
Open Web Application Security (OWASP) Rules


OWASP Rules

OWASP 3.0

General

TABLE 17
| RuleId | Description |
|--------|-------------|
| 200004 | Possible Multipart Unmatched Boundary. |

REQUEST-911-METHOD-ENFORCEMENT

TABLE 18
| RuleId | Description |
|--------|-------------|
| 911100 | Method is not allowed by policy |

REQUEST-913-SCANNER-DETECTION

TABLE 19
| RuleId | Description |
|--------|-------------|
| 913100 | Found User-Agent associated with security scanner |
| 913110 | Found request header associated with security scanner |
| 913120 | Found request filename/argument associated with security scanner |
| 913101 | Found User-Agent associated with scripting/generic HTTP client |
| 913102 | Found User-Agent associated with web crawler/bot |

REQUEST-920-PROTOCOL-ENFORCEMENT

TABLE 20
| RuleId | Description |
|--------|-------------|
| 920100 | Invalid HTTP Request Line |
| 920130 | Failed to parse request body. |
| 920140 | Multipart request body failed strict validation |
| 920160 | Content-Length HTTP header is not numeric. |
| 920170 | GET or HEAD Request with Body Content. |
| 920180 | POST request missing Content-Length Header. |
| 920190 | Range = Invalid Last Byte Value. |
| 920210 | Multiple/Conflicting Connection Header Data Found. |
| 920220 | URL Encoding Abuse Attack Attempt |
| 920240 | URL Encoding Abuse Attack Attempt |
| 920250 | UTF8 Encoding Abuse Attack Attempt |
| 920260 | Unicode Full/Half Width Abuse Attack Attempt |
| 920270 | Invalid character in request (null character) |
| 920280 | Request Missing a Host Header |
| 920290 | Empty Host Header |
| 920310 | Request Has an Empty Accept Header |
| 920311 | Request Has an Empty Accept Header |
| 920330 | Empty User Agent Header |
| 920340 | Request Containing Content but Missing Content-Type header |
| 920350 | Host header is a numeric IP address |
| 920380 | Too many arguments in request |
| 920360 | Argument name too long |
| 920370 | Argument value too long |
| 920390 | Total arguments size exceeded |
| 920400 | Uploaded file size too large |
| 920410 | Total uploaded files size too large |
| 920420 | Request content type is not allowed by policy |
| 920430 | HTTP protocol version is not allowed by policy |
| 920440 | URL file extension is restricted by policy |
| 920450 | HTTP header is restricted by policy (%@{MATCHED_VAR}) |
| 920200 | Range = Too many fields (6 or more) |
| 920201 | Range = Too many fields for pdf request (35 or more) |
| 920230 | Multiple URL Encoding Detected |
| 920300 | Request Missing an Accept Header |
| 920271 | Invalid character in request (non printable characters) |
| 920320 | Missing User Agent Header |
| 920272 | Invalid character in request (outside of printable chars below ascii 127) |
| 920202 | Range = Too many fields for pdf request (6 or more) |
| 920273 | Invalid character in request (outside of very strict set) |
| 920274 | Invalid character in request headers (outside of very strict set) |
| 920460 | Abnormal escape characters |

REQUEST-921-PROTOCOL-ATTACK

TABLE 21
| RuleId | Description |
|--------|-------------|
| 921100 | HTTP Request Smuggling Attack. |
| 921110 | HTTP Request Smuggling Attack |
| 921120 | HTTP Response Splitting Attack |
| 921130 | HTTP Response Splitting Attack |
| 921140 | HTTP Header Injection Attack via headers |
| 921150 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921160 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| 921151 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921170 | HTTP Parameter Pollution |
| 921180 | HTTP Parameter Pollution (%@{TX.1}) |

REQUEST-930-APPLICATION-ATTACK-LFI

TABLE 22
| RuleId | Description |
|--------|-------------|
| 930100 | Path Traversal Attack (/../) |
| 930110 | Path Traversal Attack (/../) |
| 930120 | OS File Access Attempt |
| 930130 | Restricted File Access Attempt |

REQUEST-931-APPLICATION-ATTACK-RFI

TABLE 23
| RuleId | Description |
|--------|-------------|
| 931100 | Possible Remote File Inclusion (RFI) Attack = URL Parameter using IP Address |
| 931110 | Possible Remote File Inclusion (RFI) Attack = Common RFI Vulnerable Parameter Name used w/URL Payload |
| 931120 | Possible Remote File Inclusion (RFI) Attack = URL Payload Used w/Trailing Question Mark Character (?) |
| 931130 | Possible Remote File Inclusion (RFI) Attack = Off-Domain Reference/Link |

REQUEST-932-APPLICATION-ATTACK-RCE

TABLE 24
| RuleId | Description |
|--------|-------------|
| 932120 | Remote Command Execution = Windows PowerShell Command Found |
| 932130 | Remote Command Execution = Unix Shell Expression Found |
| 932140 | Remote Command Execution = Windows FOR/IF Command Found |
| 932160 | Remote Command Execution = Unix Shell Code Found |
| 932170 | Remote Command Execution = Shellshock (CVE-2014-6271) |
| 932171 | Remote Command Execution = Shellshock (CVE-2014-6271) |

REQUEST-933-APPLICATION-ATTACK-PHP

TABLE 25
| RuleId | Description |
|--------|-------------|
| 933100 | PHP Injection Attack = Opening/Closing Tag Found |
| 933110 | PHP Injection Attack = PHP Script File Upload Found |
| 933120 | PHP Injection Attack = Configuration Directive Found |
| 933130 | PHP Injection Attack = Variables Found |
| 933150 | PHP Injection Attack = High-Risk PHP Function Name Found |
| 933160 | PHP Injection Attack = High-Risk PHP Function Call Found |
| 933180 | PHP Injection Attack = Variable Function Call Found |
| 933151 | PHP Injection Attack = Medium-Risk PHP Function Name Found |
| 933131 | PHP Injection Attack = Variables Found |
| 933161 | PHP Injection Attack = Low-Value PHP Function Call Found |
| 933111 | PHP Injection Attack = PHP Script File Upload Found |

REQUEST-941-APPLICATION-ATTACK-XSS

TABLE 26
| RuleId | Description |
|--------|-------------|
| 941100 | XSS Attack Detected via libinjection |
| 941110 | XSS Filter – Category 1 = Script Tag Vector |
| 941130 | XSS Filter – Category 3 = Attribute Vector |
| 941140 | XSS Filter – Category 4 = Javascript URI Vector |
| 941150 | XSS Filter – Category 5 = Disallowed HTML Attributes |
| 941180 | Node-Validator Blacklist Keywords |
| 941190 | XSS using style sheets |
| 941200 | XSS using VML frames |
| 941210 | XSS using obfuscated Javascript |
| 941220 | XSS using obfuscated VB Script |
| 941230 | XSS using ‘embed’ tag |
| 941240 | XSS using ‘import’ or ‘implementation’ attribute |
| 941260 | XSS using ‘meta’ tag |
| 941270 | XSS using ‘link’ href |
| 941280 | XSS using ‘base’ tag |
| 941290 | XSS using ‘applet’ tag |
| 941300 | XSS using ‘object’ tag |
| 941310 | US-ASCII Malformed Encoding XSS Filter – Attack Detected. |
| 941330 | IE XSS Filters – Attack Detected. |
| 941340 | IE XSS Filters – Attack Detected. |
| 941350 | UTF-7 Encoding IE XSS – Attack Detected. |
| 941320 | Possible XSS Attack Detected – HTML Tag Handler |

REQUEST-942-APPLICATION-ATTACK-SQLI

TABLE 27
| RuleId | Description |
|--------|-------------|
| 942100 | SQL Injection Attack Detected via libinjection |
| 942110 | SQL Injection Attack: Common Injection Testing Detected |
| 942130 | SQL Injection Attack: SQL Tautology Detected. |
| 942140 | SQL Injection Attack = Common DB Names Detected |
| 942160 | Detects blind sqli tests using sleep() or benchmark(). |
| 942170 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| 942190 | Detects MSSQL code execution and information gathering attempts |
| 942200 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| 942230 | Detects conditional SQL injection attempts |
| 942260 | Detects basic SQL authentication bypass attempts 2/3 |
| 942270 | Looking for basic sql injection. Common attack string for mysql oracle and others. |
| 942290 | Finds basic MongoDB SQL injection attempts |
| 942300 | Detects MySQL comments, conditions and ch(a)r injections |
| 942310 | Detects chained SQL injection attempts 2/2 |
| 942320 | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942330 | Detects classic SQL injection probings 1/2 |
| 942340 | Detects basic SQL authentication bypass attempts 3/3 |
| 942350 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| 942360 | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942370 | Detects classic SQL injection probings 2/2 |
| 942150 | SQL Injection Attack |
| 942410 | SQL Injection Attack |
| 942430 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| 942440 | SQL Comment Sequence Detected. |
| 942450 | SQL Hex Encoding Identified |
| 942251 | Detects HAVING injections |
| 942460 | Meta-Character Anomaly Detection Alert – Repetitive Non-Word Characters |

REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION

TABLE 28
| RuleId | Description |
|--------|-------------|
| 943100 | Possible Session Fixation Attack = Setting Cookie Values in HTML |
| 943110 | Possible Session Fixation Attack = SessionID Parameter Name with Off-Domain Referrer |
| 943120 | Possible Session Fixation Attack = SessionID Parameter Name with No Referrer |

 
