
Untitled

a guest
Sep 18th, 2014
<script>alert(1)</script>

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
SecRuleEngine On


# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On


# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"


# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# Store up to 128 KB of request body data in memory. When the multipart
# parser reaches this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072

# What to do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.

LoadFile /usr/lib/i386-linux-gnu/libxml2.so
LoadFile /usr/lib/i386-linux-gnu/liblua5.1.so

LoadModule security2_module /usr/local/lib/mod_security2.so
<IfModule !mod_security2.c>
error_mod_security_is_not_loaded
</IfModule>

<IfModule mod_security2.c>
Include "/etc/modsecurity/activated_rules/*.conf"
Include /etc/modsecurity/*.conf
</IfModule>

Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "312"] [id "960012"] [rev "1"] [msg "POST request missing Content-Length Header."] [data "0"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"]
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "POST"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Message: Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
Message: Warning. Pattern match "(?i:([\s'"`xc2xb4xe2x80x99xe2x80x98\(\)]*?)\b([\d\w]++)([\s'"`xc2xb4xe2x80x99xe2x80x98\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'"`xc2xb4xe2x80x99xe2x80x98\(\)]*?)\2\b|(?:!=|<=|>=|<>|<|>|\^|is\s+not ..." at ARGS_NAMES:<script>alert(1)</script>. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: script>alert found within ARGS_NAMES:<script>alert(1)</script>: <script>alert(1)</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. Pattern match "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;"\'\xc2xb4\xe2x80x99\xe2x80x98\`\<\>].*?){4,}" at ARGS_NAMES:<script>alert(1)</script>. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: < found within ARGS_NAMES:<script>alert(1)</script>: <script>alert(1)</script>"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Message: Warning. Pattern match "\balert\b\W*?\(" at ARGS_NAMES:<script>alert(1)</script>. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "163"] [id "958052"] [rev "2"] [msg "Cross-site Scripting (XSS) Attack"] [data "Matched Data: alert( found within ARGS_NAMES:<script>alert(1)</script>: <script>alert(1)</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]
Message: Warning. Pattern match "\< ?script\b" at ARGS_NAMES:<script>alert(1)</script>. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "211"] [id "958051"] [rev "2"] [msg "Cross-site Scripting (XSS) Attack"] [data "Matched Data: <script found within ARGS_NAMES:<script>alert(1)</script>: <script>alert(1)</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]
Message: Warning. Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS_NAMES:<script>alert(1)</script>. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "301"] [id "973300"] [rev "2"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <script> found within ARGS_NAMES:<script>alert(1)</script>: <script>alert(1)</script>"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]
Message: Warning. Pattern match "(fromcharcode|alert|eval)\s*\(" at ARGS_NAMES:<script>alert(1)</script>. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "391"] [id "973307"] [rev "2"] [msg "XSS Attack Detected"] [data "Matched Data: alert( found within ARGS_NAMES:<script>alert(1)</script>: <script>alert(1)</script>"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]
Message: Warning. Pattern match "(?i:<script.*?>)" at ARGS_NAMES:<script>alert(1)</script>. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "472"] [id "973331"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: <script> found within ARGS_NAMES:<script>alert(1)</script>: <script>alert(1)</script>"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 33, SQLi=6, XSS=25): IE XSS Filters - Attack Detected."]
Apache-Handler: application/x-httpd-php
Stopwatch: 1410989836928471 21584 (- - -)
Stopwatch2: 1410989836928471 21584; combined=9852, p1=2043, p2=6830, p3=7, p4=532, p5=439, sr=172, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.2.22 (Ubuntu)
Engine-Mode: "ENABLED"

--741c3b08-Z--
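
Added example, not part of the original paste: a small triage script for the "Message:" lines of the audit log above. It reads the bracketed metadata, groups rule ids by CRS tag class so POLICY hits can be reviewed separately from WEB_ATTACK hits, and extracts the totals reported by the correlation rule. The names parse_message, triage and SAMPLE are hypothetical, and SAMPLE is constructed from three of the lines above with some fields trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: three "Message:" lines taken from the paste and trimmed
# (rev/ver/maturity/accuracy and some tags removed) to the fields parsed here.
SAMPLE = r'''
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [msg "Method is not allowed by policy"] [data "POST"] [severity "CRITICAL"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "PCI/12.1"]
Message: Warning. Pattern match "\< ?script\b" at ARGS_NAMES:<script>alert(1)</script>. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "211"] [id "958051"] [msg "Cross-site Scripting (XSS) Attack"] [data "Matched Data: <script found within ARGS_NAMES:<script>alert(1)</script>: <script>alert(1)</script>"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 33, SQLi=6, XSS=25): IE XSS Filters - Attack Detected."]
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
SCORE = re.compile(r'Total Inbound Score: (\d+), SQLi=(\d+), XSS=(\d+)')

def parse_message(line):
    """Return the bracketed metadata of one 'Message:' line, or None."""
    # Parse only from the first [file "..."] field onward: the quoted rule
    # pattern before it can itself contain square brackets and quotes.
    start = line.find(' [file "')
    if not line.startswith('Message: ') or start < 0:
        return None
    alert = {'tags': []}
    for key, value in FIELD.findall(line[start:]):
        if key == 'tag':
            alert['tags'].append(value)   # a line can carry several tags
        else:
            alert[key] = value
    return alert

def triage(text):
    """Group rule ids by CRS tag class and extract the correlated score."""
    groups, score = defaultdict(list), None
    for line in text.splitlines():
        alert = parse_message(line)
        if alert is None:
            continue
        m = SCORE.search(alert.get('msg', ''))
        if m:   # correlation rule: keep its totals, do not count it as a hit
            score = dict(zip(('total', 'sqli', 'xss'), map(int, m.groups())))
            continue
        crs = [t for t in alert['tags'] if t.startswith('OWASP_CRS/')]
        groups[crs[0].split('/')[1] if crs else 'UNTAGGED'].append(alert.get('id'))
    return dict(groups), score

if __name__ == '__main__':
    print(triage(SAMPLE))
```
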