1 <filters> 2 <filter> 3 <id>2</id> 4 <rule><![CDATA[(?:"+.*[<=]\s*"[^"]+")|(?:"\w+\s*=)|(?:>\w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")|(?:[^"]?"[,;\s]+\w*[\[\(])]]></rule> 5 <description>finds attribute breaking injections including whitespace attacks</description> 6 <tags> 7 <tag>xss</tag> 8 <tag>csrf</tag> 9 </tags> 10 <impact>4</impact> 11 </filter> 12 <filter> 13 <id>69</id> 14 <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule> 15 <description>finds malicious attribute injection attempts</description> 16 <tags> 17 <tag>xss</tag> 18 <tag>csrf</tag> 19 </tags> 20 <impact>6</impact> 21 </filter> 22 <filter> 23 <id>3</id> 24 <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule> 25 <description>finds unquoted attribute breaking injections</description> 26 <tags> 27 <tag>xss</tag> 28 <tag>csrf</tag> 29 </tags> 30 <impact>2</impact> 31 </filter> 32 <filter> 33 <id>4</id> 34 <rule><![CDATA[(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])]]></rule> 35 <description>Detects url-, name-, JSON, and referrer-contained payload attacks</description> 36 <tags> 37 <tag>xss</tag> 38 <tag>csrf</tag> 39 </tags> 40 <impact>5</impact> 41 </filter> 42 <filter> 43 <id>5</id> 44 <rule><![CDATA[(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?"[^\s"]":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)]]></rule> 45 <description>Detects hash-contained xss payload attacks, setter usage and property overloading</description> 46 <tags> 47 <tag>xss</tag> 48 <tag>csrf</tag> 49 </tags> 50 <impact>5</impact> 51 </filter> 52 <filter> 53 <id>6</id> 54 <rule><![CDATA[(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)]]></rule> 55 <description>Detects self contained xss via with(), common loops and regex to string conversion</description> 56 <tags> 57 <tag>xss</tag> 58 <tag>csrf</tag> 59 </tags> 60 <impact>5</impact> 61 </filter> 62 <filter> 63 
<id>7</id> 64 <rule><![CDATA[(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)]]></rule> 65 <description>Detects JavaScript with(), ternary operators and XML predicate attacks</description> 66 <tags> 67 <tag>xss</tag> 68 <tag>csrf</tag> 69 </tags> 70 <impact>5</impact> 71 </filter> 72 <filter> 73 <id>8</id> 74 <rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule> 75 <description>Detects self-executing JavaScript functions</description> 76 <tags> 77 <tag>xss</tag> 78 <tag>csrf</tag> 79 </tags> 80 <impact>5</impact> 81 </filter> 82 <filter> 83 <id>9</id> 84 <rule><![CDATA[(?:\\u00[a-f0-9]{2})|(?:\\x0*[a-f0-9]{2})|(?:\\\d{2,3})]]></rule> 85 <description>Detects the IE octal, hex and unicode entities</description> 86 <tags> 87 <tag>xss</tag> 88 <tag>csrf</tag> 89 </tags> 90 <impact>2</impact> 91 </filter> 92 <filter> 93 <id>10</id> 94 <rule><![CDATA[(?:(?:\/|\\)?\.+(\/|\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})]]></rule> 95 <description>Detects basic directory traversal</description> 96 <tags> 97 <tag>dt</tag> 98 <tag>id</tag> 99 <tag>lfi</tag> 100 </tags> 101 <impact>5</impact> 102 </filter> 103 <filter> 104 <id>11</id> 105 <rule><![CDATA[(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))|(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)]]></rule> 106 <description>Detects specific directory and path traversal</description> 107 <tags> 108 <tag>dt</tag> 109 <tag>id</tag> 110 <tag>lfi</tag> 111 </tags> 112 <impact>5</impact> 113 </filter> 114 <filter> 115 <id>12</id> 116 <rule><![CDATA[(?:etc\/\W*passwd)]]></rule> 117 <description>Detects etc/passwd inclusion attempts</description> 118 <tags> 119 
<tag>dt</tag> 120 <tag>id</tag> 121 <tag>lfi</tag> 122 </tags> 123 <impact>5</impact> 124 </filter> 125 <filter> 126 <id>13</id> 127 <rule><![CDATA[(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)]]></rule> 128 <description>Detects halfwidth/fullwidth encoded unicode HTML breaking attempts</description> 129 <tags> 130 <tag>xss</tag> 131 <tag>csrf</tag> 132 </tags> 133 <impact>3</impact> 134 </filter> 135 <filter> 136 <id>14</id> 137 <rule><![CDATA[(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))]]></rule> 138 <description>Detects possible includes, VBSCript/JScript encodeed and packed functions</description> 139 <tags> 140 <tag>xss</tag> 141 <tag>csrf</tag> 142 <tag>id</tag> 143 <tag>rfe</tag> 144 </tags> 145 <impact>5</impact> 146 </filter> 147 <filter> 148 <id>15</id> 149 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule> 150 <description>Detects JavaScript DOM/miscellaneous properties and methods</description> 151 <tags> 152 <tag>xss</tag> 153 <tag>csrf</tag> 154 <tag>id</tag> 155 <tag>rfe</tag> 156 </tags> 157 <impact>6</impact> 158 </filter> 159 <filter> 160 <id>16</id> 161 <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule> 162 <description>Detects possible includes and typical script methods</description> 163 <tags> 164 <tag>xss</tag> 165 <tag>csrf</tag> 166 <tag>id</tag> 167 <tag>rfe</tag> 
168 </tags> 169 <impact>5</impact> 170 </filter> 171 <filter> 172 <id>17</id> 173 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule> 174 <description>Detects JavaScript object properties and methods</description> 175 <tags> 176 <tag>xss</tag> 177 <tag>csrf</tag> 178 <tag>id</tag> 179 <tag>rfe</tag> 180 </tags> 181 <impact>4</impact> 182 </filter> 183 <filter> 184 <id>18</id> 185 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule> 186 <description>Detects JavaScript array properties and methods</description> 187 <tags> 188 <tag>xss</tag> 189 <tag>csrf</tag> 190 <tag>id</tag> 191 <tag>rfe</tag> 192 </tags> 193 <impact>4</impact> 194 </filter> 195 <filter> 196 <id>19</id> 197 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule> 198 <description>Detects JavaScript string properties and methods</description> 199 <tags> 200 <tag>xss</tag> 201 <tag>csrf</tag> 202 <tag>id</tag> 203 <tag>rfe</tag> 204 </tags> 205 <impact>4</impact> 206 </filter> 207 <filter> 208 <id>20</id> 209 
<rule><![CDATA[(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-]))]]></rule> 210 <description>Detects JavaScript language constructs</description> 211 <tags> 212 <tag>xss</tag> 213 <tag>csrf</tag> 214 <tag>id</tag> 215 <tag>rfe</tag> 216 </tags> 217 <impact>4</impact> 218 </filter> 219 <filter> 220 <id>21</id> 221 <rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule> 222 <description>Detects very basic XSS probings</description> 223 <tags> 224 <tag>xss</tag> 225 <tag>csrf</tag> 226 <tag>id</tag> 227 <tag>rfe</tag> 228 </tags> 229 <impact>3</impact> 230 </filter> 231 <filter> 232 <id>22</id> 233 <rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule> 234 <description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description> 235 <tags> 236 <tag>xss</tag> 237 <tag>csrf</tag> 238 <tag>id</tag> 239 <tag>rfe</tag> 240 </tags> 241 <impact>5</impact> 242 </filter> 243 <filter> 244 <id>23</id> 245 <rule><![CDATA[(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)]]></rule> 246 <description>Detects JavaScript 
location/document property access and window access obfuscation</description> 247 <tags> 248 <tag>xss</tag> 249 <tag>csrf</tag> 250 </tags> 251 <impact>5</impact> 252 </filter> 253 <filter> 254 <id>24</id> 255 <rule><![CDATA[(?:[".]script\s*\()|(?:\$\$?\s*\(\s*[\w"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])]]></rule> 256 <description>Detects basic obfuscated JavaScript script injections</description> 257 <tags> 258 <tag>xss</tag> 259 <tag>csrf</tag> 260 </tags> 261 <impact>5</impact> 262 </filter> 263 <filter> 264 <id>25</id> 265 <rule><![CDATA[(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[("\w+"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*")]]></rule> 266 <description>Detects obfuscated JavaScript script injections</description> 267 <tags> 268 <tag>xss</tag> 269 <tag>csrf</tag> 270 </tags> 271 <impact>5</impact> 272 </filter> 273 <filter> 274 <id>26</id> 275 <rule><![CDATA[(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])]]></rule> 276 <description>Detects JavaScript cookie stealing and redirection attempts</description> 277 <tags> 278 <tag>xss</tag> 279 <tag>csrf</tag> 280 </tags> 281 <impact>4</impact> 282 </filter> 283 <filter> 284 <id>27</id> 285 <rule><![CDATA[(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*"?\s*vbs(?:ript)?:)|(language\s*=\s?"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-"?]]></rule> 286 <description>Detects data: URL injections, VBS injections and common URI schemes</description> 287 <tags> 288 <tag>xss</tag> 289 <tag>rfe</tag> 290 </tags> 291 <impact>5</impact> 292 </filter> 293 <filter> 294 <id>28</id> 295 <rule><![CDATA[(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)]]></rule> 296 <description>Detects IE firefoxurl injections, 
cache poisoning attempts and local file inclusion/execution</description> 297 <tags> 298 <tag>xss</tag> 299 <tag>rfe</tag> 300 <tag>lfi</tag> 301 <tag>csrf</tag> 302 </tags> 303 <impact>5</impact> 304 </filter> 305 <filter> 306 <id>29</id> 307 <rule><![CDATA[(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\])]]></rule> 308 <description>Detects bindings and behavior injections</description> 309 <tags> 310 <tag>xss</tag> 311 <tag>csrf</tag> 312 <tag>rfe</tag> 313 </tags> 314 <impact>4</impact> 315 </filter> 316 <filter> 317 <id>30</id> 318 <rule><![CDATA[(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)]]></rule> 319 <description>Detects common XSS concatenation patterns 1/2</description> 320 <tags> 321 <tag>xss</tag> 322 <tag>csrf</tag> 323 <tag>id</tag> 324 <tag>rfe</tag> 325 </tags> 326 <impact>4</impact> 327 </filter> 328 <filter> 329 <id>31</id> 330 <rule><![CDATA[(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*")|(?:!\d+\.\d*\?")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)]]></rule> 331 <description>Detects common XSS concatenation patterns 2/2</description> 332 <tags> 333 <tag>xss</tag> 334 <tag>csrf</tag> 335 <tag>id</tag> 336 <tag>rfe</tag> 337 </tags> 338 <impact>4</impact> 339 </filter> 340 <filter> 341 <id>32</id> 342 <rule><![CDATA[(?:[^\w\s=]on(?!g\>)\w+[^=_+-]*=[^$]+(?:\W|\>)?)]]></rule> 343 <description>Detects possible event handlers</description> 344 <tags> 345 <tag>xss</tag> 346 <tag>csrf</tag> 347 </tags> 348 <impact>4</impact> 349 </filter> 350 <filter> 351 <id>33</id> 352 <rule><![CDATA[(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)]]></rule> 353 <description>Detects obfuscated script tags and XML wrapped HTML</description> 354 <tags> 355 <tag>xss</tag> 356 </tags> 357 <impact>4</impact> 358 </filter> 359 <filter> 360 <id>34</id> 361 
<rule><![CDATA[(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,"=])]]></rule> 362 <description>Detects attributes in closing tags and conditional compilation tokens</description> 363 <tags> 364 <tag>xss</tag> 365 <tag>csrf</tag> 366 </tags> 367 <impact>4</impact> 368 </filter> 369 <filter> 370 <id>35</id> 371 <rule><![CDATA[(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)]]></rule> 372 <description>Detects common comment types</description> 373 <tags> 374 <tag>xss</tag> 375 <tag>csrf</tag> 376 <tag>id</tag> 377 </tags> 378 <impact>3</impact> 379 </filter> 380 <filter> 381 <id>37</id> 382 <rule><![CDATA[(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))]]></rule> 383 <description>Detects base href injections and XML entity injections</description> 384 <tags> 385 <tag>xss</tag> 386 <tag>csrf</tag> 387 <tag>id</tag> 388 </tags> 389 <impact>5</impact> 390 </filter> 391 <filter> 392 <id>38</id> 393 <rule><![CDATA[(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))]]></rule> 394 <description>Detects possibly malicious html elements including some attributes</description> 395 <tags> 396 <tag>xss</tag> 397 <tag>csrf</tag> 398 <tag>id</tag> 399 <tag>rfe</tag> 400 <tag>lfi</tag> 401 </tags> 402 <impact>4</impact> 403 </filter> 404 <filter> 405 <id>39</id> 406 <rule><![CDATA[(?:\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])]]></rule> 407 <description>Detects nullbytes and other dangerous characters</description> 408 <tags> 409 <tag>id</tag> 410 <tag>rfe</tag> 411 <tag>xss</tag> 412 </tags> 413 <impact>5</impact> 414 </filter> 415 <filter> 416 <id>40</id> 417 <rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule> 418 <description>Detects MySQL 
comments, conditions and ch(a)r injections</description> 419 <tags> 420 <tag>sqli</tag> 421 <tag>id</tag> 422 <tag>lfi</tag> 423 </tags> 424 <impact>6</impact> 425 </filter> 426 <filter> 427 <id>41</id> 428 <rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule> 429 <description>Detects conditional SQL injection attempts</description> 430 <tags> 431 <tag>sqli</tag> 432 <tag>id</tag> 433 <tag>lfi</tag> 434 </tags> 435 <impact>6</impact> 436 </filter> 437 <filter> 438 <id>42</id> 439 <rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule> 440 <description>Detects classic SQL injection probings 1/2</description> 441 <tags> 442 <tag>sqli</tag> 443 <tag>id</tag> 444 <tag>lfi</tag> 445 </tags> 446 <impact>6</impact> 447 </filter> 448 <filter> 449 <id>43</id> 450 <rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule> 451 <description>Detects classic SQL injection probings 2/2</description> 452 <tags> 453 <tag>sqli</tag> 454 <tag>id</tag> 455 <tag>lfi</tag> 456 </tags> 457 <impact>6</impact> 458 </filter> 459 <filter> 460 <id>44</id> 461 <rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule> 462 <description>Detects basic SQL authentication bypass attempts 
1/3</description> 463 <tags> 464 <tag>sqli</tag> 465 <tag>id</tag> 466 <tag>lfi</tag> 467 </tags> 468 <impact>7</impact> 469 </filter> 470 <filter> 471 <id>45</id> 472 <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule> 473 <description>Detects basic SQL authentication bypass attempts 2/3</description> 474 <tags> 475 <tag>sqli</tag> 476 <tag>id</tag> 477 <tag>lfi</tag> 478 </tags> 479 <impact>7</impact> 480 </filter> 481 <filter> 482 <id>46</id> 483 <rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule> 484 <description>Detects basic SQL authentication bypass attempts 3/3</description> 485 <tags> 486 <tag>sqli</tag> 487 <tag>id</tag> 488 <tag>lfi</tag> 489 </tags> 490 <impact>7</impact> 491 </filter> 492 <filter> 493 <id>47</id> 494 <rule><![CDATA[(?:[\d\W]\s+as\s*["\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule> 495 <description>Detects concatenated basic SQL injection and SQLLFI attempts</description> 496 <tags> 497 <tag>sqli</tag> 498 <tag>id</tag> 499 <tag>lfi</tag> 500 </tags> 501 <impact>5</impact> 502 </filter> 503 <filter> 504 <id>48</id> 505 <rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not 
|\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule> 506 <description>Detects chained SQL injection attempts 1/2</description> 507 <tags> 508 <tag>sqli</tag> 509 <tag>id</tag> 510 </tags> 511 <impact>6</impact> 512 </filter> 513 <filter> 514 <id>49</id> 515 <rule><![CDATA[(?:"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule> 516 <description>Detects chained SQL injection attempts 2/2</description> 517 <tags> 518 <tag>sqli</tag> 519 <tag>id</tag> 520 </tags> 521 <impact>6</impact> 522 </filter> 523 <filter> 524 <id>50</id> 525 <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule> 526 <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description> 527 <tags> 528 <tag>sqli</tag> 529 <tag>id</tag> 530 </tags> 531 <impact>4</impact> 532 </filter> 533 <filter> 534 <id>51</id> 535 <rule><![CDATA[(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})]]></rule> 536 <description>Detects MySQL UDF injection and other data/structure manipulation attempts</description> 537 <tags> 538 <tag>sqli</tag> 539 <tag>id</tag> 540 </tags> 541 <impact>6</impact> 542 </filter> 543 <filter> 544 <id>52</id> 545 <rule><![CDATA[(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")|(?:";.*:\s*goto)]]></rule> 546 <description>Detects MySQL charset switch and MSSQL DoS attempts</description> 547 <tags> 548 <tag>sqli</tag> 549 <tag>id</tag> 550 </tags> 551 <impact>6</impact> 552 </filter> 553 <filter> 554 <id>53</id> 555 <rule><![CDATA[(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)]]></rule> 556 
<description>Detects MySQL and PostgreSQL stored procedure/function injections</description> 557 <tags> 558 <tag>sqli</tag> 559 <tag>id</tag> 560 </tags> 561 <impact>7</impact> 562 </filter> 563 <filter> 564 <id>54</id> 565 <rule><![CDATA[(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))]]></rule> 566 <description>Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts</description> 567 <tags> 568 <tag>sqli</tag> 569 <tag>id</tag> 570 </tags> 571 <impact>5</impact> 572 </filter> 573 <filter> 574 <id>55</id> 575 <rule><![CDATA[(?:\sexec\s+xp_cmdshell)|(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule> 576 <description>Detects MSSQL code execution and information gathering attempts</description> 577 <tags> 578 <tag>sqli</tag> 579 <tag>id</tag> 580 </tags> 581 <impact>5</impact> 582 </filter> 583 <filter> 584 <id>56</id> 585 <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule> 586 <description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections</description> 587 <tags> 588 <tag>sqli</tag> 589 <tag>id</tag> 590 </tags> 591 <impact>5</impact> 592 </filter> 593 <filter> 594 <id>57</id> 595 <rule><![CDATA[(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule> 596 <description>Detects MySQL comment-/space-obfuscated injections</description> 597 <tags> 598 <tag>sqli</tag> 599 <tag>id</tag> 600 </tags> 601 <impact>5</impact> 602 </filter> 603 <filter> 604 <id>58</id> 605 
<rule><![CDATA[(?:@[\w-]+\s*\()|(?:]\s*\(\s*["!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))|(?:;\s*\{\W*\w+\s*\()]]></rule> 606 <description>Detects code injection attempts 1/3</description> 607 <tags> 608 <tag>id</tag> 609 <tag>rfe</tag> 610 <tag>lfi</tag> 611 </tags> 612 <impact>7</impact> 613 </filter> 614 <filter> 615 <id>59</id> 616 <rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*["(@])]]></rule> 617 <description>Detects code injection attempts 2/3</description> 618 <tags> 619 <tag>id</tag> 620 <tag>rfe</tag> 621 <tag>lfi</tag> 622 </tags> 623 <impact>7</impact> 624 </filter> 625 <filter> 626 <id>60</id> 627 <rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)]]></rule> 628 <description>Detects code injection attempts 3/3</description> 629 <tags> 630 <tag>id</tag> 631 <tag>rfe</tag> 632 <tag>lfi</tag> 633 </tags> 634 <impact>7</impact> 635 </filter> 636 <filter> 637 <id>61</id> 638 <rule><![CDATA[(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)]]></rule> 639 <description>Detects url injections and RFE attempts</description> 640 <tags> 641 <tag>id</tag> 642 <tag>rfe</tag> 643 <tag>lfi</tag> 644 </tags> 645 <impact>5</impact> 646 </filter> 647 <filter> 648 <id>62</id> 649 <rule><![CDATA[(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)\W+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)]]></rule> 650 <description>Detects common function declarations and special JS operators</description> 651 <tags> 652 <tag>id</tag> 653 <tag>rfe</tag> 654 <tag>lfi</tag> 655 </tags> 656 <impact>5</impact> 657 </filter> 658 <filter> 659 <id>63</id> 660 <rule><![CDATA[(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)]]></rule> 661 
<description>Detects common mail header injections</description> 662 <tags> 663 <tag>id</tag> 664 <tag>spam</tag> 665 </tags> 666 <impact>5</impact> 667 </filter> 668 <filter> 669 <id>64</id> 670 <rule><![CDATA[(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)]]></rule> 671 <description>Detects perl echo shellcode injection and LDAP vectors</description> 672 <tags> 673 <tag>lfi</tag> 674 <tag>rfe</tag> 675 </tags> 676 <impact>5</impact> 677 </filter> 678 <filter> 679 <id>65</id> 680 <rule><![CDATA[(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})]]></rule> 681 <description>Detects basic XSS DoS attempts</description> 682 <tags> 683 <tag>rfe</tag> 684 <tag>dos</tag> 685 </tags> 686 <impact>5</impact> 687 </filter> 688 <filter> 689 <id>67</id> 690 <rule><![CDATA[(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])]]></rule> 691 <description>Detects unknown attack vectors based on PHPIDS Centrifuge detection</description> 692 <tags> 693 <tag>xss</tag> 694 <tag>csrf</tag> 695 <tag>id</tag> 696 <tag>rfe</tag> 697 <tag>lfi</tag> 698 </tags> 699 <impact>7</impact> 700 </filter> 701 <filter> 702 <id>68</id> 703 <rule><![CDATA[(?:[\s\/"]+[-\w\/\\\*]+\s*=.+(?:\/\s*>))]]></rule> 704 <description>finds attribute breaking injections including obfuscated attributes</description> 705 <tags> 706 <tag>xss</tag> 707 <tag>csrf</tag> 708 </tags> 709 <impact>4</impact> 710 </filter> 711 <filter> 712 <id>69</id> 713 <rule><![CDATA[(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))]]></rule> 714 <description>finds basic VBScript injection attempts</description> 715 <tags> 716 <tag>xss</tag> 717 <tag>csrf</tag> 718 </tags> 719 <impact>4</impact> 720 </filter> 721 <filter> 722 <id>70</id> 723 <rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule> 724 <description>finds basic MongoDB SQL injection 
attempts</description> 725 <tags> 726 <tag>sqli</tag> 727 </tags> 728 <impact>4</impact> 729 </filter> 730 </filters>