@abtnode/router-provider 1.16.46-beta-20250703-024219-4029ee97 → 1.16.46-beta-20250704-234926-09d872ad

Files changed (35)
  1. package/lib/nginx/includes/security/crs4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf +1 -1
  2. package/lib/nginx/includes/security/crs4/rules/REQUEST-901-INITIALIZATION.conf +42 -40
  3. package/lib/nginx/includes/security/crs4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf +4 -4
  4. package/lib/nginx/includes/security/crs4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf +12 -11
  5. package/lib/nginx/includes/security/crs4/rules/REQUEST-913-SCANNER-DETECTION.conf +12 -11
  6. package/lib/nginx/includes/security/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf +127 -148
  7. package/lib/nginx/includes/security/crs4/rules/REQUEST-921-PROTOCOL-ATTACK.conf +80 -35
  8. package/lib/nginx/includes/security/crs4/rules/REQUEST-922-MULTIPART-ATTACK.conf +12 -6
  9. package/lib/nginx/includes/security/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf +22 -17
  10. package/lib/nginx/includes/security/crs4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf +20 -15
  11. package/lib/nginx/includes/security/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf +254 -86
  12. package/lib/nginx/includes/security/crs4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf +172 -65
  13. package/lib/nginx/includes/security/crs4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf +65 -29
  14. package/lib/nginx/includes/security/crs4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf +114 -78
  15. package/lib/nginx/includes/security/crs4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +182 -120
  16. package/lib/nginx/includes/security/crs4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf +19 -16
  17. package/lib/nginx/includes/security/crs4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +48 -34
  18. package/lib/nginx/includes/security/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf +30 -30
  19. package/lib/nginx/includes/security/crs4/rules/RESPONSE-950-DATA-LEAKAGES.conf +20 -15
  20. package/lib/nginx/includes/security/crs4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf +47 -29
  21. package/lib/nginx/includes/security/crs4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf +15 -36
  22. package/lib/nginx/includes/security/crs4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf +20 -15
  23. package/lib/nginx/includes/security/crs4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf +22 -17
  24. package/lib/nginx/includes/security/crs4/rules/RESPONSE-955-WEB-SHELLS.conf +92 -43
  25. package/lib/nginx/includes/security/crs4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf +30 -30
  26. package/lib/nginx/includes/security/crs4/rules/RESPONSE-980-CORRELATION.conf +23 -23
  27. package/lib/nginx/includes/security/crs4/rules/java-classes.data +11 -0
  28. package/lib/nginx/includes/security/crs4/rules/lfi-os-files.data +227 -15
  29. package/lib/nginx/includes/security/crs4/rules/php-function-names-933150.data +0 -7
  30. package/lib/nginx/includes/security/crs4/rules/restricted-files.data +250 -29
  31. package/lib/nginx/includes/security/crs4/rules/restricted-upload.data +200 -26
  32. package/lib/nginx/includes/security/crs4/rules/unix-shell-builtins.data +20 -0
  33. package/lib/nginx/includes/security/crs4/rules/unix-shell.data +39 -18
  34. package/lib/nginx/includes/security/crs4/rules/web-shells-asp.data +23 -0
  35. package/package.json +9 -9
@@ -1,7 +1,7 @@
1
1
  # ------------------------------------------------------------------------
2
- # OWASP CRS ver.4.9.0
2
+ # OWASP CRS ver.4.16.0
3
3
  # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
4
- # Copyright (c) 2021-2024 CRS project. All rights reserved.
4
+ # Copyright (c) 2021-2025 CRS project. All rights reserved.
5
5
  #
6
6
  # The OWASP CRS is distributed under
7
7
  # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
14
14
 
15
15
 
16
16
 
17
- SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
18
- SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
17
+ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
18
+ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
19
19
  #
20
20
  # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
21
21
  #
@@ -61,8 +61,9 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-12
61
61
  t:none,\
62
62
  nolog,\
63
63
  tag:'OWASP_CRS',\
64
+ tag:'OWASP_CRS/ATTACK-XSS',\
64
65
  ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME,\
65
- ver:'OWASP_CRS/4.9.0'"
66
+ ver:'OWASP_CRS/4.16.0'"
66
67
 
67
68
 
68
69
  #
@@ -73,13 +74,13 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-12
73
74
  #
74
75
  # -=[ Targets ]=-
75
76
  #
76
- # 941100: PL1 : REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|
77
+ # 941100: PL1 : REQUEST_COOKIES|
77
78
  # REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|
78
79
  # ARGS_NAMES|ARGS|XML:/*
79
80
  #
80
81
  # 941101: PL2 : REQUEST_FILENAME|REQUEST_HEADERS:Referer
81
82
  #
82
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
83
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
83
84
  "id:941100,\
84
85
  phase:2,\
85
86
  block,\
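Review bot: The `!REQUEST_COOKIES:/__utm/` exclusion is dropped from the 941100 target list, and from the Targets comment above it, with no replacement, so `__utm*` analytics cookies are now passed to `@detectXSS` at paranoia level 1 with CRITICAL scoring. The same removal repeats in the later hunks for 941110 through 941250. Sites that still set these cookies may see new anomaly-score hits after the upgrade, so the new rule set should run in detection-only mode against real traffic before blocking is enabled. If hits appear, a local exclusion keyed on the new `OWASP_CRS/ATTACK-XSS` tag, in the style of 941010's `ctl:ruleRemoveTargetByTag=...`, would restore the old behaviour. The action list of 941100 continues outside this hunk.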
@@ -93,8 +94,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
93
94
  tag:'xss-perf-disable',\
94
95
  tag:'paranoia-level/1',\
95
96
  tag:'OWASP_CRS',\
97
+ tag:'OWASP_CRS/ATTACK-XSS',\
96
98
  tag:'capec/1000/152/242',\
97
- ver:'OWASP_CRS/4.9.0',\
99
+ ver:'OWASP_CRS/4.16.0',\
98
100
  severity:'CRITICAL',\
99
101
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
100
102
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -105,7 +107,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
105
107
  # http://xssplayground.net23.net/xssfilter.html
106
108
  # script tag based XSS vectors, e.g., <script> alert(1)</script>
107
109
  #
108
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<script[^>]*>[\s\S]*?" \
110
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<script[^>]*>[\s\S]*?" \
109
111
  "id:941110,\
110
112
  phase:2,\
111
113
  block,\
@@ -120,8 +122,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
120
122
  tag:'xss-perf-disable',\
121
123
  tag:'paranoia-level/1',\
122
124
  tag:'OWASP_CRS',\
125
+ tag:'OWASP_CRS/ATTACK-XSS',\
123
126
  tag:'capec/1000/152/242',\
124
- ver:'OWASP_CRS/4.9.0',\
127
+ ver:'OWASP_CRS/4.16.0',\
125
128
  severity:'CRITICAL',\
126
129
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
127
130
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -135,7 +138,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
135
138
  # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
136
139
  # crs-toolchain regex update 941130
137
140
  #
138
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\b.*?=)|!ENTITY[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\b" \
141
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:(?:x(?:link:href|html|mlns)|data:text/html|formaction)\b|pattern[\s\x0b]*=)|(?:!ENTITY[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\b)" \
139
142
  "id:941130,\
140
143
  phase:2,\
141
144
  block,\
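Review bot: The regenerated 941130 expression changes what the `pattern` alternative matches, and nothing in the rule's comment block records it. The old form `pattern\b.*?=` allowed arbitrary text between `pattern` and `=` and fell under the trailing `\b`. The new form `pattern[\s\x0b]*=` allows only whitespace and no longer requires a word character after `=`. Since this is a CRITICAL PL1 rule, a comment above the `SecRule` such as `# 'pattern' is matched only when followed by optional whitespace and '='` would tell operators why hits on this rule may shift after the upgrade. The rule's action list continues outside this hunk.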
@@ -150,8 +153,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
150
153
  tag:'xss-perf-disable',\
151
154
  tag:'paranoia-level/1',\
152
155
  tag:'OWASP_CRS',\
156
+ tag:'OWASP_CRS/ATTACK-XSS',\
153
157
  tag:'capec/1000/152/242',\
154
- ver:'OWASP_CRS/4.9.0',\
158
+ ver:'OWASP_CRS/4.16.0',\
155
159
  severity:'CRITICAL',\
156
160
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
157
161
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -164,7 +168,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
164
168
  # https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#behaviors-for-older-modes-of-ie
165
169
  # examples: https://regex101.com/r/FFEpsh/1
166
170
  #
167
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\(javascript" \
171
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\(javascript" \
168
172
  "id:941140,\
169
173
  phase:2,\
170
174
  block,\
@@ -179,8 +183,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
179
183
  tag:'xss-perf-disable',\
180
184
  tag:'paranoia-level/1',\
181
185
  tag:'OWASP_CRS',\
186
+ tag:'OWASP_CRS/ATTACK-XSS',\
182
187
  tag:'capec/1000/152/242',\
183
- ver:'OWASP_CRS/4.9.0',\
188
+ ver:'OWASP_CRS/4.16.0',\
184
189
  severity:'CRITICAL',\
185
190
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
186
191
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -197,7 +202,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
197
202
  # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
198
203
  # crs-toolchain regex update 941160
199
204
  #
200
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\x0b/]|[\"'](?:.*[\s\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?
:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|q
uest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|(?:playbacktargetavailabilitychange|transitionen)d)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f\r ]*?=" \
205
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z][^\s\x0b/]*[\s\x0b/]|[\"'](?:[^\s\x0b/]*[\s\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|
pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(
?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|(?:playbacktargetavailabilitychange|transitionen)d)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f\r ]*?=" \
201
206
  "id:941160,\
202
207
  phase:2,\
203
208
  block,\
@@ -212,8 +217,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
212
217
  tag:'xss-perf-disable',\
213
218
  tag:'paranoia-level/1',\
214
219
  tag:'OWASP_CRS',\
220
+ tag:'OWASP_CRS/ATTACK-XSS',\
215
221
  tag:'capec/1000/152/242',\
216
- ver:'OWASP_CRS/4.9.0',\
222
+ ver:'OWASP_CRS/4.16.0',\
217
223
  severity:'CRITICAL',\
218
224
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
219
225
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -222,7 +228,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
222
228
  #
223
229
  # [NoScript InjectionChecker] Attributes injection
224
230
  #
225
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\x5c\(\[\.<]|[\s\S]*?(?:\bname\b|\x5c[ux]\d))|data:(?:(?:[a-z]\w+/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|[^-]*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[^:]*?:\W*?u\W*?r\W*?l[\s\S]*?\(" \
231
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\x5c\(\[\.<]|[\s\S]*?(?:\bname\b|\x5c[ux]\d))|data:(?:(?:[a-z]\w+/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|[^-]*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[^:]*?:\W*?u\W*?r\W*?l[\s\S]*?\(" \
226
232
  "id:941170,\
227
233
  phase:2,\
228
234
  block,\
@@ -237,8 +243,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
237
243
  tag:'xss-perf-disable',\
238
244
  tag:'paranoia-level/1',\
239
245
  tag:'OWASP_CRS',\
246
+ tag:'OWASP_CRS/ATTACK-XSS',\
240
247
  tag:'capec/1000/152/242',\
241
- ver:'OWASP_CRS/4.9.0',\
248
+ ver:'OWASP_CRS/4.16.0',\
242
249
  severity:'CRITICAL',\
243
250
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
244
251
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -249,7 +256,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
249
256
  # https://github.com/validatorjs/validator.js/
250
257
  # This rule has a stricter sibling 941181 (PL2) that covers the additional payload "-->"
251
258
  #
252
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[" \
259
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@pm document.cookie document.domain document.querySelector document.body.appendChild document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[" \
253
260
  "id:941180,\
254
261
  phase:2,\
255
262
  block,\
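Review bot: The two phrases added to the `@pm` list of 941180, `document.querySelector` and `document.body.appendChild`, are ordinary DOM API names, and any occurrence in `ARGS`, `ARGS_NAMES`, cookies or `REQUEST_FILENAME` now scores as CRITICAL at paranoia level 1. Applications behind this router that legitimately accept JavaScript or HTML source in request fields should be exercised in detection-only mode before the upgrade is enforced. A short comment above the rule, for example `# NOTE: these @pm phrases also occur in legitimate JavaScript; add a per-endpoint exclusion where source code is accepted`, would make the trade-off visible to whoever tunes the rule. The rule's action list continues outside this hunk.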
@@ -264,8 +271,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
264
271
  tag:'xss-perf-disable',\
265
272
  tag:'paranoia-level/1',\
266
273
  tag:'OWASP_CRS',\
274
+ tag:'OWASP_CRS/ATTACK-XSS',\
267
275
  tag:'capec/1000/152/242',\
268
- ver:'OWASP_CRS/4.9.0',\
276
+ ver:'OWASP_CRS/4.16.0',\
269
277
  severity:'CRITICAL',\
270
278
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
271
279
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -276,7 +284,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
276
284
  # Ref: http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
277
285
  # Ref: http://xss.cx/examples/ie/internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.txt
278
286
  #
279
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<style.*?>.*?(?:@[i\x5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\x5c]|&#x?0*(?:40|28|92|5C);?)))" \
287
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<style.*?>.*?(?:@[i\x5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\x5c]|&#x?0*(?:40|28|92|5C);?)))" \
280
288
  "id:941190,\
281
289
  phase:2,\
282
290
  block,\
@@ -291,14 +299,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
291
299
  tag:'xss-perf-disable',\
292
300
  tag:'paranoia-level/1',\
293
301
  tag:'OWASP_CRS',\
302
+ tag:'OWASP_CRS/ATTACK-XSS',\
294
303
  tag:'capec/1000/152/242',\
295
- ver:'OWASP_CRS/4.9.0',\
304
+ ver:'OWASP_CRS/4.16.0',\
296
305
  severity:'CRITICAL',\
297
306
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
298
307
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
299
308
 
300
309
 
301
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
310
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
302
311
  "id:941200,\
303
312
  phase:2,\
304
313
  block,\
@@ -313,20 +322,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
313
322
  tag:'xss-perf-disable',\
314
323
  tag:'paranoia-level/1',\
315
324
  tag:'OWASP_CRS',\
325
+ tag:'OWASP_CRS/ATTACK-XSS',\
316
326
  tag:'capec/1000/152/242',\
317
- ver:'OWASP_CRS/4.9.0',\
327
+ ver:'OWASP_CRS/4.16.0',\
318
328
  severity:'CRITICAL',\
319
329
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
320
330
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
321
331
 
322
332
 
323
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
333
+ # This rule tries to match all the possible ways to write 'javascript' using
334
+ # html entities, and javascript escape sequences.
335
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
324
336
  "id:941210,\
325
337
  phase:2,\
326
338
  block,\
327
339
  capture,\
328
340
  t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
329
- msg:'IE XSS Filters - Attack Detected',\
341
+ msg:'Javascript Word Detected',\
330
342
  logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
331
343
  tag:'application-multi',\
332
344
  tag:'language-multi',\
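Review bot: The `msg` of rule 941210 changes from `'IE XSS Filters - Attack Detected'` to `'Javascript Word Detected'` while the id stays the same, so any log parser, alert or dashboard that matches on the old message text will silently stop matching after the upgrade. Detections are better keyed on `id:941210` or on the newly added `OWASP_CRS/ATTACK-XSS` tag, which stay stable across message rewording. In the added comment, `html entities, and javascript escape sequences` would read better as `HTML entities and JavaScript escape sequences`. The action list of 941210 continues outside this hunk.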
@@ -335,14 +347,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
335
347
  tag:'xss-perf-disable',\
336
348
  tag:'paranoia-level/1',\
337
349
  tag:'OWASP_CRS',\
350
+ tag:'OWASP_CRS/ATTACK-XSS',\
338
351
  tag:'capec/1000/152/242',\
339
- ver:'OWASP_CRS/4.9.0',\
352
+ ver:'OWASP_CRS/4.16.0',\
340
353
  severity:'CRITICAL',\
341
354
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
342
355
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
343
356
 
344
357
 
345
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
358
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
346
359
  "id:941220,\
347
360
  phase:2,\
348
361
  block,\
@@ -357,14 +370,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
357
370
  tag:'xss-perf-disable',\
358
371
  tag:'paranoia-level/1',\
359
372
  tag:'OWASP_CRS',\
373
+ tag:'OWASP_CRS/ATTACK-XSS',\
360
374
  tag:'capec/1000/152/242',\
361
- ver:'OWASP_CRS/4.9.0',\
375
+ ver:'OWASP_CRS/4.16.0',\
362
376
  severity:'CRITICAL',\
363
377
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
364
378
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
365
379
 
366
380
 
367
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<EMBED[\s/+].*?(?:src|type).*?=" \
381
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<EMBED[\s/+].*?(?:src|type).*?=" \
368
382
  "id:941230,\
369
383
  phase:2,\
370
384
  block,\
@@ -379,14 +393,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
379
393
  tag:'xss-perf-disable',\
380
394
  tag:'paranoia-level/1',\
381
395
  tag:'OWASP_CRS',\
396
+ tag:'OWASP_CRS/ATTACK-XSS',\
382
397
  tag:'capec/1000/152/242',\
383
- ver:'OWASP_CRS/4.9.0',\
398
+ ver:'OWASP_CRS/4.16.0',\
384
399
  severity:'CRITICAL',\
385
400
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
386
401
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
387
402
 
388
403
 
389
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx <[?]?import[\s/+\S]*?implementation[\s/+]*?=" \
404
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx <[?]?import[\s/+\S]*?implementation[\s/+]*?=" \
390
405
  "id:941240,\
391
406
  phase:2,\
392
407
  block,\
@@ -401,14 +416,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
401
416
  tag:'xss-perf-disable',\
402
417
  tag:'paranoia-level/1',\
403
418
  tag:'OWASP_CRS',\
419
+ tag:'OWASP_CRS/ATTACK-XSS',\
404
420
  tag:'capec/1000/152/242',\
405
- ver:'OWASP_CRS/4.9.0',\
421
+ ver:'OWASP_CRS/4.16.0',\
406
422
  severity:'CRITICAL',\
407
423
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
408
424
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
409
425
 
410
426
 
411
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" \
427
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" \
412
428
  "id:941250,\
413
429
  phase:2,\
414
430
  block,\
@@ -423,14 +439,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
423
439
  tag:'xss-perf-disable',\
424
440
  tag:'paranoia-level/1',\
425
441
  tag:'OWASP_CRS',\
442
+ tag:'OWASP_CRS/ATTACK-XSS',\
426
443
  tag:'capec/1000/152/242',\
427
- ver:'OWASP_CRS/4.9.0',\
444
+ ver:'OWASP_CRS/4.16.0',\
428
445
  severity:'CRITICAL',\
429
446
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
430
447
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
431
448
 
432
449
 
433
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<META[\s/+].*?charset[\s/+]*=)" \
450
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<META[\s/+].*?charset[\s/+]*=)" \
434
451
  "id:941260,\
435
452
  phase:2,\
436
453
  block,\
@@ -445,14 +462,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
445
462
  tag:'xss-perf-disable',\
446
463
  tag:'paranoia-level/1',\
447
464
  tag:'OWASP_CRS',\
465
+ tag:'OWASP_CRS/ATTACK-XSS',\
448
466
  tag:'capec/1000/152/242',\
449
- ver:'OWASP_CRS/4.9.0',\
467
+ ver:'OWASP_CRS/4.16.0',\
450
468
  severity:'CRITICAL',\
451
469
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
452
470
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
453
471
 
454
472
 
455
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<LINK[\s/+].*?href[\s/+]*=" \
473
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<LINK[\s/+].*?href[\s/+]*=" \
456
474
  "id:941270,\
457
475
  phase:2,\
458
476
  block,\
@@ -467,14 +485,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
467
485
  tag:'xss-perf-disable',\
468
486
  tag:'paranoia-level/1',\
469
487
  tag:'OWASP_CRS',\
488
+ tag:'OWASP_CRS/ATTACK-XSS',\
470
489
  tag:'capec/1000/152/242',\
471
- ver:'OWASP_CRS/4.9.0',\
490
+ ver:'OWASP_CRS/4.16.0',\
472
491
  severity:'CRITICAL',\
473
492
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
474
493
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
475
494
 
476
495
 
477
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<BASE[\s/+].*?href[\s/+]*=" \
496
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<BASE[\s/+].*?href[\s/+]*=" \
478
497
  "id:941280,\
479
498
  phase:2,\
480
499
  block,\
@@ -489,14 +508,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
489
508
  tag:'xss-perf-disable',\
490
509
  tag:'paranoia-level/1',\
491
510
  tag:'OWASP_CRS',\
511
+ tag:'OWASP_CRS/ATTACK-XSS',\
492
512
  tag:'capec/1000/152/242',\
493
- ver:'OWASP_CRS/4.9.0',\
513
+ ver:'OWASP_CRS/4.16.0',\
494
514
  severity:'CRITICAL',\
495
515
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
496
516
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
497
517
 
498
518
 
499
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<APPLET[\s/+>]" \
519
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<APPLET[\s/+>]" \
500
520
  "id:941290,\
501
521
  phase:2,\
502
522
  block,\
@@ -511,14 +531,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
511
531
  tag:'xss-perf-disable',\
512
532
  tag:'paranoia-level/1',\
513
533
  tag:'OWASP_CRS',\
534
+ tag:'OWASP_CRS/ATTACK-XSS',\
514
535
  tag:'capec/1000/152/242',\
515
- ver:'OWASP_CRS/4.9.0',\
536
+ ver:'OWASP_CRS/4.16.0',\
516
537
  severity:'CRITICAL',\
517
538
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
518
539
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
519
540
 
520
541
 
521
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<OBJECT[\s/+].*?(?:type|codetype|classid|code|data)[\s/+]*=" \
542
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<OBJECT[\s/+].*?(?:type|codetype|classid|code|data)[\s/+]*=" \
522
543
  "id:941300,\
523
544
  phase:2,\
524
545
  block,\
@@ -533,8 +554,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
533
554
  tag:'xss-perf-disable',\
534
555
  tag:'paranoia-level/1',\
535
556
  tag:'OWASP_CRS',\
557
+ tag:'OWASP_CRS/ATTACK-XSS',\
536
558
  tag:'capec/1000/152/242',\
537
- ver:'OWASP_CRS/4.9.0',\
559
+ ver:'OWASP_CRS/4.16.0',\
538
560
  severity:'CRITICAL',\
539
561
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
540
562
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -578,7 +600,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
578
600
  # US-ASCII on Wikipedia: https://en.wikipedia.org/wiki/ASCII
579
601
  # ISO 8859-1 on Wikipedia: https://en.wikipedia.org/wiki/ISO/IEC_8859-1
580
602
 
581
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \
603
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \
582
604
  "id:941310,\
583
605
  phase:2,\
584
606
  block,\
@@ -593,8 +615,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
593
615
  tag:'xss-perf-disable',\
594
616
  tag:'paranoia-level/1',\
595
617
  tag:'OWASP_CRS',\
618
+ tag:'OWASP_CRS/ATTACK-XSS',\
596
619
  tag:'capec/1000/152/242',\
597
- ver:'OWASP_CRS/4.9.0',\
620
+ ver:'OWASP_CRS/4.16.0',\
598
621
  severity:'CRITICAL',\
599
622
  chain"
600
623
  SecRule MATCHED_VARS "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
@@ -607,7 +630,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
607
630
  # Reported by Vladimir Ivanov
608
631
  #
609
632
 
610
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx \+ADw-.*(?:\+AD4-|>)|<.*\+AD4-" \
633
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx \+ADw-.*(?:\+AD4-|>)|<.*\+AD4-" \
611
634
  "id:941350,\
612
635
  phase:2,\
613
636
  block,\
@@ -622,8 +645,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
622
645
  tag:'xss-perf-disable',\
623
646
  tag:'paranoia-level/1',\
624
647
  tag:'OWASP_CRS',\
648
+ tag:'OWASP_CRS/ATTACK-XSS',\
625
649
  tag:'capec/1000/152/242',\
626
- ver:'OWASP_CRS/4.9.0',\
650
+ ver:'OWASP_CRS/4.16.0',\
627
651
  severity:'CRITICAL',\
628
652
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
629
653
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -650,7 +674,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
650
674
  # !+[]
651
675
  # ! []
652
676
 
653
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx ![!+ ]\[\]" \
677
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx ![!+ ]\[\]" \
654
678
  "id:941360,\
655
679
  phase:2,\
656
680
  block,\
@@ -664,8 +688,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
664
688
  tag:'xss-perf-disable',\
665
689
  tag:'paranoia-level/1',\
666
690
  tag:'OWASP_CRS',\
691
+ tag:'OWASP_CRS/ATTACK-XSS',\
667
692
  tag:'capec/1000/152/242/63',\
668
- ver:'OWASP_CRS/4.9.0',\
693
+ ver:'OWASP_CRS/4.16.0',\
669
694
  severity:'CRITICAL',\
670
695
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
671
696
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -678,7 +703,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
678
703
  # - /?search=/?a=";+alert(self["document"]["cookie"]);//
679
704
  # - /?search=/?a=";+document+/*foo*/+.+/*bar*/+cookie;//
680
705
  #
681
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?:self|document|this|top|window)\s*(?:/\*|[\[)]).+?(?:\]|\*/)" \
706
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?:self|document|this|top|window)\s*(?:/\*|[\[)]).+?(?:\]|\*/)" \
682
707
  "id:941370,\
683
708
  phase:2,\
684
709
  block,\
@@ -692,8 +717,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
692
717
  tag:'xss-perf-disable',\
693
718
  tag:'paranoia-level/1',\
694
719
  tag:'OWASP_CRS',\
720
+ tag:'OWASP_CRS/ATTACK-XSS',\
695
721
  tag:'capec/1000/152/242/63',\
696
- ver:'OWASP_CRS/4.9.0',\
722
+ ver:'OWASP_CRS/4.16.0',\
697
723
  severity:'CRITICAL',\
698
724
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
699
725
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -710,7 +736,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
710
736
  # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
711
737
  # crs-toolchain regex update 941390
712
738
  #
713
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\x0b]*\(" \
739
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|(?:promp|impor)t|con(?:firm|sole\.(?:log|dir))|fetch)[\s\x0b]*[\(\{]" \
714
740
  "id:941390,\
715
741
  phase:2,\
716
742
  block,\
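Review bot: The new 941390 pattern is noticeably wider than the old one, so it can raise false positives on ordinary text. It adds `import`, `console.log`/`console.dir` and `fetch` to the keyword list and accepts `{` as well as `(` after the keyword, while still applying to ARGS, ARGS_NAMES and cookies. Free-text or code-carrying fields that contain strings such as `import {` or `console.log(` will now match where they did not under 4.9.0. Run the upgraded rules with `SecRuleEngine DetectionOnly` against representative traffic before enforcing. Where a parameter legitimately carries such text, add a narrow exclusion such as `SecRuleUpdateTargetById 941390 "!ARGS:<param-name>"` rather than disabling the rule. The rule's comment header and its remaining actions lie outside this hunk, so whether the new keywords are documented there cannot be confirmed from here.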
@@ -724,8 +750,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
724
750
  tag:'xss-perf-disable',\
725
751
  tag:'paranoia-level/1',\
726
752
  tag:'OWASP_CRS',\
753
+ tag:'OWASP_CRS/ATTACK-XSS',\
727
754
  tag:'capec/1000/152/242',\
728
- ver:'OWASP_CRS/4.9.0',\
755
+ ver:'OWASP_CRS/4.16.0',\
729
756
  severity:'CRITICAL',\
730
757
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
731
758
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -740,7 +767,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
740
767
  # [].map.call`${eval}\\u{61}lert\x281337\x29`
741
768
  # Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
742
769
  #
743
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx ((?:\[[^\]]*\][^.]*\.)|Reflect[^.]*\.).*(?:map|sort|apply)[^.]*\..*call[^`]*`.*`" \
770
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx ((?:\[[^\]]*\][^.]*\.)|Reflect[^.]*\.).*(?:map|sort|apply)[^.]*\..*call[^`]*`.*`" \
744
771
  "id:941400,\
745
772
  phase:2,\
746
773
  block,\
@@ -754,15 +781,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
754
781
  tag:'xss-perf-disable',\
755
782
  tag:'paranoia-level/1',\
756
783
  tag:'OWASP_CRS',\
784
+ tag:'OWASP_CRS/ATTACK-XSS',\
757
785
  tag:'capec/1000/152/242',\
758
- ver:'OWASP_CRS/4.9.0',\
786
+ ver:'OWASP_CRS/4.16.0',\
759
787
  severity:'CRITICAL',\
760
788
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
761
789
  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
762
790
 
763
791
 
764
- SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
765
- SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
792
+ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
793
+ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
766
794
  #
767
795
  # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
768
796
  #
@@ -785,8 +813,9 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
785
813
  tag:'xss-perf-disable',\
786
814
  tag:'paranoia-level/2',\
787
815
  tag:'OWASP_CRS',\
816
+ tag:'OWASP_CRS/ATTACK-XSS',\
788
817
  tag:'capec/1000/152/242',\
789
- ver:'OWASP_CRS/4.9.0',\
818
+ ver:'OWASP_CRS/4.16.0',\
790
819
  severity:'CRITICAL',\
791
820
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
792
821
  setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -804,7 +833,7 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
804
833
  #
805
834
  # This rule has been moved to PL2 since it has a tendency to trigger on random input.
806
835
  #
807
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,50}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]" \
836
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,50}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]" \
808
837
  "id:941120,\
809
838
  phase:2,\
810
839
  block,\
@@ -819,8 +848,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
819
848
  tag:'xss-perf-disable',\
820
849
  tag:'paranoia-level/2',\
821
850
  tag:'OWASP_CRS',\
851
+ tag:'OWASP_CRS/ATTACK-XSS',\
822
852
  tag:'capec/1000/152/242',\
823
- ver:'OWASP_CRS/4.9.0',\
853
+ ver:'OWASP_CRS/4.16.0',\
824
854
  severity:'CRITICAL',\
825
855
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
826
856
  setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -830,7 +860,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
830
860
  # -=[ XSS Filters - Category 5 ]=-
831
861
  # HTML attributes - src, style and href
832
862
  #
833
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \
863
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \
834
864
  "id:941150,\
835
865
  phase:2,\
836
866
  block,\
@@ -845,8 +875,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
845
875
  tag:'xss-perf-disable',\
846
876
  tag:'paranoia-level/2',\
847
877
  tag:'OWASP_CRS',\
878
+ tag:'OWASP_CRS/ATTACK-XSS',\
848
879
  tag:'capec/1000/152/242',\
849
- ver:'OWASP_CRS/4.9.0',\
880
+ ver:'OWASP_CRS/4.16.0',\
850
881
  severity:'CRITICAL',\
851
882
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
852
883
  setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -858,7 +889,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
858
889
  # https://github.com/validatorjs/validator.js/
859
890
  # This rule is a stricter sibling of 941180 (PL1)
860
891
  #
861
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@contains -->" \
892
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@contains -->" \
862
893
  "id:941181,\
863
894
  phase:2,\
864
895
  block,\
@@ -873,8 +904,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
873
904
  tag:'xss-perf-disable',\
874
905
  tag:'paranoia-level/2',\
875
906
  tag:'OWASP_CRS',\
907
+ tag:'OWASP_CRS/ATTACK-XSS',\
876
908
  tag:'capec/1000/152/242',\
877
- ver:'OWASP_CRS/4.9.0',\
909
+ ver:'OWASP_CRS/4.16.0',\
878
910
  severity:'CRITICAL',\
879
911
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
880
912
  setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -945,7 +977,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
945
977
  # This rule is also triggered by the following exploit(s):
946
978
  # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
947
979
  #
948
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
980
+ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
949
981
  "id:941320,\
950
982
  phase:2,\
951
983
  block,\
@@ -960,14 +992,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
960
992
  tag:'xss-perf-disable',\
961
993
  tag:'paranoia-level/2',\
962
994
  tag:'OWASP_CRS',\
995
+ tag:'OWASP_CRS/ATTACK-XSS',\
963
996
  tag:'capec/1000/152/242/63',\
964
997
  tag:'PCI/6.5.1',\
965
- ver:'OWASP_CRS/4.9.0',\
998
+ ver:'OWASP_CRS/4.16.0',\
966
999
  severity:'CRITICAL',\
967
1000
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
968
1001
  setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
969
1002
 
970
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\x5cu006C)(?:o|\x5cu006F)(?:c|\x5cu0063)(?:a|\x5cu0061)(?:t|\x5cu0074)(?:i|\x5cu0069)(?:o|\x5cu006F)(?:n|\x5cu006E)|(?:n|\x5cu006E)(?:a|\x5cu0061)(?:m|\x5cu006D)(?:e|\x5cu0065)|(?:o|\x5cu006F)(?:n|\x5cu006E)(?:e|\x5cu0065)(?:r|\x5cu0072)(?:r|\x5cu0072)(?:o|\x5cu006F)(?:r|\x5cu0072)|(?:v|\x5cu0076)(?:a|\x5cu0061)(?:l|\x5cu006C)(?:u|\x5cu0075)(?:e|\x5cu0065)(?:O|\x5cu004F)(?:f|\x5cu0066)).*?=)" \
1003
+ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\x5cu006C)(?:o|\x5cu006F)(?:c|\x5cu0063)(?:a|\x5cu0061)(?:t|\x5cu0074)(?:i|\x5cu0069)(?:o|\x5cu006F)(?:n|\x5cu006E)|(?:n|\x5cu006E)(?:a|\x5cu0061)(?:m|\x5cu006D)(?:e|\x5cu0065)|(?:o|\x5cu006F)(?:n|\x5cu006E)(?:e|\x5cu0065)(?:r|\x5cu0072)(?:r|\x5cu0072)(?:o|\x5cu006F)(?:r|\x5cu0072)|(?:v|\x5cu0076)(?:a|\x5cu0061)(?:l|\x5cu006C)(?:u|\x5cu0075)(?:e|\x5cu0065)(?:O|\x5cu004F)(?:f|\x5cu0066)).*?=)" \
971
1004
  "id:941330,\
972
1005
  phase:2,\
973
1006
  block,\
@@ -982,9 +1015,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
982
1015
  tag:'xss-perf-disable',\
983
1016
  tag:'paranoia-level/2',\
984
1017
  tag:'OWASP_CRS',\
1018
+ tag:'OWASP_CRS/ATTACK-XSS',\
985
1019
  tag:'capec/1000/152/242',\
986
1020
  tag:'PCI/6.5.1',\
987
- ver:'OWASP_CRS/4.9.0',\
1021
+ ver:'OWASP_CRS/4.16.0',\
988
1022
  severity:'CRITICAL',\
989
1023
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
990
1024
  setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -992,7 +1026,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
992
1026
  # This rule is also triggered by the following exploit(s):
993
1027
  # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
994
1028
  #
995
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" \
1029
+ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" \
996
1030
  "id:941340,\
997
1031
  phase:2,\
998
1032
  block,\
@@ -1007,9 +1041,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
1007
1041
  tag:'xss-perf-disable',\
1008
1042
  tag:'paranoia-level/2',\
1009
1043
  tag:'OWASP_CRS',\
1044
+ tag:'OWASP_CRS/ATTACK-XSS',\
1010
1045
  tag:'capec/1000/152/242',\
1011
1046
  tag:'PCI/6.5.1',\
1012
- ver:'OWASP_CRS/4.9.0',\
1047
+ ver:'OWASP_CRS/4.16.0',\
1013
1048
  severity:'CRITICAL',\
1014
1049
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
1015
1050
  setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1027,7 +1062,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
1027
1062
  # Decoded argument:
1028
1063
  # {{constructor.constructor('alert(1)')()}}
1029
1064
  #
1030
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx {{.*?}}" \
1065
+ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx {{.*?}}" \
1031
1066
  "id:941380,\
1032
1067
  phase:2,\
1033
1068
  block,\
@@ -1041,24 +1076,25 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
1041
1076
  tag:'xss-perf-disable',\
1042
1077
  tag:'paranoia-level/2',\
1043
1078
  tag:'OWASP_CRS',\
1079
+ tag:'OWASP_CRS/ATTACK-XSS',\
1044
1080
  tag:'capec/1000/152/242/63',\
1045
- ver:'OWASP_CRS/4.9.0',\
1081
+ ver:'OWASP_CRS/4.16.0',\
1046
1082
  severity:'CRITICAL',\
1047
1083
  setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
1048
1084
  setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
1049
1085
 
1050
1086
 
1051
1087
 
1052
- SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
1053
- SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
1088
+ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
1089
+ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
1054
1090
  #
1055
1091
  # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
1056
1092
  #
1057
1093
 
1058
1094
 
1059
1095
 
1060
- SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
1061
- SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
1096
+ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
1097
+ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
1062
1098
  #
1063
1099
  # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
1064
1100
  #