​
Select Service
WAF Core Rules Reference
Published April 5, 2023 | Last modified October 31, 2024
Core Rule Set Reference
The following table presents the rules of the WAF Core Rule Set (CRS) as defined in the OWASP CRS:
Rule ID | Rule Description |
---|---|
910000 | Request from Known Malicious Client (Based on previous traffic violations). |
910100 | Client IP is from a HIGH Risk Country Location. |
910150 | HTTP Blacklist match for search engine IP |
910160 | HTTP Blacklist match for spammer IP |
910170 | HTTP Blacklist match for suspicious IP |
910180 | HTTP Blacklist match for harvester IP |
911100 | Method is not allowed by policy |
912120 | Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert) |
913100 | Found User-Agent associated with security scanner |
913101 | Found User-Agent associated with scripting/generic HTTP client |
913102 | Found User-Agent associated with web crawler/bot |
913110 | Found request header associated with security scanner |
913120 | Found request filename/argument associated with security scanner |
920100 | Invalid HTTP Request Line |
920120 | Attempted multipart/form-data bypass |
920121 | Attempted multipart/form-data bypass |
920130 | Failed to parse request body. |
920140 | Multipart request body failed strict validation:PE %{REQBODY_PROCESSOR_ERROR},BQ %{MULTIPART_BOUNDARY_QUOTED},BW %{MULTIPART_BOUNDARY_WHITESPACE},DB %{MULTIPART_DATA_BEFORE},DA %{MULTIPART_DATA_AFTER},HF %{MULTIPART_HEADER_FOLDING},LF %{MULTIPART_LF_LINE},SM %{MULTIPART_MISSING_SEMICOLON},IQ %{MULTIPART_INVALID_QUOTING},IH %{MULTIPART_INVALID_HEADER_FOLDING},FLE %{MULTIPART_FILE_LIMIT_EXCEEDED} |
920160 | Content-Length HTTP header is not numeric. |
920170 | GET or HEAD Request with Body Content. |
920171 | GET or HEAD Request with Transfer-Encoding. |
920180 | POST without Content-Length or Transfer-Encoding headers. |
920190 | Range: Invalid Last Byte Value. |
920200 | Range: Too many fields (6 or more) |
920201 | Range: Too many fields for pdf request (63 or more) |
920202 | Range: Too many fields for pdf request (6 or more) |
920210 | Multiple/Conflicting Connection Header Data Found. |
920220 | URL Encoding Abuse Attack Attempt |
920230 | Multiple URL Encoding Detected |
920240 | URL Encoding Abuse Attack Attempt |
920250 | UTF8 Encoding Abuse Attack Attempt |
920260 | Unicode Full/Half Width Abuse Attack Attempt |
920270 | Invalid character in request (null character) |
920271 | Invalid character in request (non printable characters) |
920272 | Invalid character in request (outside of printable chars below ascii 127) |
920273 | Invalid character in request (outside of very strict set) |
920274 | Invalid character in request headers (outside of very strict set) |
920341 | Request Containing Content Requires Content-Type header |
920350 | Host header is a numeric IP address |
920360 | Argument name too long |
920370 | Argument value too long |
920380 | Too many arguments in request |
920390 | Total arguments size exceeded |
920400 | Uploaded file size too large |
920410 | Total uploaded files size too large |
920420 | Request content type is not allowed by policy |
920430 | HTTP protocol version is not allowed by policy |
920440 | URL file extension is restricted by policy |
920450 | HTTP header is restricted by policy (%{MATCHED_VAR}) |
920460 | Abnormal character escapes in request |
920470 | Illegal Content-Type header |
920480 | Request content type charset is not allowed by policy |
921110 | HTTP Request Smuggling Attack |
921120 | HTTP Response Splitting Attack |
921130 | HTTP Response Splitting Attack |
921140 | HTTP Header Injection Attack via headers |
921150 | HTTP Header Injection Attack via payload (CR/LF detected) |
921151 | HTTP Header Injection Attack via payload (CR/LF detected) |
921160 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
930100 | Path Traversal Attack (/../) |
930110 | Path Traversal Attack (/../) |
930120 | OS File Access Attempt |
930130 | Restricted File Access Attempt |
931100 | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address |
931110 | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload |
931120 | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) |
931130 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
932100 | Remote Command Execution: Unix Command Injection |
932105 | Remote Command Execution: Unix Command Injection |
932106 | Remote Command Execution: Unix Command Injection |
932110 | Remote Command Execution: Windows Command Injection |
932115 | Remote Command Execution: Windows Command Injection |
932120 | Remote Command Execution: Windows PowerShell Command Found |
932130 | Remote Command Execution: Unix Shell Expression Found |
932140 | Remote Command Execution: Windows FOR/IF Command Found |
932150 | Remote Command Execution: Direct Unix Command Execution |
932160 | Remote Command Execution: Unix Shell Code Found |
932170 | Remote Command Execution: Shellshock (CVE-2014-6271) |
932171 | Remote Command Execution: Shellshock (CVE-2014-6271) |
932180 | Restricted File Upload Attempt |
932190 | Remote Command Execution: Wildcard bypass technique attempt |
933100 | PHP Injection Attack: PHP Open Tag Found |
933110 | PHP Injection Attack: PHP Script File Upload Found |
933111 | PHP Injection Attack: PHP Script File Upload Found |
933120 | PHP Injection Attack: Configuration Directive Found |
933130 | PHP Injection Attack: Variables Found |
933131 | PHP Injection Attack: Variables Found |
933140 | PHP Injection Attack: I/O Stream Found |
933150 | PHP Injection Attack: High-Risk PHP Function Name Found |
933151 | PHP Injection Attack: Medium-Risk PHP Function Name Found |
933160 | PHP Injection Attack: High-Risk PHP Function Call Found |
933161 | PHP Injection Attack: Low-Value PHP Function Call Found |
933170 | PHP Injection Attack: Serialized Object Injection |
933180 | PHP Injection Attack: Variable Function Call Found |
933190 | PHP Injection Attack: PHP Closing Tag Found |
941100 | XSS Attack Detected via libinjection |
941101 | XSS Attack Detected via libinjection |
941110 | XSS Filter - Category 1: Script Tag Vector |
941120 | XSS Filter - Category 2: Event Handler Vector |
941130 | XSS Filter - Category 3: Attribute Vector |
941140 | XSS Filter - Category 4: Javascript URI Vector |
941150 | XSS Filter - Category 5: Disallowed HTML Attributes |
941160 | NoScript XSS InjectionChecker: HTML Injection |
941170 | NoScript XSS InjectionChecker: Attribute Injection |
941180 | Node-Validator Blacklist Keywords |
941190 | IE XSS Filters - Attack Detected. |
941200 | IE XSS Filters - Attack Detected. |
941210 | IE XSS Filters - Attack Detected. |
941220 | IE XSS Filters - Attack Detected. |
941230 | IE XSS Filters - Attack Detected. |
941240 | IE XSS Filters - Attack Detected. |
941250 | IE XSS Filters - Attack Detected. |
941260 | IE XSS Filters - Attack Detected. |
941270 | IE XSS Filters - Attack Detected. |
941280 | IE XSS Filters - Attack Detected. |
941290 | IE XSS Filters - Attack Detected. |
941300 | IE XSS Filters - Attack Detected. |
941310 | US-ASCII Malformed Encoding XSS Filter - Attack Detected. |
941320 | Possible XSS Attack Detected - HTML Tag Handler |
941330 | IE XSS Filters - Attack Detected. |
941340 | IE XSS Filters - Attack Detected. |
941350 | UTF-7 Encoding IE XSS - Attack Detected. |
942100 | SQL Injection Attack Detected via libinjection |
942110 | SQL Injection Attack: Common Injection Testing Detected |
942120 | SQL Injection Attack: SQL Operator Detected |
942130 | SQL Injection Attack: SQL Tautology Detected. |
942140 | SQL Injection Attack: Common DB Names Detected |
942150 | SQL Injection Attack |
942160 | Detects blind sqli tests using sleep() or benchmark(). |
942170 | Detects SQL benchmark and sleep injection attempts including conditional queries |
942180 | Detects basic SQL authentication bypass attempts 1/3 |
942190 | Detects MSSQL code execution and information gathering attempts |
942200 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
942210 | Detects chained SQL injection attempts 1/2 |
942220 | Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \ |
942230 | Detects conditional SQL injection attempts |
942240 | Detects MySQL charset switch and MSSQL DoS attempts |
942250 | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections |
942251 | Detects HAVING injections |
942260 | Detects basic SQL authentication bypass attempts 2/3 |
942270 | Looking for basic sql injection. Common attack string for mysql, oracle and others. |
942280 | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts |
942290 | Finds basic MongoDB SQL injection attempts |
942300 | Detects MySQL comments, conditions and ch(a)r injections |
942310 | Detects chained SQL injection attempts 2/2 |
942320 | Detects MySQL and PostgreSQL stored procedure/function injections |
942330 | Detects classic SQL injection probings 1/3 |
942340 | Detects basic SQL authentication bypass attempts 3/3 |
942350 | Detects MySQL UDF injection and other data/structure manipulation attempts |
942360 | Detects concatenated basic SQL injection and SQLLFI attempts |
942361 | Detects basic SQL injection based on keyword alter or union |
942370 | Detects classic SQL injection probings 2/3 |
942380 | SQL Injection Attack |
942390 | SQL Injection Attack |
942400 | SQL Injection Attack |
942410 | SQL Injection Attack |
942420 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
942421 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
942430 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
942431 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
942432 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
942440 | SQL Comment Sequence Detected. |
942450 | SQL Hex Encoding Identified |
942460 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
942470 | SQL Injection Attack |
942480 | SQL Injection Attack |
942490 | Detects classic SQL injection probings 3/3 |
943100 | Possible Session Fixation Attack: Setting Cookie Values in HTML |
943110 | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
943120 | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
944100 | Remote Command Execution: Suspicious Java class detected |
944110 | Remote Command Execution: Java process spawn (CVE-2017-9805) |
944120 | Remote Command Execution: Java serialization (CVE-2015-5842) |
944130 | Suspicious Java class detected |
944200 | Magic bytes Detected, probable java serialization in use |
944210 | Magic bytes Detected Base64 Encoded, probable java serialization in use |
944240 | Remote Command Execution: Java serialization (CVE-2015-5842) |
944250 | Remote Command Execution: Suspicious Java method detected |
944300 | Base64 encoded string matched suspicious keyword |
950100 | The Application Returned a 500-Level Status Code |
950130 | Directory Listing |
951110 | Microsoft Access SQL Information Leakage |
951120 | Oracle SQL Information Leakage |
951130 | DB2 SQL Information Leakage |
951140 | EMC SQL Information Leakage |
951150 | firebird SQL Information Leakage |
951160 | Frontbase SQL Information Leakage |
951170 | hsqldb SQL Information Leakage |
951180 | informix SQL Information Leakage |
951190 | ingres SQL Information Leakage |
951200 | interbase SQL Information Leakage |
951210 | maxDB SQL Information Leakage |
951220 | mssql SQL Information Leakage |
951230 | mysql SQL Information Leakage |
951240 | postgres SQL Information Leakage |
951250 | sqlite SQL Information Leakage |
951260 | Sybase SQL Information Leakage |
952100 | Java Source Code Leakage |
952110 | Java Errors |
953100 | PHP Information Leakage |
953110 | PHP source code leakage |
953120 | PHP source code leakage |
954100 | Disclosure of IIS install location |
954110 | Application Availability Error |
954120 | IIS Information Leakage |
954130 | IIS Information Leakage |
4295001 | Enable Drupal specific CRS exclusions |
4295002 | Enable Wordpress specific CRS exclusions |
4295003 | Enable Cpanel specific CRS exclusions |
4295004 | Enable Dokuwiki specific CRS exclusions |
4295005 | Enable Nextcloud specific CRS exclusions |
4295006 | Enable Xenforo specific CRS exclusions |