OWASP Rules
OWASP 3.0
General
TABLE 17 | |
RuleId | Description |
200004 | Possible Multipart Unmatched Boundary. |
REQUEST-911-METHOD-ENFORCEMENT
TABLE 18 | |
RuleId | Description |
911100 | Method is not allowed by policy |
REQUEST-913-SCANNER-DETECTION
TABLE 19 | |
RuleId | Description |
913100 | Found User-Agent associated with security scanner |
913110 | Found request header associated with security scanner |
913120 | Found request filename/argument associated with security scanner |
913101 | Found User-Agent associated with scripting/generic HTTP client |
913102 | Found User-Agent associated with web crawler/bot |
REQUEST-920-PROTOCOL-ENFORCEMENT
TABLE 20 | |
RuleId | Description |
920100 | Invalid HTTP Request Line |
920130 | Failed to parse request body. |
920140 | Multipart request body failed strict validation |
920160 | Content-Length HTTP header is not numeric. |
920170 | GET or HEAD Request with Body Content. |
920180 | POST request missing Content-Length Header. |
920190 | Range = Invalid Last Byte Value. |
920210 | Multiple/Conflicting Connection Header Data Found. |
920220 | URL Encoding Abuse Attack Attempt |
920240 | URL Encoding Abuse Attack Attempt |
920250 | UTF8 Encoding Abuse Attack Attempt |
920260 | Unicode Full/Half Width Abuse Attack Attempt |
920270 | Invalid character in request (null character) |
920280 | Request Missing a Host Header |
920290 | Empty Host Header |
920310 | Request Has an Empty Accept Header |
920311 | Request Has an Empty Accept Header |
920330 | Empty User Agent Header |
920340 | Request Containing Content but Missing Content-Type header |
920350 | Host header is a numeric IP address |
920380 | Too many arguments in request |
920360 | Argument name too long |
920370 | Argument value too long |
920390 | Total arguments size exceeded |
920400 | Uploaded file size too large |
920410 | Total uploaded files size too large |
920420 | Request content type is not allowed by policy |
920430 | HTTP protocol version is not allowed by policy |
920440 | URL file extension is restricted by policy |
920450 | HTTP header is restricted by policy (%@{MATCHED_VAR}) |
920200 | Range = Too many fields (6 or more) |
920201 | Range = Too many fields for pdf request (35 or more) |
920230 | Multiple URL Encoding Detected |
920300 | Request Missing an Accept Header |
920271 | Invalid character in request (non printable characters) |
920320 | Missing User Agent Header |
920272 | Invalid character in request (outside of printable chars below ascii 127) |
920202 | Range = Too many fields for pdf request (6 or more) |
920273 | Invalid character in request (outside of very strict set) |
920274 | Invalid character in request headers (outside of very strict set) |
920460 | Abnormal escape characters |
REQUEST-921-PROTOCOL-ATTACK
TABLE 21 | |
RuleId | Description |
921100 | HTTP Request Smuggling Attack. |
921110 | HTTP Request Smuggling Attack |
921120 | HTTP Response Splitting Attack |
921130 | HTTP Response Splitting Attack |
921140 | HTTP Header Injection Attack via headers |
921150 | HTTP Header Injection Attack via payload (CR/LF detected) |
921160 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
921151 | HTTP Header Injection Attack via payload (CR/LF detected) |
921170 | HTTP Parameter Pollution |
921180 | HTTP Parameter Pollution (%@{TX.1}) |
REQUEST-930-APPLICATION-ATTACK-LFI
TABLE 22 | |
RuleId | Description |
930100 | Path Traversal Attack (/../) |
930110 | Path Traversal Attack (/../) |
930120 | OS File Access Attempt |
930130 | Restricted File Access Attempt |
REQUEST-931-APPLICATION-ATTACK-RFI
TABLE 23 | |
RuleId | Description |
931100 | Possible Remote File Inclusion (RFI) Attack = URL Parameter using IP Address |
931110 | Possible Remote File Inclusion (RFI) Attack = Common RFI Vulnerable Parameter Name used w/URL Payload |
931120 | Possible Remote File Inclusion (RFI) Attack = URL Payload Used w/Trailing Question Mark Character (?) |
931130 | Possible Remote File Inclusion (RFI) Attack = Off-Domain Reference/Link |
REQUEST-932-APPLICATION-ATTACK-RCE
TABLE 24 | |
RuleId | Description |
932120 | Remote Command Execution = Windows PowerShell Command Found |
932130 | Remote Command Execution = Unix Shell Expression Found |
932140 | Remote Command Execution = Windows FOR/IF Command Found |
932160 | Remote Command Execution = Unix Shell Code Found |
932170 | Remote Command Execution = Shellshock (CVE-2014-6271) |
932171 | Remote Command Execution = Shellshock (CVE-2014-6271) |
REQUEST-933-APPLICATION-ATTACK-PHP
TABLE 25 | |
RuleId | Description |
933100 | PHP Injection Attack = Opening/Closing Tag Found |
933110 | PHP Injection Attack = PHP Script File Upload Found |
933120 | PHP Injection Attack = Configuration Directive Found |
933130 | PHP Injection Attack = Variables Found |
933150 | PHP Injection Attack = High-Risk PHP Function Name Found |
933160 | PHP Injection Attack = High-Risk PHP Function Call Found |
933180 | PHP Injection Attack = Variable Function Call Found |
933151 | PHP Injection Attack = Medium-Risk PHP Function Name Found |
933131 | PHP Injection Attack = Variables Found |
933161 | PHP Injection Attack = Low-Value PHP Function Call Found |
933111 | PHP Injection Attack = PHP Script File Upload Found |
REQUEST-941-APPLICATION-ATTACK-XSS
TABLE 26 | |
RuleId | Description |
941100 | XSS Attack Detected via libinjection |
941110 | XSS Filter – Category 1 = Script Tag Vector |
941130 | XSS Filter – Category 3 = Attribute Vector |
941140 | XSS Filter – Category 4 = Javascript URI Vector |
941150 | XSS Filter – Category 5 = Disallowed HTML Attributes |
941180 | Node-Validator Blacklist Keywords |
941190 | XSS using style sheets |
941200 | XSS using VML frames |
941210 | XSS using obfuscated Javascript |
941220 | XSS using obfuscated VB Script |
941230 | XSS using ‘embed’ tag |
941240 | XSS using ‘import’ or ‘implementation’ attribute |
941260 | XSS using ‘meta’ tag |
941270 | XSS using ‘link’ href |
941280 | XSS using ‘base’ tag |
941290 | XSS using ‘applet’ tag |
941300 | XSS using ‘object’ tag |
941310 | US-ASCII Malformed Encoding XSS Filter – Attack Detected. |
941330 | IE XSS Filters – Attack Detected. |
941340 | IE XSS Filters – Attack Detected. |
941350 | UTF-7 Encoding IE XSS – Attack Detected. |
941320 | Possible XSS Attack Detected – HTML Tag Handler |
REQUEST-942-APPLICATION-ATTACK-SQLI
TABLE 27 | |
RuleId | Description |
942100 | SQL Injection Attack Detected via libinjection |
942110 | SQL Injection Attack: Common Injection Testing Detected |
942130 | SQL Injection Attack: SQL Tautology Detected. |
942140 | SQL Injection Attack = Common DB Names Detected |
942160 | Detects blind sqli tests using sleep() or benchmark(). |
942170 | Detects SQL benchmark and sleep injection attempts including conditional queries |
942190 | Detects MSSQL code execution and information gathering attempts |
942200 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
942230 | Detects conditional SQL injection attempts |
942260 | Detects basic SQL authentication bypass attempts 2/3 |
942270 | Looking for basic sql injection. Common attack string for mysql oracle and others. |
942290 | Finds basic MongoDB SQL injection attempts |
942300 | Detects MySQL comments, conditions and ch(a)r injections |
942310 | Detects chained SQL injection attempts 2/2 |
942320 | Detects MySQL and PostgreSQL stored procedure/function injections |
942330 | Detects classic SQL injection probings 1/2 |
942340 | Detects basic SQL authentication bypass attempts 3/3 |
942350 | Detects MySQL UDF injection and other data/structure manipulation attempts |
942360 | Detects concatenated basic SQL injection and SQLLFI attempts |
942370 | Detects classic SQL injection probings 2/2 |
942150 | SQL Injection Attack |
942410 | SQL Injection Attack |
942430 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
942440 | SQL Comment Sequence Detected. |
942450 | SQL Hex Encoding Identified |
942251 | Detects HAVING injections |
942460 | Meta-Character Anomaly Detection Alert – Repetitive Non-Word Characters |
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
TABLE 28 | |
RuleId | Description |
943100 | Possible Session Fixation Attack = Setting Cookie Values in HTML |
943110 | Possible Session Fixation Attack = SessionID Parameter Name with Off-Domain Referrer |
943120 | Possible Session Fixation Attack = SessionID Parameter Name with No Referrer |