# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.10
# Copyright (C) 2006-2010 Trustwave All rights reserved.
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# XSS Detection - Missing Output Encoding
# Initialise the persistent GLOBAL collection (record "xss_list") that the
# stored-XSS rules further down write to and read from. Runs in phase 1 on
# every request, silently (nolog) and non-disruptively (pass).
# NOTE(review): persistent collections need SecDataDir to be configured and
# writable by the web server; nothing in this file sets it — confirm in the
# main configuration.
# NOTE(review): no rule id here; newer engines require a unique id on every
# rule/action, so add one before using this file with a later ModSecurity.
SecAction "phase:1,nolog,pass,initcol:global=xss_list"
# Identifies Reflected XSS
# If malicious input (with Meta-Characters) is echoed back in the reply non-encoded.
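# Reflected XSS: deny the response (403) when a request argument containing
# XSS meta-characters is echoed back into the response body unencoded.
# Chain semantics: all links must match; the disruptive action, id and
# message live on the first link, the audit-log tweak on the last.
#   1. the request carries at least one argument;
#   2. some argument contains one of  ' " ( ) ; < > #  (MATCHED_VAR then
#      holds that argument's value);
#   3. that value is at least 15 characters long — the length gate reduces
#      false positives on short legitimate input. (?s) makes "." match a
#      newline, so a value containing an embedded line break is measured on
#      its whole length instead of silently failing the gate;
#   4. the response body contains the value verbatim (the TX variable is
#      expanded into the @contains operand); the response body is then added
#      to the audit log (part E).
# Side effect: link 3 records the value in tx.inbound_meta-characters as soon
# as links 1-3 match, whether or not link 4 does; the stored-XSS rules below
# depend on that.
# NOTE(review): this rule blocks in phase 4, so any page that legitimately
# echoes user input (search results, form re-display) is denied for input of
# 15+ characters containing e.g. a quote or parenthesis. Run it with "pass"
# until validated on the application. Needs SecResponseBodyAccess On and a
# body within SecResponseBodyLimit; only one argument value is checked (the
# one MATCHED_VAR holds after link 2).
# NOTE(review): id:'1' is a placeholder — assign a project-unique id.
SecRule &ARGS "@gt 0" "chain,phase:4,t:none,log,auditlog,deny,status:403,id:'1',msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded.',logdata:'%{tx.inbound_meta-characters}'"
SecRule ARGS "([\'\"\(\)\;<>#])" "chain,t:none"
SecRule MATCHED_VAR "(?s)^.{15,}$" "chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}"
SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E"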
# Check whether the TX XSS data is already in the GLOBAL list. If it is, skip the rule that would store it again (the entry is not expired).
# Maintain the GLOBAL list of suspicious input used by the stored-XSS check.
# If the value captured in tx.inbound_meta-characters (by the reflected-XSS
# chain above) already equals an existing GLOBAL:XSS_LIST_* entry, skip the
# next rule so it is not recorded twice; otherwise store it under a key
# suffixed with the current epoch second. When tx.inbound_meta-characters is
# unset the second rule has no target variable and records nothing.
# NOTE(review): entries are never expired (no expirevar), so the collection
# grows without bound and every later response is compared against all of it
# by the @within rule below.
# NOTE(review): the key uses time_epoch, i.e. one-second resolution; two
# distinct values recorded within the same second overwrite each other.
SecRule GLOBAL:'/XSS_LIST_.*/' "@streq %{tx.inbound_meta-characters}" "phase:4,t:none,nolog,pass,skip:1"
SecRule TX:INBOUND_META-CHARACTERS ".*" "phase:4,t:none,nolog,pass,setvar:global.xss_list_%{time_epoch}=%{matched_var}"
# Identifies Stored XSS
# If malicious input (with Meta-Characters) is echoed back on any page non-encoded.
# Stored XSS: on every response, check whether any value previously recorded
# in GLOBAL:XSS_LIST_* appears verbatim in the response body (the whole body
# is expanded into the @within operand). Detection only (pass); the hit is
# logged and audit-logged with tag WEB_ATTACK/XSS.
# NOTE(review): requires SecResponseBodyAccess On. Cost is one substring
# search per stored entry per response, and the list is never pruned.
# NOTE(review): a match only shows that raw input reached a page unencoded;
# it cannot tell whether that page is served to other users, so treat it as
# a lead for manual review rather than proof of stored XSS.
SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" "phase:4,t:none,log,auditlog,pass,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded',tag:'WEB_ATTACK/XSS'"
# Identifies session-ID cookies set without the HttpOnly flag (and, on TLS responses, without the Secure flag) and rewrites the Set-Cookie header to add the missing flag(s)
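# Capture the Set-Cookie header that issues the session cookie so the rules
# below can inspect its attributes. The name list covers common session
# cookie names (JSESSIONID, PHPSESSID, ASP.NET_SessionId, CFID/CFTOKEN, sid,
# ...). The match is confined to the cookie-name part of the header, i.e.
# the text before the first "=": an unanchored match would also fire on a
# cookie whose value or attributes merely contain "sid" or "session" (e.g.
# "pref=reside; Path=/session/"), and that cookie would then be rewritten by
# the Header directives at the end of this file. MATCHED_VAR is the complete
# header value, so tx.sessionid still carries the full "name=value; attrs"
# string. Runs in phase 3 (response headers), silently. If several
# Set-Cookie headers match, the last one processed is the one kept.
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:^[^=;]*(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)[^=;]*=)" "phase:3,t:none,pass,nolog,setvar:tx.sessionid=%{matched_var}"
# Flag the captured session cookie when it lacks the HttpOnly attribute
# (case-insensitive, optional surrounding "; "). The original header value is
# exported to the Apache env var httponly_cookie for the matching Header
# directive at the end of this file, and the defect is logged.
# NOTE(review): this also fires when Secure is missing too; on a port-443
# response the combined rule further down then exports its own env var, and
# its Header directive, being last in the file, produces the final header.
SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "phase:3,t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag.'"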
# Flag the session cookie when the response is served on port 443 but the
# cookie lacks the Secure attribute; export the header value to the Apache
# env var secure_cookie for the matching Header directive at the end of this
# file. The log/auditlog/msg on the first link apply once the chain matches.
# NOTE(review): SERVER_PORT 443 is the only TLS signal used; behind a
# TLS-terminating proxy, or on a non-standard HTTPS port, this never fires.
# An HTTPS indicator (e.g. the env var set by mod_ssl) may be a better test —
# verify what the deployment exposes.
SecRule SERVER_PORT "@streq 443" "chain,phase:3,t:none,pass,log,auditlog,msg:'AppDefect: Missing Secure Cookie Flag.'"
SecRule TX:SESSIONID "!(?i:\;? ?secure;?)" "t:none,setenv:secure_cookie=%{matched_var}"
# Both attributes missing on a port-443 response: export the header value to
# env var secure_httponly_cookie so the final Header directive can add both
# flags in a single rewrite. When this chain matches, the two single-flag
# rules above have matched as well; the combined Header directive is last in
# the file and therefore yields the final header.
# The first link re-exports httponly_cookie on its own match (a link's
# non-disruptive actions run when that link matches, even if a later link
# fails); this duplicates the rule above and is harmless.
SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "chain,phase:3,t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly and Secure Cookie Flag.'"
SecRule SERVER_PORT "@streq 443" "chain,t:none"
SecRule TX:SESSIONID "!(?i:\;? ?secure;?)" "t:none,setenv:secure_httponly_cookie=%{matched_var}"
# Rewrite the flagged Set-Cookie header with the missing attribute(s). Each
# env var holds the original header value exported by the rules above
# (setenv:...=%{matched_var}); mod_headers appends the attribute and writes
# the header back.
# Order matters: when both flags are missing all three env vars are set, so
# all three directives run and the last one ("; Secure; HTTPOnly") wins.
# Keep the combined directive last.
# NOTE(review): "Header set" replaces every Set-Cookie header in the
# response with this single value, so a response that sets more than one
# cookie loses the others. A per-header rewrite ("Header edit", where the
# Apache version supports it) avoids that — verify against the version in
# use and re-test multi-cookie responses.
# NOTE(review): plain "Header" (without "always") may not apply to every
# response status; if the session cookie is issued on a redirect or error
# page, confirm the rewrite still happens there.
# The attribute is spelled "HTTPOnly" here; RFC 6265 writes it "HttpOnly",
# but browsers compare attribute names case-insensitively.
Header set Set-Cookie "%{httponly_cookie}e; HTTPOnly" env=httponly_cookie
Header set Set-Cookie "%{secure_cookie}e; Secure" env=secure_cookie
Header set Set-Cookie "%{secure_httponly_cookie}e; Secure; HTTPOnly" env=secure_httponly_cookie