Skip to content
Products
Platform
Developer Tools
Portal

Edge rules

This page lists the edge rules implemented in STACKIT Content Delivery Network (CDN) Web Application Firewall (WAF).

Rule collection - OWASP CRS request

Section titled “Rule collection - OWASP CRS request”

Rule group: 911 - Method enforcement

Section titled “Rule group: 911 - Method enforcement”
CodeRule
911100Method is not allowed by policy

Rule group: 913 - Scanner detection

Section titled “Rule group: 913 - Scanner detection”

These rules focus on detecting security tools and scanners.

CodeRule
913100Found user-agent associated with security scanner

Rule group: 922 - Multipart attack

Section titled “Rule group: 922 - Multipart attack”
CodeRule
922100Multipart content type global _charset_ definition is not allowed by policy
922110Illegal MIME multipart header content-type: charset parameter
922120Content-Transfer-Encoding was deprecated by RFC 7578 in 2015 and should not be used

Rule group: 921 - Protocol attack

Section titled “Rule group: 921 - Protocol attack”

The rules in this table target specific attacks on the HTTP protocol, such as HTTP request smuggling and response splitting.

CodeRule
921110HTTP Request Smuggling Attack
921120HTTP Response Splitting Attack
921130HTTP Response Splitting Attack
921140HTTP Header Injection Attack via headers
921150HTTP Header Injection Attack via payload (CR/LF detected)
921160HTTP Header Injection Attack via payload (CR/LF and header-name detected)
921190HTTP Splitting (CR/LF in request filename detected)
921200LDAP Injection Attack
921421Content-Type header: Dangerous content type outside the mime type declaration
921240mod_proxy attack attempt detected
921151HTTP Header Injection Attack via payload (CR/LF detected)
921422Content-Type header: Dangerous content type outside the mime type declaration
921230HTTP Range Header detected
921180HTTP Parameter Pollution ( %{TX.1} )
921210HTTP Parameter Pollution after detecting bogus char after parameter array
921220HTTP Parameter Pollution possible via array notation

Rule group: 930 - Application attack LFI

Section titled “Rule group: 930 - Application attack LFI”

These rules detect attempts to include files that are local to the web server and should not be accessible to users. Exploiting this type of attack can compromise the web application or server.

CodeRule
930100Path Traversal Attack (/../) or (/…/)
930110Path Traversal Attack (/../) or (/…/)
930120OS File Access Attempt
930130Restricted File Access Attempt
930121OS File Access Attempt in REQUEST_HEADERS

Rule group: 931 - Application attack RFI

Section titled “Rule group: 931 - Application attack RFI”

These rules detect attempts to include remote resources in the web application that may be executed. Exploiting this type of attack can compromise the web application or server.

CodeRule
931100Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address
931110Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
931120Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character
931130Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
931131Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link

Rule group: 932 - Application attack RCE

Section titled “Rule group: 932 - Application attack RCE”
CodeRule
932230Remote Command Execution: Unix Command Injection (2-3 chars)
932235Remote Command Execution: Unix Command Injection (command without evasion)
932120Remote Command Execution: Windows PowerShell Command Found
932125Remote Command Execution: Windows Powershell Alias Command Injection
932130Remote Command Execution: Unix Shell Expression Found
932140Remote Command Execution: Windows FOR/IF Command Found
932250Remote Command Execution: Direct Unix Command Execution
932260Remote Command Execution: Direct Unix Command Execution
932330Remote Command Execution: Unix shell history invocation
932160Remote Command Execution: Unix Shell Code Found
932170Remote Command Execution: Shellshock (CVE-2014-6271)
932171Remote Command Execution: Shellshock (CVE-2014-6271)
932175Remote Command Execution: Unix shell alias invocation
932180Restricted File Upload Attempt
932370Remote Command Execution: Windows Command Injection
932380Remote Command Execution: Windows Command Injection
932231Remote Command Execution: Unix Command Injection
932131Remote Command Execution: Unix Shell Expression Found
932200RCE Bypass Technique
932205RCE Bypass Technique
932206RCE Bypass Technique
932220Remote Command Execution: Unix Command Injection with pipe
932240Remote Command Execution: Unix Command Injection evasion attempt detected
932210Remote Command Execution: SQLite System Command Execution
932300Remote Command Execution: SMTP Command Execution
932310Remote Command Execution: IMAP Command Execution
932320Remote Command Execution: POP3 Command Execution
932236Remote Command Execution: Unix Command Injection (command without evasion)
932239Remote Command Execution: Unix Command Injection found in user-agent or referer header
932161Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS
932232Remote Command Execution: Unix Command Injection
932237Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS
932238Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS
932190Remote Command Execution: Wildcard bypass technique attempt
932301Remote Command Execution: SMTP Command Execution
932311Remote Command Execution: IMAP Command Execution
932321Remote Command Execution: POP3 Command Execution
932331Remote Command Execution: Unix shell history invocation

Rule group: 933 - Application attack PHP

Section titled “Rule group: 933 - Application attack PHP”
CodeRule
933100PHP Injection Attack: PHP Open Tag Found
933110PHP Injection Attack: PHP Script File Upload Found
933120PHP Injection Attack: Configuration Directive Found
933130PHP Injection Attack: Variables Found
933140PHP Injection Attack: I/O Stream Found
933200PHP Injection Attack: Wrapper scheme detected
933150PHP Injection Attack: High-Risk PHP Function Name Found
933160PHP Injection Attack: High-Risk PHP Function Call Found
933170PHP Injection Attack: Serialized Object Injection
933180PHP Injection Attack: Variable Function Call Found
933210PHP Injection Attack: Variable Function Call Found
933151PHP Injection Attack: Medium-Risk PHP Function Name Found
933131PHP Injection Attack: Variables Found
933161PHP Injection Attack: Low-Value PHP Function Call Found
933111PHP Injection Attack: PHP Script File Upload Found
933190PHP Injection Attack: PHP Closing Tag Found
933211PHP Injection Attack: Variable Function Call Found

Rule group: 934 - Application attack GENERIC

Section titled “Rule group: 934 - Application attack GENERIC”
CodeRule
934100Node.js Injection Attack 1/2
934110Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter
934130JavaScript Prototype Pollution
934150Ruby Injection Attack
934160Node.js DoS attack
934170PHP data scheme attack
934101Node.js Injection Attack 2/2
934120Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address
934140Perl Injection Attack
934100Node.js Injection Attack

Rule group: 941 - Application attack XSS

Section titled “Rule group: 941 - Application attack XSS”
CodeRule
941100XSS Attack Detected via libinjection
941110XSS Filter - Category 1: Script Tag Vector
941130XSS Filter - Category 3: Attribute Vector
941140XSS Filter - Category 4: Javascript URI Vector
941160NoScript XSS InjectionChecker: HTML Injection
941170NoScript XSS InjectionChecker: Attribute Injection
941180Node-Validator Deny List Keywords
941190IE XSS Filters - Attack Detected
941200IE XSS Filters - Attack Detected
941210IE XSS Filters - Attack Detected
941220IE XSS Filters - Attack Detected
941230IE XSS Filters - Attack Detected
941240IE XSS Filters - Attack Detected
941250IE XSS Filters - Attack Detected
941260IE XSS Filters - Attack Detected
941270IE XSS Filters - Attack Detected
941280IE XSS Filters - Attack Detected
941290IE XSS Filters - Attack Detected
941300IE XSS Filters - Attack Detected
941310US-ASCII Malformed Encoding XSS Filter - Attack Detected
941350UTF-7 Encoding IE XSS - Attack Detected
941360JSFuck / Hieroglyphy obfuscation detected
941370JavaScript global variable found
941390Javascript method detected
941400XSS JavaScript function without parentheses
941101XSS Attack Detected via libinjection
941120XSS Filter - Category 2: Event Handler Vector
941150XSS Filter - Category 5: Disallowed HTML Attributes
941181Node-Validator Deny List Keywords
941320Possible XSS Attack Detected - HTML Tag Handler
941330IE XSS Filters - Attack Detected
941340IE XSS Filters - Attack Detected
941380AngularJS client side template injection detected

Rule group: 942 - Application attack SQL injection

Section titled “Rule group: 942 - Application attack SQL injection”

This table lists rules that protect against SQL injection (SQLi) attacks. SQL injection occurs when an attacker sends specially crafted control characters to parameters intended for data only. The application then passes these characters to the database, which can alter the intended meaning of the SQL query.

CodeRule
942100SQL Injection Attack Detected via libinjection
942140SQL Injection Attack: Common DB Names Detected
942151SQL Injection Attack: SQL function name detected
942160Detects blind sqli tests using sleep() or benchmark()
942170Detects SQL benchmark and sleep injection attempts including conditional queries
942190Detects MSSQL code execution and information gathering attempts
942220Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the “magic number” crash
942230Detects conditional SQL injection attempts
942240Detects MySQL charset switch and MSSQL DoS attempts
942250Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections
942270Looking for basic sql injection. Common attack string for mysql, oracle and others
942280Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts
942290Finds basic MongoDB SQL injection attempts
942320Detects MySQL and PostgreSQL stored procedure/function injections
942350Detects MySQL UDF injection and other data/structure manipulation attempts
942360Detects concatenated basic SQL injection and SQLLFI attempts
942500MySQL in-line comment detected
942540SQL Authentication bypass (split query)
942560MySQL Scientific Notation payload detected
942550JSON-Based SQL Injection
942120SQL Injection Attack: SQL Operator Detected
942130SQL Injection Attack: SQL Boolean-based attack detected
942131SQL Injection Attack: SQL Boolean-based attack detected
942150SQL Injection Attack: SQL function name detected
942180Detects basic SQL authentication bypass attempts 1/3
942200Detects MySQL comment-/space-obfuscated injections and backtick termination
942210Detects chained SQL injection attempts 1/2
942260Detects basic SQL authentication bypass attempts 2/3
942300Detects MySQL comments, conditions and ch(a)r injections
942310Detects chained SQL injection attempts 2/2
942330Detects classic SQL injection probings 1/3
942340Detects basic SQL authentication bypass attempts 3/3
942361Detects basic SQL injection based on keyword alter or union
942362Detects concatenated basic SQL injection and SQLLFI attempts
942370Detects classic SQL injection probings 2/3
942380SQL Injection Attack
942390SQL Injection Attack
942400SQL Injection Attack
942410SQL Injection Attack
942470SQL Injection Attack
942480SQL Injection Attack
942430Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440SQL Comment Sequence Detected
942450SQL Hex Encoding Identified
942510SQLi bypass attempt by ticks or backticks detected
942520Detects basic SQL authentication bypass attempts 4.0/4
942521Detects basic SQL authentication bypass attempts 4.1/4
942522Detects basic SQL authentication bypass attempts 4.1/4
942101SQL Injection Attack Detected via libinjection
942152SQL Injection Attack: SQL function name detected
942321Detects MySQL and PostgreSQL stored procedure/function injections
942251Detects HAVING injections
942490Detects classic SQL injection probings 3/3
942420Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
942431Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
942460Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
942511SQLi bypass attempt by ticks detected
942530SQLi query termination detected
942421Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)

Rule group: 943 - Application attack session fixation

Section titled “Rule group: 943 - Application attack session fixation”

These rules protect against session fixation attacks.

CodeRule
943100Possible Session Fixation Attack: Setting Cookie Values in HTML
943110Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
943120Possible Session Fixation Attack: SessionID Parameter Name with No Referer

Rule group: 944 - Application attack Java

Section titled “Rule group: 944 - Application attack Java”
CodeRule
944100Remote Command Execution: Suspicious Java class detected
944110Remote Command Execution: Java process spawn (CVE-2017-9805)
944120Remote Command Execution: Java serialization (CVE-2015-4852)
944130Suspicious Java class detected
944140Java Injection Attack: Java Script File Upload Found
944150Potential Remote Command Execution: Log4j / Log4shell
944151Potential Remote Command Execution: Log4j / Log4shell
944200Magic bytes Detected, probable java serialization in use
944210Magic bytes Detected Base64 Encoded, probable java serialization in use
944240Remote Command Execution: Java serialization (CVE-2015-4852)
944250Remote Command Execution: Suspicious Java method detected
944260Remote Command Execution: Malicious class-loading payload
944300Base64 encoded string matched suspicious keyword
944152Potential Remote Command Execution: Log4j / Log4shell

Rule collection - OWASP CRS response

Section titled “Rule collection - OWASP CRS response”

Rule group: 950 - Data leakages

Section titled “Rule group: 950 - Data leakages”

These rules protect against general data leakages.

CodeRule
950130Directory Listing
950140CGI source code leakage
950100The Application Returned a 500-Level Status Code

Rule group: 951 - Data leakages SQL

Section titled “Rule group: 951 - Data leakages SQL”

These rules protect against data leakages from backend SQL servers, which often indicate the presence of SQL injection vulnerabilities.

CodeRule
951110Microsoft Access SQL Information Leakage
951120Oracle SQL Information Leakage
951130DB2 SQL Information Leakage
951140EMC SQL Information Leakage
951150firebird SQL Information Leakage
951160Frontbase SQL Information Leakage
951170hsqldb SQL Information Leakage
951180informix SQL Information Leakage
951190ingres SQL Information Leakage
951200interbase SQL Information Leakage
951210maxDB SQL Information Leakage
951220mssql SQL Information Leakage
951230mysql SQL Information Leakage
951240postgres SQL Information Leakage
951250sqlite SQL Information Leakage
951260Sybase SQL Information Leakage

Rule group: 952 - Data leakages Java

Section titled “Rule group: 952 - Data leakages Java”

These rules protect against data leakages caused by Java.

CodeRule
952100Java Source Code Leakage
952110Java Errors

Rule group: 953 - Data leakages PHP

Section titled “Rule group: 953 - Data leakages PHP”

These rules protect against data leakages caused by PHP.

CodeRule
953100PHP Information Leakage
953110PHP source code leakage
953120PHP source code leakage
953101PHP Information Leakage

Rule group: 954 - Data leakages IIS

Section titled “Rule group: 954 - Data leakages IIS”

These rules protect against data leakages caused by Microsoft IIS.

CodeRule
954100Disclosure of IIS install location
954110Application Availability Error
954120IIS Information Leakage
954130IIS Information Leakage

Rule group: 955 - Web shells

Section titled “Rule group: 955 - Web shells”
CodeRule
955100Web shell detected
955110r57 web shell
955120WSO web shell
955130b4tm4n web shell
955140Mini Shell web shell
955150Ashiyane web shell
955160Symlink_Sa web shell
955170CasuS web shell
955180GRP WebShell
955190NGHshell web shell
955200SimAttacker web shell
955210Unknown web shell
955220lama’s’hell web shell
955230lostDC web shell
955240Unknown web shell
955250Unknown web shell
955260Ru24PostWebShell web shell
955270s72 Shell web shell
955280PhpSpy web shell
955290g00nshell web shell
955300PuNkHoLic shell web shell
955310azrail web shell
955320SmEvK_PaThAn Shell web shell
955330Shell I web shell
955340b374k m1n1 web shell
955350webadmin.php file manager