​

WAF Core Rules Reference

Published April 5, 2023 | Last modified October 31, 2024

Core Rule Set Reference

The following table presents the rules of the WAF Core Rule Set (CRS) as defined in the OWASP CRS:

Rule IDRule Description
910000Request from Known Malicious Client (Based on previous traffic violations).
910100Client IP is from a HIGH Risk Country Location.
910150HTTP Blacklist match for search engine IP
910160HTTP Blacklist match for spammer IP
910170HTTP Blacklist match for suspicious IP
910180HTTP Blacklist match for harvester IP
911100Method is not allowed by policy
912120Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)
913100Found User-Agent associated with security scanner
913101Found User-Agent associated with scripting/generic HTTP client
913102Found User-Agent associated with web crawler/bot
913110Found request header associated with security scanner
913120Found request filename/argument associated with security scanner
920100Invalid HTTP Request Line
920120Attempted multipart/form-data bypass
920121Attempted multipart/form-data bypass
920130Failed to parse request body.
920140Multipart request body failed strict validation:PE %{REQBODY_PROCESSOR_ERROR},BQ %{MULTIPART_BOUNDARY_QUOTED},BW %{MULTIPART_BOUNDARY_WHITESPACE},DB %{MULTIPART_DATA_BEFORE},DA %{MULTIPART_DATA_AFTER},HF %{MULTIPART_HEADER_FOLDING},LF %{MULTIPART_LF_LINE},SM %{MULTIPART_MISSING_SEMICOLON},IQ %{MULTIPART_INVALID_QUOTING},IH %{MULTIPART_INVALID_HEADER_FOLDING},FLE %{MULTIPART_FILE_LIMIT_EXCEEDED}
920160Content-Length HTTP header is not numeric.
920170GET or HEAD Request with Body Content.
920171GET or HEAD Request with Transfer-Encoding.
920180POST without Content-Length or Transfer-Encoding headers.
920190Range: Invalid Last Byte Value.
920200Range: Too many fields (6 or more)
920201Range: Too many fields for pdf request (63 or more)
920202Range: Too many fields for pdf request (6 or more)
920210Multiple/Conflicting Connection Header Data Found.
920220URL Encoding Abuse Attack Attempt
920230Multiple URL Encoding Detected
920240URL Encoding Abuse Attack Attempt
920250UTF8 Encoding Abuse Attack Attempt
920260Unicode Full/Half Width Abuse Attack Attempt
920270Invalid character in request (null character)
920271Invalid character in request (non printable characters)
920272Invalid character in request (outside of printable chars below ascii 127)
920273Invalid character in request (outside of very strict set)
920274Invalid character in request headers (outside of very strict set)
920341Request Containing Content Requires Content-Type header
920350Host header is a numeric IP address
920360Argument name too long
920370Argument value too long
920380Too many arguments in request
920390Total arguments size exceeded
920400Uploaded file size too large
920410Total uploaded files size too large
920420Request content type is not allowed by policy
920430HTTP protocol version is not allowed by policy
920440URL file extension is restricted by policy
920450HTTP header is restricted by policy (%{MATCHED_VAR})
920460Abnormal character escapes in request
920470Illegal Content-Type header
920480Request content type charset is not allowed by policy
921110HTTP Request Smuggling Attack
921120HTTP Response Splitting Attack
921130HTTP Response Splitting Attack
921140HTTP Header Injection Attack via headers
921150HTTP Header Injection Attack via payload (CR/LF detected)
921151HTTP Header Injection Attack via payload (CR/LF detected)
921160HTTP Header Injection Attack via payload (CR/LF and header-name detected)
930100Path Traversal Attack (/../)
930110Path Traversal Attack (/../)
930120OS File Access Attempt
930130Restricted File Access Attempt
931100Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address
931110Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
931120Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)
931130Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
932100Remote Command Execution: Unix Command Injection
932105Remote Command Execution: Unix Command Injection
932106Remote Command Execution: Unix Command Injection
932110Remote Command Execution: Windows Command Injection
932115Remote Command Execution: Windows Command Injection
932120Remote Command Execution: Windows PowerShell Command Found
932130Remote Command Execution: Unix Shell Expression Found
932140Remote Command Execution: Windows FOR/IF Command Found
932150Remote Command Execution: Direct Unix Command Execution
932160Remote Command Execution: Unix Shell Code Found
932170Remote Command Execution: Shellshock (CVE-2014-6271)
932171Remote Command Execution: Shellshock (CVE-2014-6271)
932180Restricted File Upload Attempt
932190Remote Command Execution: Wildcard bypass technique attempt
933100PHP Injection Attack: PHP Open Tag Found
933110PHP Injection Attack: PHP Script File Upload Found
933111PHP Injection Attack: PHP Script File Upload Found
933120PHP Injection Attack: Configuration Directive Found
933130PHP Injection Attack: Variables Found
933131PHP Injection Attack: Variables Found
933140PHP Injection Attack: I/O Stream Found
933150PHP Injection Attack: High-Risk PHP Function Name Found
933151PHP Injection Attack: Medium-Risk PHP Function Name Found
933160PHP Injection Attack: High-Risk PHP Function Call Found
933161PHP Injection Attack: Low-Value PHP Function Call Found
933170PHP Injection Attack: Serialized Object Injection
933180PHP Injection Attack: Variable Function Call Found
933190PHP Injection Attack: PHP Closing Tag Found
941100XSS Attack Detected via libinjection
941101XSS Attack Detected via libinjection
941110XSS Filter - Category 1: Script Tag Vector
941120XSS Filter - Category 2: Event Handler Vector
941130XSS Filter - Category 3: Attribute Vector
941140XSS Filter - Category 4: Javascript URI Vector
941150XSS Filter - Category 5: Disallowed HTML Attributes
941160NoScript XSS InjectionChecker: HTML Injection
941170NoScript XSS InjectionChecker: Attribute Injection
941180Node-Validator Blacklist Keywords
941190IE XSS Filters - Attack Detected.
941200IE XSS Filters - Attack Detected.
941210IE XSS Filters - Attack Detected.
941220IE XSS Filters - Attack Detected.
941230IE XSS Filters - Attack Detected.
941240IE XSS Filters - Attack Detected.
941250IE XSS Filters - Attack Detected.
941260IE XSS Filters - Attack Detected.
941270IE XSS Filters - Attack Detected.
941280IE XSS Filters - Attack Detected.
941290IE XSS Filters - Attack Detected.
941300IE XSS Filters - Attack Detected.
941310US-ASCII Malformed Encoding XSS Filter - Attack Detected.
941320Possible XSS Attack Detected - HTML Tag Handler
941330IE XSS Filters - Attack Detected.
941340IE XSS Filters - Attack Detected.
941350UTF-7 Encoding IE XSS - Attack Detected.
942100SQL Injection Attack Detected via libinjection
942110SQL Injection Attack: Common Injection Testing Detected
942120SQL Injection Attack: SQL Operator Detected
942130SQL Injection Attack: SQL Tautology Detected.
942140SQL Injection Attack: Common DB Names Detected
942150SQL Injection Attack
942160Detects blind sqli tests using sleep() or benchmark().
942170Detects SQL benchmark and sleep injection attempts including conditional queries
942180Detects basic SQL authentication bypass attempts 1/3
942190Detects MSSQL code execution and information gathering attempts
942200Detects MySQL comment-/space-obfuscated injections and backtick termination
942210Detects chained SQL injection attempts 1/2
942220Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \
942230Detects conditional SQL injection attempts
942240Detects MySQL charset switch and MSSQL DoS attempts
942250Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections
942251Detects HAVING injections
942260Detects basic SQL authentication bypass attempts 2/3
942270Looking for basic sql injection. Common attack string for mysql, oracle and others.
942280Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts
942290Finds basic MongoDB SQL injection attempts
942300Detects MySQL comments, conditions and ch(a)r injections
942310Detects chained SQL injection attempts 2/2
942320Detects MySQL and PostgreSQL stored procedure/function injections
942330Detects classic SQL injection probings 1/3
942340Detects basic SQL authentication bypass attempts 3/3
942350Detects MySQL UDF injection and other data/structure manipulation attempts
942360Detects concatenated basic SQL injection and SQLLFI attempts
942361Detects basic SQL injection based on keyword alter or union
942370Detects classic SQL injection probings 2/3
942380SQL Injection Attack
942390SQL Injection Attack
942400SQL Injection Attack
942410SQL Injection Attack
942420Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
942421Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
942430Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942431Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
942432Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
942440SQL Comment Sequence Detected.
942450SQL Hex Encoding Identified
942460Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
942470SQL Injection Attack
942480SQL Injection Attack
942490Detects classic SQL injection probings 3/3
943100Possible Session Fixation Attack: Setting Cookie Values in HTML
943110Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
943120Possible Session Fixation Attack: SessionID Parameter Name with No Referer
944100Remote Command Execution: Suspicious Java class detected
944110Remote Command Execution: Java process spawn (CVE-2017-9805)
944120Remote Command Execution: Java serialization (CVE-2015-5842)
944130Suspicious Java class detected
944200Magic bytes Detected, probable java serialization in use
944210Magic bytes Detected Base64 Encoded, probable java serialization in use
944240Remote Command Execution: Java serialization (CVE-2015-5842)
944250Remote Command Execution: Suspicious Java method detected
944300Base64 encoded string matched suspicious keyword
950100The Application Returned a 500-Level Status Code
950130Directory Listing
951110Microsoft Access SQL Information Leakage
951120Oracle SQL Information Leakage
951130DB2 SQL Information Leakage
951140EMC SQL Information Leakage
951150firebird SQL Information Leakage
951160Frontbase SQL Information Leakage
951170hsqldb SQL Information Leakage
951180informix SQL Information Leakage
951190ingres SQL Information Leakage
951200interbase SQL Information Leakage
951210maxDB SQL Information Leakage
951220mssql SQL Information Leakage
951230mysql SQL Information Leakage
951240postgres SQL Information Leakage
951250sqlite SQL Information Leakage
951260Sybase SQL Information Leakage
952100Java Source Code Leakage
952110Java Errors
953100PHP Information Leakage
953110PHP source code leakage
953120PHP source code leakage
954100Disclosure of IIS install location
954110Application Availability Error
954120IIS Information Leakage
954130IIS Information Leakage
4295001Enable Drupal specific CRS exclusions
4295002Enable Wordpress specific CRS exclusions
4295003Enable Cpanel specific CRS exclusions
4295004Enable Dokuwiki specific CRS exclusions
4295005Enable Nextcloud specific CRS exclusions
4295006Enable Xenforo specific CRS exclusions
On this page: