Zum Inhalt springen
Produkte
Plattform
Developer Tools
Portal

CDN WAF-Regelsammlung

Zuletzt aktualisiert am

Die Web Application Firewall von STACKIT CDN nutzt das OWASP Core Rule Set (CRS), um generischen Schutz gegen ein breites Spektrum von Angriffen zu bieten, einschließlich der OWASP Top 10, bei minimalen Fehlalarmen.

Regeln werden in Request-Regeln (Prüfung des eingehenden Traffics) und Response-Regeln (Prüfung des ausgehenden Traffics zur Verhinderung von Datenlecks) unterteilt.

OWASP CRS Request-Regeln

Abschnitt betitelt „OWASP CRS Request-Regeln“

Diese Regeln prüfen eingehende Client-Anfragen, um böswillige Absichten zu erkennen und zu blockieren, bevor sie Ihren Origin erreichen.

Regelgruppe: 911 – Method Enforcement

Abschnitt betitelt „Regelgruppe: 911 – Method Enforcement“

Erzwingt HTTP-Methoden-Richtlinien, um sicherzustellen, dass nur zugelassene Methoden (z. B. GET, POST) verwendet werden.

CodeRegel
911100Method is not allowed by policy

Regelgruppe: 913 – Scanner Detection

Abschnitt betitelt „Regelgruppe: 913 – Scanner Detection“

Identifiziert und blockiert bekannte Sicherheitstools, Schwachstellen-Scanner und Crawler.

CodeRegel
913100Found User-Agent associated with security scanner

Regelgruppe: 921 – Protocol Attack

Abschnitt betitelt „Regelgruppe: 921 – Protocol Attack“

Zielt auf Angriffe ab, die das HTTP-Protokoll ausnutzen, wie Request Smuggling und Header Injection.

CodeRegel
921110HTTP Request Smuggling Attack
921120HTTP Response Splitting Attack
921130HTTP Response Splitting Attack
921140HTTP Header Injection Attack via headers
921150HTTP Header Injection Attack via payload (CR/LF detected)
921160HTTP Header Injection Attack via payload (CR/LF and header-name detected)
921190HTTP Splitting (CR/LF in request filename detected)
921200LDAP Injection Attack
921421Content-Type header: Dangerous content type outside the mime type declaration
921240mod_proxy attack attempt detected
921151HTTP Header Injection Attack via payload (CR/LF detected)
921422Content-Type header: Dangerous content type outside the mime type declaration
921230HTTP Range Header detected
921180HTTP Parameter Pollution (%\{TX.1\})
921210HTTP Parameter Pollution after detecting bogus char after parameter array
921220HTTP Parameter Pollution possible via array notation

Regelgruppe: 922 – Multipart Attack

Abschnitt betitelt „Regelgruppe: 922 – Multipart Attack“

Validiert multipart/form-data-Anfragen, die häufig für Datei-Uploads verwendet werden.

CodeRegel
922100Multipart content type global _charset_ definition is not allowed by policy
922110Illegal MIME Multipart Header content-type: charset parameter
922120Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used

Regelgruppe: 930 – Local File Inclusion (LFI)

Abschnitt betitelt „Regelgruppe: 930 – Local File Inclusion (LFI)“

Verhindert, dass Angreifer über Path Traversal auf sensible Dateien auf dem Server zugreifen.

CodeRegel
930100Path Traversal Attack (/../) or (/…/)
930110Path Traversal Attack (/../) or (/…/)
930120OS File Access Attempt
930130Restricted File Access Attempt
930121OS File Access Attempt in REQUEST_HEADERS

Regelgruppe: 931 – Remote File Inclusion (RFI)

Abschnitt betitelt „Regelgruppe: 931 – Remote File Inclusion (RFI)“

Blockiert Versuche, schädlichen Remote-Code innerhalb der Anwendung einzubinden und auszuführen.

CodeRegel
931100Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address
931110Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
931120Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)
931130Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
931131Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link

Regelgruppe: 932 – Remote Code Execution (RCE)

Abschnitt betitelt „Regelgruppe: 932 – Remote Code Execution (RCE)“

Schützt vor der Ausführung beliebiger Systembefehle (Unix/Windows-Shell) auf dem Origin-Server.

CodeRule
932230Remote Command Execution: Unix Command Injection (2-3 chars)
932235Remote Command Execution: Unix Command Injection (command without evasion)
932120Remote Command Execution: Windows PowerShell Command Found
932125Remote Command Execution: Windows Powershell Alias Command Injection
932130Remote Command Execution: Unix Shell Expression Found
932140Remote Command Execution: Windows FOR/IF Command Found
932250Remote Command Execution: Direct Unix Command Execution
932260Remote Command Execution: Direct Unix Command Execution
932330Remote Command Execution: Unix shell history invocation
932160Remote Command Execution: Unix Shell Code Found
932170Remote Command Execution: Shellshock (CVE-2014-6271)
932171Remote Command Execution: Shellshock (CVE-2014-6271)
932175Remote Command Execution: Unix shell alias invocation
932180Restricted File Upload Attempt
932370Remote Command Execution: Windows Command Injection
932380Remote Command Execution: Windows Command Injection
932231Remote Command Execution: Unix Command Injection
932131Remote Command Execution: Unix Shell Expression Found
932200RCE Bypass Technique
932205RCE Bypass Technique
932206RCE Bypass Technique
932220Remote Command Execution: Unix Command Injection with pipe
932240Remote Command Execution: Unix Command Injection evasion attempt detected
932210Remote Command Execution: SQLite System Command Execution
932300Remote Command Execution: SMTP Command Execution
932310Remote Command Execution: IMAP Command Execution
932320Remote Command Execution: POP3 Command Execution
932236Remote Command Execution: Unix Command Injection (command without evasion)
932239Remote Command Execution: Unix Command Injection found in user-agent or referer header
932161Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS
932232Remote Command Execution: Unix Command Injection
932237Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS
932238Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS
932190Remote Command Execution: Wildcard bypass technique attempt
932301Remote Command Execution: SMTP Command Execution
932311Remote Command Execution: IMAP Command Execution
932321Remote Command Execution: POP3 Command Execution
932331Remote Command Execution: Unix shell history invocation

Regelgruppe: 933 – PHP Injection

Abschnitt betitelt „Regelgruppe: 933 – PHP Injection“

Spezifische Schutzmaßnahmen für PHP-basierte Anwendungen, die auf Script-Injections und Konfigurationsänderungen abzielen.

CodeRule
933100PHP Injection Attack: PHP Open Tag Found
933110PHP Injection Attack: PHP Script File Upload Found
933120PHP Injection Attack: Configuration Directive Found
933130PHP Injection Attack: Variables Found
933140PHP Injection Attack: I/O Stream Found
933200PHP Injection Attack: Wrapper scheme detected
933150PHP Injection Attack: High-Risk PHP Function Name Found
933160PHP Injection Attack: High-Risk PHP Function Call Found
933170PHP Injection Attack: Serialized Object Injection
933180PHP Injection Attack: Variable Function Call Found
933210PHP Injection Attack: Variable Function Call Found
933151PHP Injection Attack: Medium-Risk PHP Function Name Found
933131PHP Injection Attack: Variables Found
933161PHP Injection Attack: Low-Value PHP Function Call Found
933111PHP Injection Attack: PHP Script File Upload Found
933190PHP Injection Attack: PHP Closing Tag Found
933211PHP Injection Attack: Variable Function Call Found

Regelgruppe: 934 – Generische Anwendungsangriffe

Abschnitt betitelt „Regelgruppe: 934 – Generische Anwendungsangriffe“

Deckt eine Vielzahl moderner Anwendungsangriffe ab, darunter Node.js-Injection, SSRF und Prototype Pollution.

CodeRule
934100Node.js Injection Attack 1/2
934110Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter
934130JavaScript Prototype Pollution
934150Ruby Injection Attack
934160Node.js DoS attack
934170PHP data scheme attack
934101Node.js Injection Attack 2/2
934120Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address
934140Perl Injection Attack
934100Node.js Injection Attack

Regelgruppe: 941 – Cross-Site Scripting (XSS)

Abschnitt betitelt „Regelgruppe: 941 – Cross-Site Scripting (XSS)“

Erkennt Skripte, die in Webseiten eingeschleust werden, um im Browser des Endbenutzers ausgeführt zu werden.

CodeRule
941100XSS Attack Detected via libinjection
941110XSS Filter - Category 1: Script Tag Vector
941130XSS Filter - Category 3: Attribute Vector
941140XSS Filter - Category 4: Javascript URI Vector
941160NoScript XSS InjectionChecker: HTML Injection
941170NoScript XSS InjectionChecker: Attribute Injection
941180Node-Validator Deny List Keywords
941190IE XSS Filters - Attack Detected
941200IE XSS Filters - Attack Detected
941210IE XSS Filters - Attack Detected
941220IE XSS Filters - Attack Detected
941230IE XSS Filters - Attack Detected
941240IE XSS Filters - Attack Detected
941250IE XSS Filters - Attack Detected
941260IE XSS Filters - Attack Detected
941270IE XSS Filters - Attack Detected
941280IE XSS Filters - Attack Detected
941290IE XSS Filters - Attack Detected
941300IE XSS Filters - Attack Detected
941310US-ASCII Malformed Encoding XSS Filter - Attack Detected
941350UTF-7 Encoding IE XSS - Attack Detected
941360JSFuck / Hieroglyphy obfuscation detected
941370JavaScript global variable found
941390Javascript method detected
941400XSS JavaScript function without parentheses
941101XSS Attack Detected via libinjection
941120XSS Filter - Category 2: Event Handler Vector
941150XSS Filter - Category 5: Disallowed HTML Attributes
941181Node-Validator Deny List Keywords
941320Possible XSS Attack Detected - HTML Tag Handler
941330IE XSS Filters - Attack Detected
941340IE XSS Filters - Attack Detected
941380AngularJS client side template injection detected

Regelgruppe: 942 – SQL Injection (SQLi)

Abschnitt betitelt „Regelgruppe: 942 – SQL Injection (SQLi)“

Umfassender Schutz gegen SQL-Injection-Versuche, einschließlich Blind SQLi und datenbankspezifischer Payloads.

CodeRule
942100SQL Injection Attack Detected via libinjection
942140SQL Injection Attack: Common DB Names Detected
942151SQL Injection Attack: SQL function name detected
942160Detects blind sqli tests using sleep() or benchmark()
942170Detects SQL benchmark and sleep injection attempts including conditional queries
942190Detects MSSQL code execution and information gathering attempts
942220Looking for integer overflow attacks, magic number crash
942230Detects conditional SQL injection attempts
942240Detects MySQL charset switch and MSSQL DoS attempts
942250Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections
942270Looking for basic SQL injection. Common attack string for mysql, oracle and others
942280Detects Postgres pg_sleep injection, waitfor delay attacks
942290Finds basic MongoDB SQL injection attempts
942320Detects MySQL and PostgreSQL stored procedure/function injections
942350Detects MySQL UDF injection and other data/structure manipulation attempts
942360Detects concatenated basic SQL injection and SQLLFI attempts
942500MySQL in-line comment detected
942540SQL Authentication bypass (split query)
942560MySQL Scientific Notation payload detected
942550JSON-Based SQL Injection
942120SQL Injection Attack: SQL Operator Detected
942130SQL Injection Attack: SQL Boolean-based attack detected
942131SQL Injection Attack: SQL Boolean-based attack detected
942150SQL Injection Attack: SQL function name detected
942180Detects basic SQL authentication bypass attempts 1/3
942200Detects MySQL comment-/space-obfuscated injections and backtick termination
942210Detects chained SQL injection attempts 1/2
942260Detects basic SQL authentication bypass attempts 2/3
942300Detects MySQL comments, conditions and ch(a)r injections
942310Detects chained SQL injection attempts 2/2
942330Detects classic SQL injection probings 1/3
942340Detects basic SQL authentication bypass attempts 3/3
942361Detects basic SQL injection based on keyword alter or union
942362Detects concatenated basic SQL injection and SQLLFI attempts
942370Detects classic SQL injection probings 2/3
942380SQL Injection Attack
942390SQL Injection Attack
942400SQL Injection Attack
942410SQL Injection Attack
942470SQL Injection Attack
942480SQL Injection Attack
942430Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440SQL Comment Sequence Detected
942450SQL Hex Encoding Identified
942510SQLi bypass attempt by ticks or backticks detected
942520Detects basic SQL authentication bypass attempts 4.0/4
942521Detects basic SQL authentication bypass attempts 4.1/4
942522Detects basic SQL authentication bypass attempts 4.1/4
942101SQL Injection Attack Detected via libinjection
942152SQL Injection Attack: SQL function name detected
942321Detects MySQL and PostgreSQL stored procedure/function injections
942251Detects HAVING injections
942490Detects classic SQL injection probings 3/3
942420Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
942431Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
942460Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
942511SQLi bypass attempt by ticks detected
942530SQLi query termination detected
942421Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)

Regelgruppe: 943 – Session Fixation

Abschnitt betitelt „Regelgruppe: 943 – Session Fixation“

Verhindert, dass Angreifer Benutzersitzungen kapern, indem sie eine bekannte Session-ID erzwingen.

CodeRule
943100Possible Session Fixation Attack: Setting Cookie Values in HTML
943110Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
943120Possible Session Fixation Attack: SessionID Parameter Name with No Referer

Regelgruppe: 944 – Java Injection

Abschnitt betitelt „Regelgruppe: 944 – Java Injection“

Zielt auf Java-spezifische Schwachstellen ab, einschließlich Serialisierungsangriffe und Log4shell.

CodeRule
944100Remote Command Execution: Suspicious Java class detected
944110Remote Command Execution: Java process spawn (CVE-2017-9805)
944120Remote Command Execution: Java serialization (CVE-2015-4852)
944130Suspicious Java class detected
944140Java Injection Attack: Java Script File Upload Found
944150Potential Remote Command Execution: Log4j / Log4shell
944151Potential Remote Command Execution: Log4j / Log4shell
944200Magic bytes Detected, probable java serialization in use
944210Magic bytes Detected Base64 Encoded, probable java serialization in use
944240Remote Command Execution: Java serialization (CVE-2015-4852)
944250Remote Command Execution: Suspicious Java method detected
944260Remote Command Execution: Malicious class-loading payload
944300Base64 encoded string matched suspicious keyword
944152Potential Remote Command Execution: Log4j / Log4shell

OWASP CRS Response-Regeln

Abschnitt betitelt „OWASP CRS Response-Regeln“

Diese Regeln prüfen den ausgehenden Traffic von Ihrem Origin, um zu verhindern, dass sensible Informationen an Benutzer oder Angreifer weitergegeben werden.

Regelgruppe: 950 – Allgemeine Datenlecks

Abschnitt betitelt „Regelgruppe: 950 – Allgemeine Datenlecks“

Blockiert Antworten, die Verzeichnislisten, Quellcode oder Anwendungsfehlermeldungen enthalten.

CodeRule
950130Directory Listing
950140CGI source code leakage
950100The Application Returned a 500-Level Status Code

Regelgruppe: 951 – Datenbank-Informationslecks

Abschnitt betitelt „Regelgruppe: 951 – Datenbank-Informationslecks“

Verhindert, dass datenbankspezifische Fehlermeldungen Ihre Backend-Architektur offenlegen.

CodeRule
951110Microsoft Access SQL Information Leakage
951120Oracle SQL Information Leakage
951130DB2 SQL Information Leakage
951140EMC SQL Information Leakage
951150firebird SQL Information Leakage
951160Frontbase SQL Information Leakage
951170hsqldb SQL Information Leakage
951180informix SQL Information Leakage
951190ingres SQL Information Leakage
951200interbase SQL Information Leakage
951210maxDB SQL Information Leakage
951220mssql SQL Information Leakage
951230mysql SQL Information Leakage
951240postgres SQL Information Leakage
951250sqlite SQL Information Leakage
951260Sybase SQL Information Leakage

Regelgruppe: 952 – Java-Informationslecks

Abschnitt betitelt „Regelgruppe: 952 – Java-Informationslecks“

Blockiert die Offenlegung von Java-Quellcode oder Stack Traces.

CodeRule
952100Java Source Code Leakage
952110Java Errors

Regelgruppe: 953 – PHP-Informationslecks

Abschnitt betitelt „Regelgruppe: 953 – PHP-Informationslecks“

Verhindert die Offenlegung von PHP-Quellcode oder internen Informationen.

CodeRule
953100PHP Information Leakage
953110PHP source code leakage
953120PHP source code leakage
953101PHP Information Leakage

Regelgruppe: 954 – IIS-Informationslecks

Abschnitt betitelt „Regelgruppe: 954 – IIS-Informationslecks“

Zielt auf Informationsoffenlegungen ab, die spezifisch für Microsoft Internet Information Services (IIS) sind.

CodeRule
954100Disclosure of IIS install location
954110Application Availability Error
954120IIS Information Leakage
954130IIS Information Leakage

Regelgruppe: 955 – Web Shells

Abschnitt betitelt „Regelgruppe: 955 – Web Shells“

Erkennt Muster, die mit gängigen Web Shells (Backdoors) verbunden sind und Remote-Administration ermöglichen.

CodeRule
955100Web shell detected
955110r57 web shell
955120WSO web shell
955130b4tm4n web shell
955140Mini Shell web shell
955150Ashiyane web shell
955160Symlink_Sa web shell
955170CasuS web shell
955180GRP WebShell
955190NGHshell web shell
955200SimAttacker web shell
955210Unknown web shell
955220lama’s’hell web shell
955230lostDC web shell
955240Unknown web shell
955250Unknown web shell
955260Ru24PostWebShell web shell
955270s72 Shell web shell
955280PhpSpy web shell
955290g00nshell web shell
955300PuNkHoLic shell web shell
955310azrail web shell
955320SmEvK_PaThAn Shell web shell
955330Shell I web shell
955340b374k m1n1 web shell
955350webadmin.php file manager