1 # ---------------------------------------------------------------
2 # Core ModSecurity Rule Set ver.2.0.3
3 # Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
5 # The ModSecuirty Core Rule Set is distributed under GPL version 2
6 # Please see the enclosed LICENCE file for full details.
7 # ---------------------------------------------------------------
13 SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm jscript onsubmit copyparentfolder javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: .cookie x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" \
14 "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,setvar:tx.pm_xss_data_%{matched_var_name}=%{matched_var}"
15 SecAction phase:2,pass,nolog,skipAfter:END_XSS_REGEX
18 SecRule TX:/^PM_XSS_DATA_*/ "\bgetparentfolder\b" \
19 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
21 SecRule TX:/^PM_XSS_DATA_*/ "\bonmousedown\b\W*?\=" \
22 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958414',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
24 SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bshell:" \
25 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958032',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
27 SecRule TX:/^PM_XSS_DATA_*/ "\bmocha:" \
28 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958026',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
30 SecRule TX:/^PM_XSS_DATA_*/ "\bonabort\b" \
31 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958027',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
33 SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bhttp:" \
34 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958054',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
36 SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseup\b\W*?\=" \
37 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958418',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
39 SecRule TX:/^PM_XSS_DATA_*/ "\bstyle\b\W*\=.*bexpression\b\W*\(" \
40 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958034',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
42 SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bshell:" \
43 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958019',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
45 SecRule TX:/^PM_XSS_DATA_*/ "\bcreatetextrange\b" \
46 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958013',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
48 SecRule TX:/^PM_XSS_DATA_*/ "\bondragdrop\b\W*?\=" \
49 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958408',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
51 SecRule TX:/^PM_XSS_DATA_*/ "\bcopyparentfolder\b" \
52 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958012',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
54 SecRule TX:/^PM_XSS_DATA_*/ "\bonunload\b\W*?\=" \
55 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958423',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
57 SecRule TX:/^PM_XSS_DATA_*/ "\.execscript\b" \
58 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958002',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
60 SecRule TX:/^PM_XSS_DATA_*/ "\bgetspecialfolder\b" \
61 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958017',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
63 SecRule TX:/^PM_XSS_DATA_*/ "<body\b.*?\bonload\b" \
64 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958007',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
66 SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bvbscript:" \
67 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958047',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
69 SecRule TX:/^PM_XSS_DATA_*/ "\bonkeydown\b\W*?\=" \
70 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958410',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
72 SecRule TX:/^PM_XSS_DATA_*/ "\bonmousemove\b\W*?\=" \
73 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958415',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
75 SecRule TX:/^PM_XSS_DATA_*/ "\blivescript:" \
76 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958022',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
78 SecRule TX:/^PM_XSS_DATA_*/ "\bonblur\b\W*?\=" \
79 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958405',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
81 SecRule TX:/^PM_XSS_DATA_*/ "\bonmove\b\W*?\=" \
82 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958419',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
84 SecRule TX:/^PM_XSS_DATA_*/ "\bsettimeout\b\W*?\(" \
85 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958028',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
87 SecRule TX:/^PM_XSS_DATA_*/ "\< ?iframe" \
88 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958057',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
90 SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bjavascript:" \
91 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958031',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
93 SecRule TX:/^PM_XSS_DATA_*/ "<body\b.*?\bbackground\b" \
94 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958006',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
96 SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bvbscript:" \
97 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958033',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
99 SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\becmascript\b" \
100 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958038',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
102 SecRule TX:/^PM_XSS_DATA_*/ "\bonfocus\b\W*?\=" \
103 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958409',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
105 SecRule TX:/^PM_XSS_DATA_*/ "\.cookie\b" \
106 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958001',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
108 SecRule TX:/^PM_XSS_DATA_*/ "\<\!\[cdata\[" \
109 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958005',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
111 SecRule TX:/^PM_XSS_DATA_*/ "\bonerror\b\W*?\=" \
112 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958404',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
114 SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bjavascript:" \
115 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958023',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
117 SecRule TX:/^PM_XSS_DATA_*/ "\bactivexobject\b" \
118 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958010',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
120 SecRule TX:/^PM_XSS_DATA_*/ "\bonkeypress\b\W*?\=" \
121 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958411',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
123 SecRule TX:/^PM_XSS_DATA_*/ "\bonsubmit\b\W*?\=" \
124 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958422',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
126 SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\bapplication\b\W*?\bx-javascript\b" \
127 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958036',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
129 SecRule TX:/^PM_XSS_DATA_*/ "\.addimport\b" \
130 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958000',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
132 SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bjavascript:" \
133 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958018',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
135 SecRule TX:/^PM_XSS_DATA_*/ "\bonchange\b\W*?\=" \
136 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958406',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
138 SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bjscript\b" \
139 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958040',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
141 SecRule TX:/^PM_XSS_DATA_*/ "\balert\b\W*?\(" \
142 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958052',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
144 SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\bapplication\b\W*?\bx-vbscript\b" \
145 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958037',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
147 SecRule TX:/^PM_XSS_DATA_*/ "\< ?meta\b" \
148 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958049',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
150 SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bhttp:" \
151 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958030',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
153 SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bvbscript\b" \
154 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958041',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
156 SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseout\b\W*?\=" \
157 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958416',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
159 SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bshell:" \
160 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958024',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
162 SecRule TX:/^PM_XSS_DATA_*/ "\basfunction:" \
163 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958059',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
165 SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseover\b\W*?\=" \
166 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958417',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
168 SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bvbscript:" \
169 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958020',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
171 SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bjavascript:" \
172 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958045',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
174 SecRule TX:/^PM_XSS_DATA_*/ "\.innerhtml\b" \
175 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
177 SecRule TX:/^PM_XSS_DATA_*/ "\bonselect\b\W*?\=" \
178 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958421',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
180 SecRule TX:/^PM_XSS_DATA_*/ "\@import\b" \
181 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958009',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
183 SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bvbscript:" \
184 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958025',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
186 SecRule TX:/^PM_XSS_DATA_*/ "\bonload\b\W*?\=" \
187 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958413',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
189 SecRule TX:/^PM_XSS_DATA_*/ "\< ?script\b" \
190 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958051',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
192 SecRule TX:/^PM_XSS_DATA_*/ "\bonresize\b\W*?\=" \
193 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958420',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
195 SecRule TX:/^PM_XSS_DATA_*/ "\bonclick\b\W*?\=" \
196 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958407',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
198 SecRule TX:/^PM_XSS_DATA_*/ "\biframe\b.{0,100}?\bsrc\b" \
199 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958056',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
201 SecRule TX:/^PM_XSS_DATA_*/ "\bbackground-image:" \
202 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958011',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
204 SecRule TX:/^PM_XSS_DATA_*/ "\bonkeyup\b\W*?\=" \
205 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958412',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
207 SecRule TX:/^PM_XSS_DATA_*/ "<input\b.*?\btype\b\W*?\bimage\b" \
208 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958008',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
210 SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bshell:" \
211 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958046',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
213 SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bjavascript\b" \
214 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958039',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
216 SecRule TX:/^PM_XSS_DATA_*/ "\.fromcharcode\b" \
217 "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958003',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
220 SecMarker END_XSS_REGEX
222 # Detect tags that are the most common direct HTML injection points.
224 # <a href=javascript:...
225 # <applet src="..." type=text/html>
226 # <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
227 # <base href=javascript:...
228 # <base href=... // change base URL to something else to exploit relative filename inclusion
229 # <bgsound src=javascript:...
230 # <body background=javascript:...
232 # <embed src=http://www.example.com/flash.swf allowScriptAccess=always
233 # <embed src="data:image/svg+xml;
234 # <frameset><frame src="javascript:..."></frameset>
235 # <iframe src=javascript:...
236 # <img src=x onerror=...
237 # <input type=image src=javascript:...
239 # <link href="javascript:..." rel="stylesheet" type="text/css"
240 # <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css"
241 # <meta http-equiv="refresh" content="0;url=javascript:..."
242 # <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
243 # <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css">
244 # <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE">
245 # <object data=http://www.example.com
246 # <object type=text/x-scriptlet data=...
247 # <object type=application/x-shockwave-flash data=xss.swf>
248 # <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified
249 # <script>...</script>
250 # <script src=http://www.example.com/xss.js></script> - TODO add another rule for this
251 # <script src="data:text/javascript,alert(1)"></script>
252 # <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script>
253 # <style>STYLE</style>
254 # <style type=text/css>STYLE</style>
255 # <style type=text/javascript>alert('xss')</style>
256 # <table background=javascript:...
257 # <td background=javascript:
262 # - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping
264 # - Not using closing brackets because they are not needed for the
265 # attacks to succeed. The following seems to work in FF: <body/s/onload=...
267 # - Also, browsers sometimes tend to translate < into >, in order to "repair"
268 # what they think was a mistake made by the programmer/template designer.
270 # - Browsers are flexible when it comes to what they accept as separator between
271 # tag names and attributes. The following is commonly used in payloads: <img/src=...
272 # A better example: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^=alert("XSS")>
274 # - Grave accents are sometimes used as an evasion technique (as a replacement for quotes),
275 # but I don't believe we need to look for quotes anywhere.
277 # - Links do not have to be fully qualified. For example, the following works:
278 # <script src="//ha.ckers.org/.j">
280 SecRule REQUEST_URI_RAW|REQUEST_BODY "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
281 "phase:2,t:none,t:jsDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
283 SecRule REQUEST_URI_RAW|REQUEST_BODY "\ballowscriptaccess\b|\brel\b\W*?=" \
284 "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
286 # TODO Would evasion such as null and whitespace work here?
288 SecRule REQUEST_URI_RAW|REQUEST_BODY "application/x-shockwave-flash|image/svg\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript))" \
289 "phase:2,t:none,t:htmlEntityDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
291 # Detect event handler names
294 # <img src=x onerror=...>
296 SecRule REQUEST_URI_RAW|REQUEST_BODY "\bon(abort|blur|change|click|dblclick|dragdrop|error|\
297 focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout\
298 |mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\b\W*?=" \
299 "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
301 # Detect usage of common URI attributes (e.g. src)
303 # <a href="javascript:...">Link</a>
304 # <base href="javascript:...">
305 # <bgsound src="javascript:...">
306 # <body background="javascript:...">
307 # <frameset><frame src="javascript:..."></frameset>
308 # <iframe src=javascript:...>
309 # <img dynsrc=javascript:...>
310 # <img lowsrc=javascript:...>
311 # <img src=javascript:...>
312 # <input type=image src=javascript:...>
314 SecRule REQUEST_URI_RAW|REQUEST_BODY "\b(background|dynsrc|href|lowsrc|src)\b\W*?=" \
315 "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
317 # As above, but try to catch the other bit that is necessary to execute the attack.
319 # <meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
320 # <img src=jaVaScrIpt:...>
321 # <img src=a;avascript:...> (not evasion)
322 # <img src="jav ascript:..."> (embedded tab; null byte, other whitespace characters work too)
323 # <img src="jaa	ascript:..."> (the combination of the above two)
327 # - htmlEntityDecode needs to be applied because this content appears in HTML
328 # attributes, so it's not evasion.
330 # TODO I think asfunction only work in HTML files handled by Flash. Needs verifying.
332 SecRule REQUEST_URI_RAW|REQUEST_BODY "(asfunction|javascript|vbscript|data|mocha|livescript):" \
333 "phase:2,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
335 # Detect attempts to use the style attribute, which works with any tag in at
336 # least one major browser.
338 # <div style="background-image: url(javascript:...)">
340 SecRule REQUEST_URI_RAW|REQUEST_BODY "\bstyle\b\W*?=" \
341 "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
343 # -- JavaScript fragments --
345 # TODO Need more fragments.
347 # TODO What about JavaScript code hidden behind CSS?
349 # TODO There is a bunch of DOM-manipulation stuff that we want to cover here.
351 # alert(String.fromCharCode(88,83,83)
354 # - document.location
356 # - document.styleSheets[0].addImport('yourstylesheet.css', 2);
357 # - window.execScript("alert('test');", "JavaScript");
358 # - document.body.innerHTML = ''
359 # - newObj = new ActiveXObject(servername.typename[, location])
360 # - A list of keywords here: http://technet.microsoft.com/en-gb/library/bb794749.aspx
361 # - setTimeout("alert('xss')", 1000)
362 # - xmlHttp.onreadystatechange=function() {}
363 # - eval(location.hash.substr(1)) // used to execute JavaScript in fragment identifier
367 # - JavaScript evasion:
369 # http://www.thespanner.co.uk/2007/09/19/javascript-for-hackers/
370 # http://www.thespanner.co.uk/2007/12/12/javascript-for-hackers-part-2/
372 SecRule REQUEST_URI_RAW|REQUEST_BODY "(fromcharcode|alert|eval)\s*\(" \
373 "phase:2,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
376 # -- CSS attack fragments --
378 # <div style="background-image: url(javascript:...)">
379 # <div style="background-image: url(javascript:alert('XSS'))"> // not used
380 # <div style="width: expression(...);">
381 # <img style="x:expression(document.write(1))">
382 # <xss style="behavior: url(http://ha.ckers.org/xss.htc);">
383 # - <style>li {list-style-image: url("javascript:alert('XSS')");}</style><ul><li>xss
384 # <style>@import url(...);</style>
385 # -moz-binding:url(...)
386 # background:url("javascript:...")
387 # </xss/*-*/style=xss:e/**/xpression(alert(1337))> (comment evasion) // TODO Verify
388 # <style type="text/css">@i\m\p\o\rt url(...);</style> (css escaping evasion)
389 # <li style="behavior:url(hilite.htc)">xss
391 # Interesting CSS injection: http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/
393 # Ref: http://crawlmsdn.microsoft.com/en-us/library/ms531078(vs.85).aspx (DHTML Behaviors)
395 # Note: A lot of these seem to need to use the "javascript:" prefix to execute anything. Requiring
396 # a match of that before we do anything might help us reduce the FP rate.
398 SecRule REQUEST_URI_RAW|REQUEST_BODY "background\b\W*?:\W*?url|background-image\b\W*?:|behavior\b\W*?:\W*?url|-moz-binding\b|@import\b|expression\b\W*?\(" \
399 "phase:2,t:none,t:htmlEntityDecode,t:cssDecode,t:replaceComments,t:removeWhitespace,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
401 # <C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C> // evasion
402 SecRule REQUEST_URI_RAW|REQUEST_BODY "<!\[cdata\[|\]\]>" \
403 "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
413 SecRule REQUEST_URI_RAW|REQUEST_BODY "[/'\"<]xss[/'\">]" \
414 "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
416 # String.fromCharCode(88,83,83)
418 SecRule REQUEST_URI_RAW|REQUEST_BODY "(88,83,83)" \
419 "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
423 SecRule REQUEST_URI_RAW|REQUEST_BODY "'';!--\"<xss>=&{()}" \
424 "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
426 # Handle &{alert('xss')} which is supposed to work in Netscape 4.
428 SecRule REQUEST_URI_RAW|REQUEST_BODY "&{" \
429 "phase:2,t:none,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
433 # <!ENTITY inject "<script>alert(1)</script>">
435 # <html xmlns="http://www.w3.org/1999/xhtml">
437 # <title>Test</title>
445 SecRule REQUEST_URI_RAW|REQUEST_BODY "<!(doctype|entity)" \
446 "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
449 # XSS Filters from IE8
450 # http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
452 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&[#\(\)=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))))" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
454 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:[ /+\t\"\'`]style[ /+\t]*?=.*?([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
456 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<object[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
458 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<applet[ /+\t].*?code[ /+\t]*=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
460 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:[ /+\t\"\'`]datasrc[ +\t]*?=.)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
462 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<base[ /+\t].*?href[ /+\t]*=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
464 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<link[ /+\t].*?href[ /+\t]*=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
466 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<meta[ /+\t].*?http-equiv[ /+\t]*=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
468 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<\?import[ /+\t].*?implementation[ /+\t]*=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
470 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<embed[ /+\t].*?SRC.*?=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
472 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:[ /+\t\"\'`]on\c\c\c+?[ +\t]*?=.)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
474 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<.*[:]vmlframe.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
476 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<[i]?frame.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
478 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<isindex[ /+\t>])" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
480 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<form.*?>)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
482 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<script.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
484 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:<script.*?>)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
486 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))).*?=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
488 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?))=)" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
490 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:[\"\'].*?\[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?\()" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
492 SecRule REQUEST_URI_RAW|REQUEST_BODY "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?\(.*?\))" "phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"