WAF Core Rules Reference

Core Rule Set Reference

The following table presents the rules of the WAF Core Rule Set (CRS) as defined in the OWASP CRS:

Rule ID   Rule Description
932160    Remote Command Execution: Unix Shell Code Found
942100    SQL Injection Attack Detected via libinjection
942460    Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
910150    HTTP Blacklist match for search engine IP
913110    Found request header associated with security scanner
920190    Range: Invalid Last Byte Value.
921120    HTTP Response Splitting Attack
951120    Oracle SQL Information Leakage
953100    PHP Information Leakage
954100    Disclosure of IIS install location
941340    IE XSS Filters - Attack Detected.
942170    Detects SQL benchmark and sleep injection attempts including conditional queries
944300    Base64 encoded string matched suspicious keyword
910180    HTTP Blacklist match for harvester IP
920350    Host header is a numeric IP address
932100    Remote Command Execution: Unix Command Injection
941290    IE XSS Filters - Attack Detected.
920480    Request content type charset is not allowed by policy
930120    OS File Access Attempt
931120    Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)
941150    XSS Filter - Category 5: Disallowed HTML Attributes
942400    SQL Injection Attack
954110    Application Availability Error
920201    Range: Too many fields for pdf request (63 or more)
931100    Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address
932170    Remote Command Execution: Shellshock (CVE-2014-6271)
933150    PHP Injection Attack: High-Risk PHP Function Name Found
920380    Too many arguments in request
933111    PHP Injection Attack: PHP Script File Upload Found
951230    mysql SQL Information Leakage
4295005   Enable Nextcloud specific CRS exclusions
953120    PHP source code leakage
954130    IIS Information Leakage
920440    URL file extension is restricted by policy
920450    HTTP header is restricted by policy (%{MATCHED_VAR})
932180    Restricted File Upload Attempt
941170    NoScript XSS InjectionChecker: Attribute Injection
920470    Illegal Content-Type header
920230    Multiple URL Encoding Detected
932190    Remote Command Execution: Wildcard bypass technique attempt
941300    IE XSS Filters - Attack Detected.
944250    Remote Command Execution: Suspicious Java method detected
910100    Client IP is from a HIGH Risk Country Location.
920273    Invalid character in request (outside of very strict set)
921151    HTTP Header Injection Attack via payload (CR/LF detected)
930100    Path Traversal Attack (/../)
941310    US-ASCII Malformed Encoding XSS Filter - Attack Detected.
942150    SQL Injection Attack
950130    Directory Listing
4295001   Enable Drupal specific CRS exclusions
932130    Remote Command Execution: Unix Shell Expression Found
933140    PHP Injection Attack: I/O Stream Found
941140    XSS Filter - Category 4: Javascript URI Vector
941260    IE XSS Filters - Attack Detected.
933130    PHP Injection Attack: Variables Found
942260    Detects basic SQL authentication bypass attempts 2/3
952100    Java Source Code Leakage
4295002   Enable Wordpress specific CRS exclusions
920210    Multiple/Conflicting Connection Header Data Found.
920272    Invalid character in request (outside of printable chars below ascii 127)
932110    Remote Command Execution: Windows Command Injection
932115    Remote Command Execution: Windows Command Injection
920430    HTTP protocol version is not allowed by policy
951220    mssql SQL Information Leakage
942120    SQL Injection Attack: SQL Operator Detected
942470    SQL Injection Attack
944240    Remote Command Execution: Java serialization (CVE-2015-5842)
910160    HTTP Blacklist match for spammer IP
920171    GET or HEAD Request with Transfer-Encoding.
920220    URL Encoding Abuse Attack Attempt
941130    XSS Filter - Category 3: Attribute Vector
944130    Suspicious Java class detected
953110    PHP source code leakage
913100    Found User-Agent associated with security scanner
941160    NoScript XSS InjectionChecker: HTML Injection
942140    SQL Injection Attack: Common DB Names Detected
942380    SQL Injection Attack
951200    interbase SQL Information Leakage
910000    Request from Known Malicious Client (Based on previous traffic violations).
920360    Argument name too long
941120    XSS Filter - Category 2: Event Handler Vector
942480    SQL Injection Attack
942450    SQL Hex Encoding Identified
943120    Possible Session Fixation Attack: SessionID Parameter Name with No Referer
951250    sqlite SQL Information Leakage
951260    Sybase SQL Information Leakage
920240    URL Encoding Abuse Attack Attempt
920410    Total uploaded files size too large
921110    HTTP Request Smuggling Attack
933120    PHP Injection Attack: Configuration Directive Found
942350    Detects MySQL UDF injection and other data/structure manipulation attempts
944210    Magic bytes Detected Base64 Encoded probable java serialization in use
952110    Java Errors
920271    Invalid character in request (non printable characters)
921140    HTTP Header Injection Attack via headers
932140    Remote Command Execution: Windows FOR/IF Command Found
941180    Node-Validator Blacklist Keywords
930130    Restricted File Access Attempt
931130    Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
932106    Remote Command Execution: Unix Command Injection
941230    IE XSS Filters - Attack Detected.
911100    Method is not allowed by policy
912120    Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)
920202    Range: Too many fields for pdf request (6 or more)
921130    HTTP Response Splitting Attack
941270    IE XSS Filters - Attack Detected.
941280    IE XSS Filters - Attack Detected.
943110    Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
951210    maxDB SQL Information Leakage
4295003   Enable Cpanel specific CRS exclusions
913102    Found User-Agent associated with web crawler/bot
920400    Uploaded file size too large
942290    Finds basic MongoDB SQL injection attempts
942490    Detects classic SQL injection probings 3/3
941110    XSS Filter - Category 1: Script Tag Vector
941101    XSS Attack Detected via libinjection
942330    Detects classic SQL injection probings 1/3
942410    SQL Injection Attack
920130    Failed to parse request body.
920420    Request content type is not allowed by policy
921160    HTTP Header Injection Attack via payload (CR/LF and header-name detected)
933131    PHP Injection Attack: Variables Found
944110    Remote Command Execution: Java process spawn (CVE-2017-9805)
944200    Magic bytes Detected probable java serialization in use
4295006   Enable Xenforo specific CRS exclusions
920120    Attempted multipart/form-data bypass
920460    Abnormal character escapes in request
941320    Possible XSS Attack Detected - HTML Tag Handler
942361    Detects basic SQL injection based on keyword alter or union
910170    HTTP Blacklist match for suspicious IP
932150    Remote Command Execution: Direct Unix Command Execution
941240    IE XSS Filters - Attack Detected.
942310    Detects chained SQL injection attempts 2/2
941350    UTF-7 Encoding IE XSS - Attack Detected.
951170    hsqldb SQL Information Leakage
920170    GET or HEAD Request with Body Content.
920370    Argument value too long
920390    Total arguments size exceeded
941100    XSS Attack Detected via libinjection
4295004   Enable Dokuwiki specific CRS exclusions
942160    Detects blind sqli tests using sleep() or benchmark().
942130    SQL Injection Attack: SQL Tautology Detected.
942200    Detects MySQL comment-/space-obfuscated injections and backtick termination
942270    Looking for basic sql injection. Common attack string for mysql oracle and others.
933100    PHP Injection Attack: PHP Open Tag Found
933190    PHP Injection Attack: PHP Closing Tag Found
942220    Looking for integer overflow attacks these are taken from skipfish except 3.0.00738585072007e-308 is the \
942240    Detects MySQL charset switch and MSSQL DoS attempts
951110    Microsoft Access SQL Information Leakage
920250    UTF8 Encoding Abuse Attack Attempt
933110    PHP Injection Attack: PHP Script File Upload Found
933170    PHP Injection Attack: Serialized Object Injection
942190    Detects MSSQL code execution and information gathering attempts
944120    Remote Command Execution: Java serialization (CVE-2015-5842)
951160    Frontbase SQL Information Leakage
930110    Path Traversal Attack (/../)
931110    Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
932171    Remote Command Execution: Shellshock (CVE-2014-6271)
942110    SQL Injection Attack: Common Injection Testing Detected
920270    Invalid character in request (null character)
921150    HTTP Header Injection Attack via payload (CR/LF detected)
932120    Remote Command Execution: Windows PowerShell Command Found
941330    IE XSS Filters - Attack Detected.
942360    Detects concatenated basic SQL injection and SQLLFI attempts
951190    ingres SQL Information Leakage
913120    Found request filename/argument associated with security scanner
920160    Content-Length HTTP header is not numeric.
920180    POST without Content-Length or Transfer-Encoding headers.
920121    Attempted multipart/form-data bypass
951240    postgres SQL Information Leakage
920200    Range: Too many fields (6 or more)
920341    Request Containing Content Requires Content-Type header
932105    Remote Command Execution: Unix Command Injection
951150    firebird SQL Information Leakage
951130    DB2 SQL Information Leakage
951180    informix SQL Information Leakage
920260    Unicode Full/Half Width Abuse Attack Attempt
942390    SQL Injection Attack
943100    Possible Session Fixation Attack: Setting Cookie Values in HTML
944100    Remote Command Execution: Suspicious Java class detected
920274    Invalid character in request headers (outside of very strict set)
942230    Detects conditional SQL injection attempts
950100    The Application Returned a 500-Level Status Code
951140    EMC SQL Information Leakage
954120    IIS Information Leakage
913101    Found User-Agent associated with scripting/generic HTTP client
933151    PHP Injection Attack: Medium-Risk PHP Function Name Found
941200    IE XSS Filters - Attack Detected.
942251    Detects HAVING injections