@abtnode/router-provider 1.16.38-beta-20250115-235439-bb5a1c1b → 1.16.38-beta-20250118-033334-2da05ae8

package/lib/nginx/includes/security/crs4/rules/REQUEST-921-PROTOCOL-ATTACK.conf

@@ -0,0 +1,558 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.9.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ HTTP Request Smuggling ]=-
+#
+# [ Rule Logic ]
+# This rule looks for a HTTP / WEBDAV method name in combination with the word http/\d or a CR/LF character.
+# This would point to an attempt to inject a 2nd request into the request, thus bypassing
+# tests carried out on the primary request.
+#
+# [ References ]
+# http://projects.webappsec.org/HTTP-Request-Smuggling
+#
+SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+\s+http/\d" \
+    "id:921110,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:htmlEntityDecode,t:lowercase,\
+    msg:'HTTP Request Smuggling Attack',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272/220/33',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ HTTP Response Splitting ]=-
+#
+# [ Rule Logic ]
+# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
+# These characters may cause problems if the data is returned in a response header and
+# may be interpreted by an intermediary proxy server and treated as two separate
+# responses.
+#
+# [ References ]
+# http://projects.webappsec.org/HTTP-Response-Splitting
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" \
+    "id:921120,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'HTTP Response Splitting Attack',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272/220/34',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \
+    "id:921130,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:htmlEntityDecode,t:lowercase,\
+    msg:'HTTP Response Splitting Attack',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272/220/34',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ HTTP Header Injection ]=-
+#
+# [ Rule Logic ]
+# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters,
+# on their own or in combination with header field names.
+# These characters may cause problems if the data is returned in a response header
+# and interpreted by the client.
+# The rules are similar to rules defending against the HTTP Request Splitting and
+# Request Smuggling rules.
+#
+# [ References ]
+# https://en.wikipedia.org/wiki/HTTP_header_injection
+#
+SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
+    "id:921140,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:htmlEntityDecode,\
+    msg:'HTTP Header Injection Attack via headers',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272/220/273',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# Detect newlines in argument names.
+# Checking for GET arguments has been moved to paranoia level 2 (921151)
+# in order to mitigate possible false positives.
+#
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+SecRule ARGS_NAMES "@rx [\n\r]" \
+    "id:921150,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:htmlEntityDecode,\
+    msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272/220/33',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
+    "id:921160,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:htmlEntityDecode,t:lowercase,\
+    msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272/220/33',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# -=[ HTTP Splitting ]=-
+#
+# This rule detect \n or \r in the REQUEST FILENAME
+# Reference: https://wiki.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
+# Reference: https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf
+#
+SecRule REQUEST_FILENAME "@rx [\n\r]" \
+    "id:921190,\
+    phase:1,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'HTTP Splitting (CR/LF in request filename detected)',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272/220/34',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ LDAP Injection ]=-
+#
+# [ Rule Logic ]
+#
+# This is a rule trying to prevent LDAP injection. It is based on a BlackHat presentation by Alonso Parada
+# and regex writing by Denis Kolegov.
+#
+# [ References ]
+# * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
+# * https://www.sonarsource.com/blog/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
+# * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" \
+    "id:921200,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:htmlEntityDecode,\
+    msg:'LDAP Injection Attack',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-ldap',\
+    tag:'platform-multi',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/248/136',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Body Processor Bypass ]=-
+#
+# [ Rule Logic ]
+#
+# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
+# This prevents bypasses targeting the Modsecurity recommended rules controlling which body processor is used.
+#
+# Regular expression generated from regex-assembly/921421.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 921421
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:application/(?:.+\+)?json|(?:application/(?:soap\+)?|text/)xml)" \
+    "id:921421,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153',\
+    tag:'PCI/12.1',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Rule against CVE-2021-40438:
+# A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user.
+# This issue affects Apache HTTP Server 2.4.48 and earlier.
+# GET /?unix:AAAAAAAAAAAAA|http://coreruleset.org/
+#
+SecRule REQUEST_URI "@rx unix:[^|]*\|" \
+    "id:921240,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:urlDecodeUni,t:lowercase,\
+    msg:'mod_proxy attack attempt detected',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-apache',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272/220/33',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+# Detect newlines in GET argument values.
+# These may point to a HTTP header injection attack, but can also sometimes
+# occur in benign query parameters.
+#
+# See also: rule 921140, 921150
+#
+SecRule ARGS_GET "@rx [\n\r]" \
+    "id:921151,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:htmlEntityDecode,\
+    msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272/220/33',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Body Processor Bypass ]=-
+#
+# [ Rule Logic ]
+#
+# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
+#
+# [ References ]
+# * See rule 921422
+#
+# Regular expression generated from regex-assembly/921422.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 921422
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\+/]))\b" \
+    "id:921422,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153',\
+    tag:'PCI/12.1',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+#
+
+# Forbid Request Range Header
+#
+# It is possible abuse the HTTP Request Range Header to leak error pages
+# and other information in very small snippets.
+# The easiest way to fight this is to deny the use of this header.
+# This is a viable option since the header is only used in rare circumstances
+# anymore.
+# If it is necessary to use it in a certain setup, then it is best to
+# create a rule exclusion for a given URI and this rule ID as a workaround.
+#
+SecRule &REQUEST_HEADERS:Range "@gt 0" \
+    "id:921230,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'HTTP Range Header detected',\
+    logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/3',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272/220',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# -=[ HTTP Parameter Pollution ]=-
+#
+# [ Rule Logic ]
+# These rules look for multiple parameters with the same name.
+# 921170 counts the occurrences of the individual parameters.
+# 921180 checks if any counter is > 1.
+#
+# One HPP attack vector is to try evade signature filters by distributing the
+# attack payload across multiple parameters with the same name.
+# This works as many security devices only apply signatures to individual
+# parameter payloads, however the back-end web application may (in the case
+# of ASP.NET) consolidate all of the payloads into one thus making the
+# attack payload active.
+#
+# [ References ]
+# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
+# https://capec.mitre.org/data/definitions/460.html
+#
+SecRule ARGS_NAMES "@rx ." \
+    "id:921170,\
+    phase:2,\
+    pass,\
+    nolog,\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/137/15/460',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
+
+SecRule TX:/paramcounter_.*/ "@gt 1" \
+    "id:921180,\
+    phase:2,\
+    pass,\
+    msg:'HTTP Parameter Pollution (%{MATCHED_VAR_NAME})',\
+    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/3',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/137/15/460',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# -=[ HTTP Parameter Pollution ]=-
+#
+# [ Rule Logic ]
+# Parameter pollution rule 921180 PL3 can by bypassed when a weak backend parameter
+# parser is ignoring additional characters in a parameter array name after the
+# closing of the array.
+# Rule 921210 PL3 prevents this by disallowing arbitrary strings after an array has
+# been closed or inbetween the square brackets in multidimensional arrays.
+# Please note that rule 921210 allows for 2-dimensional, but not for higher dimensional
+# arrays. If these are flagged as attacks, a rule exclusion will have to be
+# deployed; ideally for the parameter(s) in question.
+#
+# [ References ]
+# Private bug bounty in Spring 2022, findings Z05OZUCH.
+#
+# [ Payloads ]
+# * foo[1]a=bar&foo[1]b=<evil> - parameter parsers often cut after the closing of
+#   the array. 921180 PL3 takes the full name, though.
+#   This impediance mismatch allows for bypasses.
+# * foo[1]x[1]=bar&foo[1]x[2]=<evil> - extension of 1; this has the advantage that
+#   the parameter name does end with "]" just like a valid array notation.
+#
+SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
+    "id:921210,\
+    phase:2,\
+    pass,\
+    log,\
+    msg:'HTTP Parameter Pollution after detecting bogus char after parameter array',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/3',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/137/15/460',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+# -=[ HTTP Parameter Pollution ]=-
+#
+# [ Rule Logic ]
+# Parameter pollution rule 921180 PL3 and 921210 PL3 can by bypassed if a
+# weak backend parameter parser ignores parameter array alltogether at
+# cuts parameter names at the first occurrence of the "[" character.
+# The rule 921220 PL4 prevents this by disallowing parameter array names.
+#
+# If an application needs parameter array names, then this rule should be
+# disabled, ideally by issueing a rule exclusion for the parameter names
+# that need it.
+#
+# [ References ]
+# Private bug bounty in Spring 2022, finding 5UXE4RK0.
+#
+# [ Payloads ]
+# * foo[1]=bar&foo[2]=<evil>
+# * foo=bar&foo[1]=<evil>
+# * foo[1]=bar&foo[1]acb]=<evil> - this is an edge case that 921210 PL3 is not
+#   able to catch since the parameter name ends with "]".
+#
+SecRule ARGS_NAMES "@rx \[" \
+    "id:921220,\
+    phase:2,\
+    pass,\
+    log,\
+    msg:'HTTP Parameter Pollution possible via array notation',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/4',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/137/15/460',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"

package/lib/nginx/includes/security/crs4/rules/REQUEST-922-MULTIPART-ATTACK.conf

@@ -0,0 +1,120 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.9.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+# This file is to address the 3UWMWA6W vulnerability.
+# It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
+# of the security fixes in these versions) or a compatible engine supporting these changes.
+#
+# If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
+# In that case, you can temporarily delete this file. However, you will be missing
+# protection from these rules. Therefore, we recommend upgrading your engine instead.
+
+# The rules in this file will be part of the 920 / 921 in the future.
+
+# Only allow specific charsets when using "_charset_"
+# Note: this is in phase:2 because these are headers that come in the body
+SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
+    "id:922100,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'Multipart content type global _charset_ definition is not allowed by policy',\
+    logdata:'Matched Data: %{ARGS._charset_}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-multipart-header',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
+    chain"
+    SecRule TX:922100_CHARSET "!@within %{tx.allowed_request_content_type_charset}" \
+        "t:lowercase,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# Only allow specific charsets same as Rule 920600
+# Note: this is in phase:2 because these are headers that come in the body
+#
+# Regular expression generated from regex-assembly/922110-chain1.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 922110-chain1
+SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
+    "id:922110,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Illegal MIME Multipart Header content-type: charset parameter',\
+    logdata:'Matched Data: %{TX.1} found within Content-Type multipart form',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/272/220',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule TX:1 "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
+        "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
+# Note: this is in phase:2 because these are headers that come in the body
+SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
+    "id:922120,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\
+    logdata:'Matched Data: %{TX.0}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-deprecated-header',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/272/220',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Multipart header names can't contain any characters outside of range 33 and 126,
+# excluding 58 (':') which is the separator.
+# RFC 2045 refers RFC 822 about the header syntax.
+# Note: this is in phase:2 because these are headers that come in the body
+SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \
+    "id:922130,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Multipart header contains characters outside of valid range',\
+    logdata:'Matched Data: %{TX.0}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-multipart-header',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/272/220',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"