (rule 942100). # # This is a stricter sibling of rule 942250. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\W+\d*?\s*?\bhaving\b\s*?[^\s\-]" \ "id:942251,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects HAVING injections',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # This rule is a stricter sibling of 942330. See that rule for a # description and overview. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\s\d]*?[^\w\s]\W*?\d\W*?.*?[\"'`\d]" \ "id:942490,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects classic SQL injection probings 3/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # # [ SQL Injection Character Anomaly Usage ] # # This rule attempts to gauge when there is an excessive use of # meta-characters within a single parameter payload. # # It is similar to 942430, but focuses on Cookies instead of # GET/POST parameters. # # Expect a lot of false positives with this rule. # The most likely false positive instances will be complex session ids. # This will make it necessary to disable the rule for certain known cookies. # The following directive is an example to switch off the rule globally for # the cookie foo_id. Place this instruction in your configuration after # the include directive for the Core Rules Set. # # SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:foo_id" # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){8})" \ "id:942420,\ phase:1,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" # # This is a stricter sibling of rule 942430. # # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ "id:942431,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" # # [ Repetitive Non-Word Characters ] # # This rule attempts to identify when multiple (4 or more) non-word characters # are repeated in sequence. # # The pattern may occur in some normal texts, e.g. "foo...." will match. # SecRule ARGS "@rx \W{4}" \ "id:942460,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'WARNING',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'" # # -=[ Detect SQLi bypass: quotes ]=- # # Quotes and backticks can be used to bypass SQLi detection. # # Example: # GET http://localhost/test.php?id=9999%20or+{`if`(2=(select+2+from+wp_users+where+user_login='admin'))} # # The minimum text between the ticks or backticks must be 2 (if, for example) and a maximum of 29. # 29 is a compromise: The lower this number (29), the lower the probability of FP and the higher the probability of false negatives. # In tests we got a minimum number of FP with {2,29}. # # Base64 encoding detection: # (?:[A-Za-z0-9+/]{4})+ #match any number of 4-letter blocks of the base64 char set # (?:[A-Za-z0-9+/]{2}== #match 2-letter block of the base64 char set followed by "==", together forming a 4-letter block # | # or # [A-Za-z0-9+/]{3}= #match 3-letter block of the base64 char set followed by "=", together forming a 4-letter block # )? # # The minimal string that triggers this regexp is: 'if' # # The rule 942510 is similar to this rule, but triggers on backticks # (`if`). That rule runs in paranoia level 2 or higher since the risk of # false positives in natural text is still present but lower than this # rule. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:'(?:(?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" \ "id:942511,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQLi bypass attempt by ticks detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # Detects '; # ' Single quote. Used to delineate a query with an unmatched quote. # ; Terminate a query. A prematurely terminated query creates an error. # Explanation source: # https://hwang.cisdept.cpp.edu/swanew/Text/SQL-Injection.htm # # Bug Bounty example: email=admin@juice-sh.op';&password=foo # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ';" \ "id:942530,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQLi query termination detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # # # [ SQL Injection Character Anomaly Usage ] # # This is a stricter sibling of rule 942420. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){3})" \ "id:942421,\ phase:1,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/4',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" # # This is a stricter sibling of rule 942430. # # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){2})" \ "id:942432,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'paranoia-level/4',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.7.0-dev',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-942-APPLICATION-ATTACK-SQLI" Save