Skip to content
Products
Platform
Developer Tools
Portal

WAF rule collection

Last updated on

The STACKIT Web Application Firewall (WAF) utilizes the OWASP Core Rule Set (CRS) to provide generic protection against a broad range of attacks, including the OWASP Top 10, with minimum false alerts.

Rules are categorized into request rules (inspecting incoming traffic) and response rules (inspecting outgoing traffic to prevent data leakage).

OWASP CRS request rules

Section titled “OWASP CRS request rules”

These rules inspect incoming client requests to identify and block malicious intent before it reaches your origin.

Rule group: 911 - Method Enforcement

Section titled “Rule group: 911 - Method Enforcement”

Enforces HTTP method policies to ensure only approved methods (e.g., GET, POST) are used.

CodeRule
911100Method is not allowed by policy

Rule group: 913 - Scanner Detection

Section titled “Rule group: 913 - Scanner Detection”

Identifies and blocks known security tools, vulnerability scanners, and crawlers.

CodeRule
913100Found User-Agent associated with security scanner

Rule group: 921 - Protocol Attack

Section titled “Rule group: 921 - Protocol Attack”

Targets attacks that exploit the HTTP protocol, such as request smuggling and header injection.

CodeRule
921110HTTP Request Smuggling Attack
921120HTTP Response Splitting Attack
921130HTTP Response Splitting Attack
921140HTTP Header Injection Attack via headers
921150HTTP Header Injection Attack via payload (CR/LF detected)
921160HTTP Header Injection Attack via payload (CR/LF and header-name detected)
921190HTTP Splitting (CR/LF in request filename detected)
921200LDAP Injection Attack
921421Content-Type header: Dangerous content type outside the mime type declaration
921240mod_proxy attack attempt detected
921151HTTP Header Injection Attack via payload (CR/LF detected)
921422Content-Type header: Dangerous content type outside the mime type declaration
921230HTTP Range Header detected
921180HTTP Parameter Pollution (%\{TX.1\})
921210HTTP Parameter Pollution after detecting bogus char after parameter array
921220HTTP Parameter Pollution possible via array notation

Rule group: 922 - Multipart Attack

Section titled “Rule group: 922 - Multipart Attack”

Validates multipart/form-data requests, often used for file uploads.

CodeRule
922100Multipart content type global _charset_ definition is not allowed by policy
922110Illegal MIME Multipart Header content-type: charset parameter
922120Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used

Rule group: 930 - Local File Inclusion (LFI)

Section titled “Rule group: 930 - Local File Inclusion (LFI)”

Prevents attackers from accessing sensitive files on the server through path traversal.

CodeRule
930100Path Traversal Attack (/../) or (/…/)
930110Path Traversal Attack (/../) or (/…/)
930120OS File Access Attempt
930130Restricted File Access Attempt
930121OS File Access Attempt in REQUEST_HEADERS

Rule group: 931 - Remote File Inclusion (RFI)

Section titled “Rule group: 931 - Remote File Inclusion (RFI)”

Blocks attempts to include and execute remote malicious code within the application.

CodeRule
931100Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address
931110Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
931120Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)
931130Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
931131Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link

Rule group: 932 - Remote Code Execution (RCE)

Section titled “Rule group: 932 - Remote Code Execution (RCE)”

Protects against the execution of arbitrary system commands (Unix/Windows shell) on the origin server.

CodeRule
932230Remote Command Execution: Unix Command Injection (2-3 chars)
932235Remote Command Execution: Unix Command Injection (command without evasion)
932120Remote Command Execution: Windows PowerShell Command Found
932125Remote Command Execution: Windows Powershell Alias Command Injection
932130Remote Command Execution: Unix Shell Expression Found
932140Remote Command Execution: Windows FOR/IF Command Found
932250Remote Command Execution: Direct Unix Command Execution
932260Remote Command Execution: Direct Unix Command Execution
932330Remote Command Execution: Unix shell history invocation
932160Remote Command Execution: Unix Shell Code Found
932170Remote Command Execution: Shellshock (CVE-2014-6271)
932171Remote Command Execution: Shellshock (CVE-2014-6271)
932175Remote Command Execution: Unix shell alias invocation
932180Restricted File Upload Attempt
932370Remote Command Execution: Windows Command Injection
932380Remote Command Execution: Windows Command Injection
932231Remote Command Execution: Unix Command Injection
932131Remote Command Execution: Unix Shell Expression Found
932200RCE Bypass Technique
932205RCE Bypass Technique
932206RCE Bypass Technique
932220Remote Command Execution: Unix Command Injection with pipe
932240Remote Command Execution: Unix Command Injection evasion attempt detected
932210Remote Command Execution: SQLite System Command Execution
932300Remote Command Execution: SMTP Command Execution
932310Remote Command Execution: IMAP Command Execution
932320Remote Command Execution: POP3 Command Execution
932236Remote Command Execution: Unix Command Injection (command without evasion)
932239Remote Command Execution: Unix Command Injection found in user-agent or referer header
932161Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS
932232Remote Command Execution: Unix Command Injection
932237Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS
932238Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS
932190Remote Command Execution: Wildcard bypass technique attempt
932301Remote Command Execution: SMTP Command Execution
932311Remote Command Execution: IMAP Command Execution
932321Remote Command Execution: POP3 Command Execution
932331Remote Command Execution: Unix shell history invocation

Rule group: 933 - PHP Injection

Section titled “Rule group: 933 - PHP Injection”

Specific protections for PHP-based applications, targeting script injections and configuration changes.

CodeRule
933100PHP Injection Attack: PHP Open Tag Found
933110PHP Injection Attack: PHP Script File Upload Found
933120PHP Injection Attack: Configuration Directive Found
933130PHP Injection Attack: Variables Found
933140PHP Injection Attack: I/O Stream Found
933200PHP Injection Attack: Wrapper scheme detected
933150PHP Injection Attack: High-Risk PHP Function Name Found
933160PHP Injection Attack: High-Risk PHP Function Call Found
933170PHP Injection Attack: Serialized Object Injection
933180PHP Injection Attack: Variable Function Call Found
933210PHP Injection Attack: Variable Function Call Found
933151PHP Injection Attack: Medium-Risk PHP Function Name Found
933131PHP Injection Attack: Variables Found
933161PHP Injection Attack: Low-Value PHP Function Call Found
933111PHP Injection Attack: PHP Script File Upload Found
933190PHP Injection Attack: PHP Closing Tag Found
933211PHP Injection Attack: Variable Function Call Found

Rule group: 934 - Generic Application Attacks

Section titled “Rule group: 934 - Generic Application Attacks”

Covers a variety of modern application attacks including Node.js injection, SSRF, and Prototype Pollution.

CodeRule
934100Node.js Injection Attack 1/2
934110Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter
934130JavaScript Prototype Pollution
934150Ruby Injection Attack
934160Node.js DoS attack
934170PHP data scheme attack
934101Node.js Injection Attack 2/2
934120Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address
934140Perl Injection Attack
934100Node.js Injection Attack

Rule group: 941 - Cross-Site Scripting (XSS)

Section titled “Rule group: 941 - Cross-Site Scripting (XSS)”

Detects scripts injected into web pages to be executed by the end user’s browser.

CodeRule
941100XSS Attack Detected via libinjection
941110XSS Filter - Category 1: Script Tag Vector
941130XSS Filter - Category 3: Attribute Vector
941140XSS Filter - Category 4: Javascript URI Vector
941160NoScript XSS InjectionChecker: HTML Injection
941170NoScript XSS InjectionChecker: Attribute Injection
941180Node-Validator Deny List Keywords
941190IE XSS Filters - Attack Detected
941200IE XSS Filters - Attack Detected
941210IE XSS Filters - Attack Detected
941220IE XSS Filters - Attack Detected
941230IE XSS Filters - Attack Detected
941240IE XSS Filters - Attack Detected
941250IE XSS Filters - Attack Detected
941260IE XSS Filters - Attack Detected
941270IE XSS Filters - Attack Detected
941280IE XSS Filters - Attack Detected
941290IE XSS Filters - Attack Detected
941300IE XSS Filters - Attack Detected
941310US-ASCII Malformed Encoding XSS Filter - Attack Detected
941350UTF-7 Encoding IE XSS - Attack Detected
941360JSFuck / Hieroglyphy obfuscation detected
941370JavaScript global variable found
941390Javascript method detected
941400XSS JavaScript function without parentheses
941101XSS Attack Detected via libinjection
941120XSS Filter - Category 2: Event Handler Vector
941150XSS Filter - Category 5: Disallowed HTML Attributes
941181Node-Validator Deny List Keywords
941320Possible XSS Attack Detected - HTML Tag Handler
941330IE XSS Filters - Attack Detected
941340IE XSS Filters - Attack Detected
941380AngularJS client side template injection detected

Rule group: 942 - SQL Injection (SQLi)

Section titled “Rule group: 942 - SQL Injection (SQLi)”

Comprehensive protection against SQL injection attempts, including blind SQLi and DB-specific payloads.

CodeRule
942100SQL Injection Attack Detected via libinjection
942140SQL Injection Attack: Common DB Names Detected
942151SQL Injection Attack: SQL function name detected
942160Detects blind sqli tests using sleep() or benchmark()
942170Detects SQL benchmark and sleep injection attempts including conditional queries
942190Detects MSSQL code execution and information gathering attempts
942220Looking for integer overflow attacks, magic number crash
942230Detects conditional SQL injection attempts
942240Detects MySQL charset switch and MSSQL DoS attempts
942250Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections
942270Looking for basic SQL injection. Common attack string for mysql, oracle and others
942280Detects Postgres pg_sleep injection, waitfor delay attacks
942290Finds basic MongoDB SQL injection attempts
942320Detects MySQL and PostgreSQL stored procedure/function injections
942350Detects MySQL UDF injection and other data/structure manipulation attempts
942360Detects concatenated basic SQL injection and SQLLFI attempts
942500MySQL in-line comment detected
942540SQL Authentication bypass (split query)
942560MySQL Scientific Notation payload detected
942550JSON-Based SQL Injection
942120SQL Injection Attack: SQL Operator Detected
942130SQL Injection Attack: SQL Boolean-based attack detected
942131SQL Injection Attack: SQL Boolean-based attack detected
942150SQL Injection Attack: SQL function name detected
942180Detects basic SQL authentication bypass attempts 1/3
942200Detects MySQL comment-/space-obfuscated injections and backtick termination
942210Detects chained SQL injection attempts 1/2
942260Detects basic SQL authentication bypass attempts 2/3
942300Detects MySQL comments, conditions and ch(a)r injections
942310Detects chained SQL injection attempts 2/2
942330Detects classic SQL injection probings 1/3
942340Detects basic SQL authentication bypass attempts 3/3
942361Detects basic SQL injection based on keyword alter or union
942362Detects concatenated basic SQL injection and SQLLFI attempts
942370Detects classic SQL injection probings 2/3
942380SQL Injection Attack
942390SQL Injection Attack
942400SQL Injection Attack
942410SQL Injection Attack
942470SQL Injection Attack
942480SQL Injection Attack
942430Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440SQL Comment Sequence Detected
942450SQL Hex Encoding Identified
942510SQLi bypass attempt by ticks or backticks detected
942520Detects basic SQL authentication bypass attempts 4.0/4
942521Detects basic SQL authentication bypass attempts 4.1/4
942522Detects basic SQL authentication bypass attempts 4.1/4
942101SQL Injection Attack Detected via libinjection
942152SQL Injection Attack: SQL function name detected
942321Detects MySQL and PostgreSQL stored procedure/function injections
942251Detects HAVING injections
942490Detects classic SQL injection probings 3/3
942420Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
942431Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
942460Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
942511SQLi bypass attempt by ticks detected
942530SQLi query termination detected
942421Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)

Rule group: 943 - Session Fixation

Section titled “Rule group: 943 - Session Fixation”

Prevents attackers from hijacking user sessions by forcing a known Session ID.

CodeRule
943100Possible Session Fixation Attack: Setting Cookie Values in HTML
943110Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
943120Possible Session Fixation Attack: SessionID Parameter Name with No Referer

Rule group: 944 - Java Injection

Section titled “Rule group: 944 - Java Injection”

Targets Java-specific vulnerabilities, including serialization attacks and Log4shell.

CodeRule
944100Remote Command Execution: Suspicious Java class detected
944110Remote Command Execution: Java process spawn (CVE-2017-9805)
944120Remote Command Execution: Java serialization (CVE-2015-4852)
944130Suspicious Java class detected
944140Java Injection Attack: Java Script File Upload Found
944150Potential Remote Command Execution: Log4j / Log4shell
944151Potential Remote Command Execution: Log4j / Log4shell
944200Magic bytes Detected, probable java serialization in use
944210Magic bytes Detected Base64 Encoded, probable java serialization in use
944240Remote Command Execution: Java serialization (CVE-2015-4852)
944250Remote Command Execution: Suspicious Java method detected
944260Remote Command Execution: Malicious class-loading payload
944300Base64 encoded string matched suspicious keyword
944152Potential Remote Command Execution: Log4j / Log4shell

OWASP CRS response rules

Section titled “OWASP CRS response rules”

These rules inspect outgoing traffic from your origin to prevent sensitive information from being leaked to users or attackers.

Rule group: 950 - General Data Leakage

Section titled “Rule group: 950 - General Data Leakage”

Blocks responses containing directory listings, source code, or application error messages.

CodeRule
950130Directory Listing
950140CGI source code leakage
950100The Application Returned a 500-Level Status Code

Rule group: 951 - Database Information Leakage

Section titled “Rule group: 951 - Database Information Leakage”

Prevents database-specific error messages from revealing your backend architecture.

CodeRule
951110Microsoft Access SQL Information Leakage
951120Oracle SQL Information Leakage
951130DB2 SQL Information Leakage
951140EMC SQL Information Leakage
951150firebird SQL Information Leakage
951160Frontbase SQL Information Leakage
951170hsqldb SQL Information Leakage
951180informix SQL Information Leakage
951190ingres SQL Information Leakage
951200interbase SQL Information Leakage
951210maxDB SQL Information Leakage
951220mssql SQL Information Leakage
951230mysql SQL Information Leakage
951240postgres SQL Information Leakage
951250sqlite SQL Information Leakage
951260Sybase SQL Information Leakage

Rule group: 952 - Java Information Leakage

Section titled “Rule group: 952 - Java Information Leakage”

Blocks exposure of Java source code or stack traces.

CodeRule
952100Java Source Code Leakage
952110Java Errors

Rule group: 953 - PHP Information Leakage

Section titled “Rule group: 953 - PHP Information Leakage”

Prevents disclosure of PHP source code or internal information.

CodeRule
953100PHP Information Leakage
953110PHP source code leakage
953120PHP source code leakage
953101PHP Information Leakage

Rule group: 954 - IIS Information Leakage

Section titled “Rule group: 954 - IIS Information Leakage”

Targets information disclosure specific to Microsoft Internet Information Services (IIS).

CodeRule
954100Disclosure of IIS install location
954110Application Availability Error
954120IIS Information Leakage
954130IIS Information Leakage

Rule group: 955 - Web Shells

Section titled “Rule group: 955 - Web Shells”

Detects patterns associated with common web shells (backdoors) that provide remote administration.

CodeRule
955100Web shell detected
955110r57 web shell
955120WSO web shell
955130b4tm4n web shell
955140Mini Shell web shell
955150Ashiyane web shell
955160Symlink_Sa web shell
955170CasuS web shell
955180GRP WebShell
955190NGHshell web shell
955200SimAttacker web shell
955210Unknown web shell
955220lama’s’hell web shell
955230lostDC web shell
955240Unknown web shell
955250Unknown web shell
955260Ru24PostWebShell web shell
955270s72 Shell web shell
955280PhpSpy web shell
955290g00nshell web shell
955300PuNkHoLic shell web shell
955310azrail web shell
955320SmEvK_PaThAn Shell web shell
955330Shell I web shell
955340b374k m1n1 web shell
955350webadmin.php file manager