rule-941330-include.json
# OWASP CRS 3.1.0 rule 941330 -- "IE XSS Filters - Attack Detected" (paranoia level 2).
#
# Targets: request cookies except those whose name matches __utm or _pk_ref
# (Google Analytics / Piwik tracking cookies, presumably excluded to avoid false
# positives), cookie names, argument names, argument values, and every XML node
# (XML:/* only has content when the XML request body processor is active).
#
# Phase 2 (request body phase), so both query-string and body arguments are seen.
# Transformations applied to each target before matching, in order:
# urlDecodeUni, htmlEntityDecode, compressWhiteSpace.
#   NOTE(review): ARGS are already URL-decoded by the engine, so t:urlDecodeUni
#   decodes a second time here; treat this as a double decode when reasoning about
#   evasions and false positives.
#
# Regex (case-insensitive): a single or double quote, optional spaces, then either
# one character that is NOT in [a-z0-9~_:' ] or the word "in", then lazily anything,
# then one of the JavaScript property names location / name / onerror / valueOf,
# then lazily anything up to an "=". Each letter of those names may appear literally
# or as a "\u00XX" JavaScript escape (the "\\\\u00XX" alternatives). The four
# backslashes are presumably there because the config parser strips one level of
# escaping before the pattern reaches the regex engine -- verify against the
# engine version in use, since a mismatch silently disables the escaped forms.
#
# Actions: "block" defers the disruptive action to the phase's SecDefaultAction, so
# whether a hit actually denies the request depends on surrounding configuration.
# "capture" fills TX.0 with the matched text, which is echoed in logdata and stored
# in the per-rule tx variable below. That tx key embeds MATCHED_VAR_NAME, which for
# ARGS / ARGS_NAMES / cookies includes the request-supplied parameter or cookie name
# -- i.e. part of the variable name is attacker-controlled; presumably why a
# fixture exercising setvar uses this rule.
# Anomaly scoring: tx.xss_score and tx.anomaly_score_pl2 are each raised by
# tx.critical_anomaly_score, and tx.msg records the rule message.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" \
"id:941330,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A2',\
tag:'OWASP_AppSensor/IE1',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.0',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
[
{
"enabled":1,
"version_min":300000,
"title":"OWASP CRS id:941330 :: setvar with a MATCHED_VAR_NAME-derived tx key; unicode-escaped 'valueOf' in ARGS must be blocked (400)",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host": "localhost"
},
"uri":"/?var=%22in%20\\u0076\\u0061l\\u0075e\\u004F\\u0066%3d",
"method":"GET"
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":400
},
"rules":[
"SecRuleEngine On",
"SecDefaultAction \"phase:2,deny,block,status:400,log\"",
"Include 941330.conf"
]
}
]