+#
+# https://access.redhat.com/articles/1212303
+#
+SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
+ "id:932170,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecode,\
+ msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
+ "id:932171,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecode,t:urlDecodeUni,\
+ msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ Restricted File Upload ]=-
+#
+# Detects attempts to upload a file with a forbidden filename.
+#
+# Many application contain Unrestricted File Upload vulnerabilities.
+# https://www.owasp.org/index.php/Unrestricted_File_Upload
+#
+# These might be abused to upload configuration files or other files
+# that affect the behavior of the web server, possibly causing remote
+# code execution.
+#
+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \
+ "@pmFromFile restricted-upload.data" \
+ "id:932180,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Restricted File Upload Attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+#
+# -=[ Rule 932200 ]=-
+#
+# Block RCE Bypass using different techniques:
+# - uninitialized variables (https://www.secjuice.com/web-application-firewall-waf-evasion/)
+# - string concatenations (https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
+# - globbing patterns (https://medium.com/secjuice/waf-evasion-techniques-718026d693d8)
+#
+# Examples:
+# - foo;cat$u+/etc$u/passwd
+# - bar;cd+/etc;/bin$u/ca*+passwd
+# - foo;ca\t+/et\c/pa\s\swd
+# - foo;c'at'+/etc/pa's'swd
+#
+# Regex notes: https://regex101.com/r/JgZFRi/7
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ([*?`\\'][^/\n]+/|\$[({\[#a-zA-Z0-9]|/[^/]+?[*?`\\'])" \
+ "id:932200,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,t:urlDecodeUni,\
+ msg:'RCE Bypass Technique',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni,chain"
+ SecRule MATCHED_VAR "@rx \s" "t:none,t:urlDecodeUni,\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+
+# Missing Unix commands have been added to a new word list i.e.
+# util/regexp-assemble/regexp-932106.txt
+# These commands may have a higher risk of false positives.
+# Therefore, they have been split off to a separate rule in PL3.
+# For explanation of this rule, see rule 932100.
+#
+# To rebuild the word list regexp:
+# cd util/regexp-assemble
+# cat regexp-932106.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
+#
+# Then insert the assembled regexp into this template:
+#
+# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*
+# [regexp assembled from util/regexp-assemble/regexp-932106.txt]
+# \b" \
+#
+# This rule is a stricter sibling of rule 932100.
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:(?:(?:a[\\\\'\"]*p[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*u[\\\\'\"]*d|u[\\\\'\"]*p[\\\\'\"]*2[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t)[\\\\'\"]*e|d[\\\\'\"]*n[\\\\'\"]*f|v[\\\\'\"]*i)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*(?:a[\\\\'\"]*c[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*(?:\s|<|>).*|w[\\\\'\"]*d|s)|w[\\\\'\"]*(?:(?:\s|<|>).*|h[\\\\'\"]*o))\b" \
+ "id:932106,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Unix Command Injection',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ tag:'paranoia-level/3',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Bypass Rule 930120 (wildcard) ]=-
+#
+# When Paranoia Level is set to 1 and 2, a Remote Command Execution
+# could be exploited bypassing rule 930120 (OS File Access Attempt)
+# by using wildcard characters.
+#
+# In some other cases, it could be bypassed even if the Paranoia Level is set to 3.
+# Please, keep in mind that this rule could lead to many false positives.
+#
+SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
+ "id:932190,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
+ msg:'Remote Command Execution: Wildcard bypass technique attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ tag:'paranoia-level/3',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-932-APPLICATION-ATTACK-RCE"
diff --git a/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
new file mode 100644
index 0000000..58be88f
--- /dev/null
+++ b/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -0,0 +1,734 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ PHP Injection Attacks ]=-
+#
+# [ References ]
+# http://rips-scanner.sourceforge.net/
+# https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh
+#
+
+#
+# [ PHP Open Tag Found ]
+#
+# Detects PHP open tags "', but
+# this resulted in false positives which were difficult to prevent.
+# Therefore, that pattern is now checked by rule 933190 in paranoia levels
+# 3 or higher.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?:[^x]|x[^m]|xm[^l]|xml[^\s]|xml$|$)|<\?php|\[(?:\/|\\\\)?php\])" \
+ "id:933100,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:lowercase,\
+ msg:'PHP Injection Attack: PHP Open Tag Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# [ PHP Script Uploads ]
+#
+# Block file uploads with filenames ending in PHP related extensions
+# (.php, .phps, .phtml, .php5 etc).
+#
+# Many application contain Unrestricted File Upload vulnerabilities.
+# https://www.owasp.org/index.php/Unrestricted_File_Upload
+#
+# Attackers may use such a vulnerability to achieve remote code execution
+# by uploading a .php file. If the upload storage location is predictable
+# and not adequately protected, the attacker may then request the uploaded
+# .php file and have the code within it executed on the server.
+#
+# Also block files with just dot (.) characters after the extension:
+# https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla
+#
+# Some AJAX uploaders use the nonstandard request headers X-Filename,
+# X_Filename, or X-File-Name to transmit the file name to the server;
+# scan these request headers as well as multipart/form-data file names.
+#
+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
+ "id:933110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'PHP Injection Attack: PHP Script File Upload Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Configuration Directives ]
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-config-directives.data" \
+ "id:933120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
+ msg:'PHP Injection Attack: Configuration Directive Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule MATCHED_VARS "@pm =" \
+ "capture,\
+ ctl:auditLogParts=+E,\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Variables ]
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" \
+ "id:933130,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:normalisePath,t:urlDecodeUni,t:lowercase,\
+ msg:'PHP Injection Attack: Variables Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP I/O Streams ]
+#
+# The "php://" syntax can be used to refer to various objects, such as local files (for LFI),
+# remote urls (for RFI), or standard input/request body. Its occurrence indicates a possible attempt
+# to either inject PHP code or exploit a file inclusion vulnerability in a PHP web app.
+#
+# Examples:
+# php://filter/resource=./../../../wp-config.php
+# php://filter/resource=http://www.example.com
+# php://stdin
+# php://input
+#
+# http://php.net/manual/en/wrappers.php.php
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \
+ "id:933140,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: I/O Stream Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Wrappers ]
+#
+# PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem
+# functions such as fopen(), copy(), file_exists() and filesize(). Abusing of PHP wrappers like phar://
+# could lead to RCE as describled by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even
+# wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and expect:// to RCE.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://" \
+ "id:933200,\
+ phase:2,\
+ block,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
+ msg:'PHP Injection Attack: Wrapper scheme detected',\
+ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Functions ]
+#
+# Detecting PHP function names is useful to block PHP code injection attacks.
+# There are many PHP functions. We have to strike a balance between robust detection
+# of PHP code in content, and the risk of false positives.
+#
+# The list of PHP functions is divided into four groups of varying attack/false positive risk.
+# Four separate rules are used to detect these groups of functions:
+#
+# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in
+# natural language or other contexts.
+# Examples: 'base64_decode', 'file_get_contents'.
+# These words are detected as a match directly using @pmFromFile.
+# Function names are defined in php-function-names-933150.data
+#
+# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause
+# false positives in natural language or other contexts.
+# Examples: 'chr', 'eval'.
+# To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
+# Regexp is generated from function names in util/regexp-assemble/regexp-933160.data
+#
+# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
+# Examples: 'addslashes', 'array_diff'.
+# For performance reasons, the @pmFromFile operator is used, and many functions from lesser
+# used PHP extensions are removed.
+# To mitigate false positives, we only match when the '(' character is also found.
+# This rule only runs in paranoia level 2 or higher.
+# Function names are defined in php-function-names-933151.data
+#
+# - Rule 933161: ~200 words with short or trivial names, possibly leading to false positives.
+# Examples: 'abs', 'cos'.
+# To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
+# This rule only runs in paranoia level 3 or higher.
+# Regexp is generated from function names in util/regexp-assemble/regexp-933161.data
+#
+
+
+#
+# [ PHP Functions: High-Risk PHP Function Names ]
+#
+# Rule 933150 contains a small list of function names which are highly indicative of a PHP
+# injection attack, for example 'base64_decode'.
+# We block these function names outright, without using a complex regexp or chain.
+# This could make the detection a bit more robust against possible bypasses.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \
+ "id:933150,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Functions: High-Risk PHP Function Calls ]
+#
+# Some PHP function names have a certain risk of false positives, due to short
+# names, full or partial overlap with common natural language terms, uses in
+# other contexts, et cetera. Some examples are 'eval', 'exec', 'system'.
+#
+# For these function names, we apply a regexp to look for PHP function syntax.
+# The regexp looks for a word boundary and adjoining parentheses.
+# For instance, we want to block 'eval()', but we want to allow 'medieval()'.
+#
+# We have to be careful of possible bypasses using comment syntax. Examples:
+#
+# system(...)
+# system (...)
+# system\t(...)
+# system /*comment*/ (...)
+# system /*multiline \n comment*/ (...)
+# system //comment \n (...)
+# system #comment \n (...)
+#
+# This rule is also triggered by the following exploit(s):
+# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
+# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+# Regexp generated from util/regexp-assemble/regexp-933160.data using Regexp::Assemble.
+# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
+#
+# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
+# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
+ "id:933160,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Object Injection ]
+#
+# PHP Object Injection is an application level vulnerability that could allow
+# an attacker to perform different kinds of malicious attacks, such as
+# Code Injection, SQL Injection, Path Traversal and Application Denial of Service,
+# depending on the context.
+#
+# The vulnerability occurs when user-supplied input is not properly sanitized
+# before being passed to the unserialize() PHP function. Since PHP allows object
+# serialization, attackers could pass ad-hoc serialized strings to a vulnerable
+# unserialize() call, resulting in an arbitrary PHP object(s) injection into the
+# application scope.
+#
+# https://www.owasp.org/index.php/PHP_Object_Injection
+#
+# In serialized form, PHP objects have the following format:
+#
+# O:8:"stdClass":1:{s:1:"a";i:2;}
+# O:3:"Foo":0:{}
+#
+# Also detected are PHP objects with a custom unserializer:
+# http://www.phpinternalsbook.com/classes_objects/serialization.html
+# These have the following format:
+#
+# C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}}
+# C:3:"Foo":23:{s:15:"My private data";}
+#
+# HTTP headers are inspected, since PHP object injection vulnerabilities have been
+# found in applications parsing them:
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 (User-Agent header)
+# https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header)
+# http://karmainsecurity.com/KIS-2015-10 (Host header)
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \
+ "id:933170,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: Serialized Object Injection',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+#
+# [ PHP Functions: Variable Function Calls ]
+#
+# PHP 'variable functions' provide an alternate syntax for calling PHP functions.
+# http://php.net/manual/en/functions.variable-functions.php
+#
+# An attacker may use variable function syntax to evade detection of function
+# names during exploitation of a remote code execution vulnerability.
+# An example to use the 'file_get_contents' function while evading rule 933150:
+#
+# $fn = 'file_' . 'get_' . 'contents';
+# echo $fn('wp-co' . 'nfig.php');
+#
+# Some examples from obfuscated malware:
+#
+# $OOO0000O0(...)
+# @$b374k(...)
+# $_[@-_]($_[@!+_] )
+#
+# A breakdown of the regular expression:
+#
+# \$+
+# The variable's '$' char, or multiple '$' for 'variable variables':
+# http://php.net/manual/en/language.variables.variable.php
+# (?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})
+# One of the following:
+# - A variable name; regexp from http://php.net/language.variables.basics
+# - A nonempty expression for variable variables: ${'fn'} or $ {'fn'}
+# (?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*
+# Optional whitespace, array access, or comments
+# \(.*\)
+# Parentheses optionally containing function parameters
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \
+ "id:933180,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: Variable Function Call Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# [ PHP Functions: Variable Function Prevent Bypass ]
+#
+# Referring to https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
+# the rule 933180 could be bypassed by using the following payloads:
+#
+# - (system)('uname')
+# - (sy.(st).em)('uname')
+# - (string)"system"('uname')
+# - define('x', 'sys' . 'tem');(x)/* comment */('uname')
+# - $y = 'sys'.'tem';($y)('uname')
+# - define('z', [['sys' .'tem']]);(z)[0][0]('uname');
+# - (system)(ls)
+# - (/**/system)(ls/**/);
+# - (['system'])[0]('uname');
+# - (++[++system++][++0++])++{/*dsasd*/0}++(++ls++);
+#
+# This rule blocks all payloads above and avoids to block values like:
+#
+# - [ACME] this is a test (just a test)
+# - Test (with two) rounded (brackets)
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:\(|\[)[a-zA-Z0-9_.$\"'\[\](){}/*\s]+(?:\)|\])[0-9_.$\"'\[\](){}/*\s]*\([a-zA-Z0-9_.$\"'\[\](){}/*\s].*\)|\([\s]*string[\s]*\)[\s]*(?:\"|'))" \
+ "id:933210,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecode,t:replaceComments,t:compressWhitespace,\
+ msg:'PHP Injection Attack: Variable Function Call Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+#
+# [ PHP Functions: Medium-Risk PHP Function Names ]
+#
+# In paranoia level 2, we add additional checks for most PHP functions.
+#
+# The size of the PHP function list is considerable.
+# Even after excluding the more obscure PHP extensions, 1300+ functions remain.
+# For performance and maintenance reasons, this rule does not use a regexp,
+# but uses a phrase file (@pmFromFile), and additionally looks for an '(' character
+# in the matched variable.
+#
+# This approach carries some risk for false positives. Therefore, the function list
+# has been curated to remove words closely matching natural language and terms often
+# used in other contexts.
+#
+# This rule is a stricter sibling of rule 933150.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933151.data" \
+ "id:933151,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ tag:'paranoia-level/2',\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule MATCHED_VARS "@pm (" \
+ "capture,\
+ ctl:auditLogParts=+E,\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+
+#
+# [ PHP Variables: Common Variable Indexes ]
+#
+# In paranoia level 3, we add additional checks for parameters to many PHP variables.
+#
+#
+# One of the more common variables used within attacks on PHP is $_SERVER. Because
+# of how many different ways PHP has for executing variables (variable variables,
+# etc) often just looking for $_SERVER will be less effective than looking for the
+# various indexes within $_SERVER. This rule checks for these indexes.
+# This rule is located in PL 3 because often developers will use these names as
+# parameter names or values and this will lead to false positives.
+# Because this list is not expected to change and it is limited in size we use a
+# regex in this case to look for these values whereas in its sibling rule we use
+# @pmFromFile for flexibility and performance.
+#
+# To rebuild the regexp:
+# cd util/regexp-assemble
+# ./regexp-assemble.pl < regexp-933131.data
+#
+# This rule is a stricter sibling of rule 933130.
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)" \
+ "id:933131,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:normalisePath,t:urlDecodeUni,\
+ msg:'PHP Injection Attack: Variables Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ tag:'paranoia-level/3',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Functions: Low-Value PHP Function Calls ]
+#
+# In paranoia level 3, we add additional checks for the remaining PHP functions.
+#
+# Most of these function names are likely to cause false positives in natural text
+# or common parameter values, such as 'abs', 'copy', 'date', 'key', 'max', 'min'.
+# Therefore, these function names are not scanned in lower paranoia levels.
+#
+# To mitigate the risk of false positives somewhat, a regexp is used to look for
+# PHP function syntax. (See rule 933160 for a description.)
+#
+# This rule is a stricter sibling of rule 933160.
+#
+# This rule is also triggered by the following exploit(s):
+# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ]
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+# Regexp generated from util/regexp-assemble/regexp-933161.data using Regexp::Assemble.
+# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
+#
+# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
+# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
+ "id:933161,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ tag:'paranoia-level/3',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Script Uploads: Superfluous extension ]
+#
+# Block file uploads with PHP related extensions (.php, .phps, .phtml,
+# .php5 etc) anywhere in the name, followed by a dot.
+#
+# Example: index.php.tmp
+#
+# Uploading of such files can lead to remote code execution if
+# Apache is configured with AddType and MultiViews, as Apache will
+# automatically do a filename match when the extension is unknown.
+# This configuration is fortunately not common in modern installs.
+#
+# Blocking these file names might lead to more false positives.
+#
+# Some AJAX uploaders use the nonstandard request headers X-Filename,
+# X_Filename, or X-File-Name to transmit the file name to the server;
+# scan these request headers as well as multipart/form-data file names.
+#
+# This rule is a stricter sibling of rule 933110.
+#
+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
+ "id:933111,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'PHP Injection Attack: PHP Script File Upload Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ tag:'paranoia-level/3',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# [ PHP Closing Tag Found ]
+#
+# http://www.php.net/manual/en/language.basic-syntax.phptags.php
+#
+# This check was extracted from 933100 (paranoia level 1), since the
+# checked sequence '?>' commonly causes false positives.
+# See issue #654 for discussion.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
+ "id:933190,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,\
+ msg:'PHP Injection Attack: PHP Closing Tag Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ tag:'paranoia-level/3',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-933-APPLICATION-ATTACK-PHP"
diff --git a/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf b/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
new file mode 100644
index 0000000..89f495a
--- /dev/null
+++ b/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
@@ -0,0 +1,96 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+
+# [ Insecure unserialization / generic RCE signatures ]
+#
+# Libraries performing insecure unserialization:
+# - node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941)
+# - funcster: __js_function
+#
+# See:
+# https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
+# https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
+#
+# Some generic snippets used:
+# - function() {
+# - new Function(
+# - eval(
+# - String.fromCharCode(
+#
+# Last two are used by nodejsshell.py,
+# https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
+#
+# As base64 is sometimes (but not always) used to encode serialized values,
+# use multiMatch and t:base64decode.
+#
+# Regexp generated from util/regexp-assemble/regexp-934100.data using Regexp::Assemble.
+# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:_(?:\$\$ND_FUNC\$\$_|_js_function)|(?:new\s+Function|\beval)\s*\(|String\s*\.\s*fromCharCode|function\s*\(\s*\)\s*{|this\.constructor)|module\.exports\s*=)" \
+ "id:934100,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:base64Decode,\
+ msg:'Node.js Injection Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-javascript',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'attack-injection-nodejs',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ multiMatch,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
diff --git a/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
new file mode 100644
index 0000000..3b2376b
--- /dev/null
+++ b/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -0,0 +1,885 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.5
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+
+#
+# -=[ Libinjection - XSS Detection ]=-
+#
+# Ref: https://github.com/client9/libinjection
+# Ref: https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss
+#
+# -=[ Targets ]=-
+#
+# 941100: PL1 : REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|
+# REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|
+# ARGS_NAMES|ARGS|XML:/*
+#
+# 941101: PL2 : REQUEST_HEADERS:Referer
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
+ "id:941100,\
+ phase:2,\
+ block,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'XSS Attack Detected via libinjection',\
+ logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ XSS Filters - Category 1 ]=-
+# http://xssplayground.net23.net/xssfilter.html
+# script tag based XSS vectors, e.g.,
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*>[\s\S]*?" \
+ "id:941110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'XSS Filter - Category 1: Script Tag Vector',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ XSS Filters - Category 2 ]=-
+# XSS vectors making use of event handlers like onerror, onload etc, e.g.,
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \
+ "id:941120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'XSS Filter - Category 2: Event Handler Vector',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ XSS Filters - Category 3 ]=-
+#
+# Regexp generated from util/regexp-assemble/regexp-941130.data using Regexp::Assemble.
+# To rebuild the regexp:
+# cd util/regexp-assemble
+# ./regexp-assemble.pl regexp-941130.data
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:!ENTITY\s+(?:\S+|%\s+\S+)\s+(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\/html|pattern\b.*?=|formaction|\@import|;base64)\b" \
+ "id:941130,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'XSS Filter - Category 3: Attribute Vector',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ XSS Filters - Category 4 ]=-
+# XSS vectors making use of javascript uri and tags, e.g.,
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\b[^>]*?>[\s\S]*?|(?:=|U\s*?R\s*?L\s*?\()\s*?[^>]*?\s*?S\s*?C\s*?R\s*?I\s*?P\s*?T\s*?:)" \
+ "id:941140,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'XSS Filter - Category 4: Javascript URI Vector',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ NoScript XSS Filters ]=-
+# Ref: http://noscript.net/
+#
+# [NoScript InjectionChecker] HTML injection
+#
+# Regexp generated from util/regexp-assemble/regexp-941160.data using Regexp::Assemble.
+# To rebuild the regexp:
+# cd util/regexp-assemble
+# ./regexp-assemble.pl regexp-941160.data
+# Note that after assemble an ignore case flag (i) is added to the to the Regexp::Assemble output:
+# Add ignore case flag between '?' and ':': "(?i:...)"
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fullscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ransition(?:cancel|end|run)|ime(?:update|out)|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\s\x08]*?=|<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?(?:(?:a\W*?(?:n\W*?i\W*?m\W*?a\W*?t\W*?e|p\W*?p\W*?l\W*?e\W*?t|u\W*?d\W*?i\W*?o)|b\W*?(?:i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|a\W*?s\W*?e|o\W*?d\W*?y)|i?\W*?f\W*?r\W*?a\W*?m\W*?e|o\W*?b\W*?j\W*?e\W*?c\W*?t|i\W*?m\W*?a?\W*?g\W*?e?|e\W*?m\W*?b\W*?e\W*?d|p\W*?a\W*?r\W*?a\W*?m|v\W*?i\W*?d\W*?e\W*?o|l\W*?i\W*?n\W*?k)[^>\w]|s\W*?(?:c\W*?r\W*?i\W*?p\W*?t|t\W*?y\W*?l\W*?e|e\W*?t[^>\w]|v\W*?g)|m\W*?(?:a\W*?r\W*?q\W*?u\W*?e\W*?e|e\W*?t\W*?a[^>\w])|f\W*?o\W*?r\W*?m))" \
+ "id:941160,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'NoScript XSS InjectionChecker: HTML Injection',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [NoScript InjectionChecker] Attributes injection
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\(" \
+ "id:941170,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'NoScript XSS InjectionChecker: Attribute Injection',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [Blacklist Keywords from Node-Validator]
+# https://raw.github.com/chriso/node-validator/master/validator.js
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write .parentnode .innerhtml window.location -moz-binding .*?(?:@[i\\\\]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\\\\]|&#x?0*(?:40|28|92|5C);?)))" \
+ "id:941190,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'IE XSS Filters - Attack Detected',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
+ "id:941200,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'IE XSS Filters - Attack Detected',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
+ "id:941210,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'IE XSS Filters - Attack Detected',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
+ "id:941220,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'IE XSS Filters - Attack Detected',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]" \
+ "id:941290,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'IE XSS Filters - Attack Detected',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*[\xbe>]|<[^\xbe]*\xbe" \
+ "id:941310,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+ msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-tomcat',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# https://nedbatchelder.com/blog/200704/xss_with_utf7.html
+# UTF-7 encoding XSS filter evasion for IE.
+# Reported by Vladimir Ivanov
+#
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \+ADw-.*(?:\+AD4-|>)|<.*\+AD4-" \
+ "id:941350,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+ msg:'UTF-7 Encoding IE XSS - Attack Detected',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-internet-explorer',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Defend against JSFuck and Hieroglyphy obfuscation of Javascript code
+#
+# https://en.wikipedia.org/wiki/JSFuck
+# https://github.com/alcuadrado/hieroglyphy
+#
+# These JS obfuscations mostly aim for client side XSS exploits, hence the
+# integration of this rule into the XSS rule group. But serverside JS could
+# also be attacked via these techniques.
+#
+# Detection pattern / Core elements of JSFuck and Hieroglyphy are the
+# following two items:
+# !![]
+# !+[]
+#
+# ModSecurity always transforms "+" into " " with query strings and the
+# URLENCODE body processor (but not for JSON). So we need to check for
+# the following patterns:
+# !![]
+# !+[]
+# ! []
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ![!+ ]\[\]" \
+ "id:941360,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'JSFuck / Hieroglyphy obfuscation detected',\
+ logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242/63',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Prevent 941180 bypass by using JavaScript global variables
+# Refer to: https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/
+#
+# Examples:
+# - /?search=/?a=";+alert(self["document"]["cookie"]);//
+# - /?search=/?a=";+document+/*foo*/+.+/*bar*/+cookie;//
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?:self|document|this|top|window)\s*(?:/\*|[\[)]).+?(?:\]|\*/)" \
+ "id:941370,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:compressWhitespace,\
+ msg:'JavaScript global variable found',\
+ logdata:'Matched Data: Suspicious JS global variable found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'attack-xss',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242/63',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+#
+# This is a stricter sibling of rule 941100.
+#
+SecRule REQUEST_HEADERS:Referer "@detectXSS" \
+ "id:941101,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'XSS Attack Detected via libinjection',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ tag:'paranoia-level/2',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ XSS Filters - Category 5 ]=-
+# HTML attributes - src, style and href
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \
+ "id:941150,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ tag:'paranoia-level/2',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.3.5',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+# Detect tags that are the most common direct HTML injection points.
+#
+#
+#