
@airween
Created September 13, 2019 19:45
rule-941330.json
[
{
"enabled":0,
"version_min":300000,
"title":"Testing setvar :: OWASP CRS id:941330",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host": "localhost"
},
"uri":"/?var=%22in%20\\u0076\\u0061l\\u0075e\\u004F\\u0066%3d",
"method":"GET"
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":400
},
"rules":[
"SecRuleEngine On",
"SecDefaultAction \"phase:2,deny,block,status:400,log\"",
"SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i:[\\\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)\" \"id:941330,phase:2,block,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,msg:'IE XSS Filters - Attack Detected.',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',setvar:'tx.msg=%{rule.msg}',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'\""
]
}
]