{"filters":{"filter":[{"rule":"(?:\"+.*>)|(?:\\s?\\\/>)|(?:>\")","description":"finds html breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"rule":"(?:\"+.*[<=]\\s*\"[^\"]+\")|(?:\"\\w+\\s*=)|(?:>\\w=\\\/)|(?:#.+\\)[\"\\s]*>)","description":"finds attribute breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"rule":"(?:^>[\\w\\s]*<\\\/?\\w{2,}>)","description":"finds unquoted attribute breaking injections","tags":{"tag":["xss","csrf"]},"impact":"2"},{"rule":"(?:(\\W|^)[\\s\\\/\"]+[-\\w\\\/\\\\\\*]+\\s*=.+[([\\\/\"])","description":"finds attribute breaking injections including obfuscated attributes","tags":{"tag":["xss","csrf"]},"impact":"4"},{"rule":"(?:;\\W*URL\\s*=)|(?:[^\\w\\s\\\/]\\s*(?:location|referrer|name)\\s*[^\\w\\s-])|(?:{[^:]+:[^}]+})","description":"Detects url-, name-, JSON, and referrer-contained payload attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"rule":"(?:\\W\\s*hash\\s*[^\\w\\s-])|(?:\\w+=\\W*[^,]*,[^\\s(]\\s*\\()|(?:\\?\"[^\\s\"]\":)|(?:(?<!\\\/)__[a-z]+__)|(?:(?:^|\\s)setter\\s*=)","description":"Detects hash-contained xss payload attacks, setter usage and property overloading","tags":{"tag":["xss","csrf"]},"impact":"5"},{"rule":"(?:with\\s*\\(\\s*.+\\s*\\)\\s*\\w+\\s*\\()|(?:(?:do|while|for)\\s*\\([^)]*\\)\\s*\\{)|(?:\\\/[\\w\\s]*\\[\\W*\\w)","description":"Detects self contained xss via with(), common loops and regex to string conversion","tags":{"tag":["xss","csrf"]},"impact":"5"},{"rule":"(?:with\\([^)]*\\)\\))|(?:\\.\\s*source\\W)|(?:\\?[^:]+:[^;]+;)|(?:>\\s*[,;.])","description":"Detects JavaScript with(), ternary operators and XML predicate attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"rule":"(?:(?<!(?:Mozilla\\\/\\d\\.\\d\\s))\\([^)[]+\\[[^\\]]+\\][^)]*\\))|(?:[^\\s][{([][^({[]+[{([][^}\\])]+[}\\])][\\s+\",\\d]*[}\\])])|(?:\"\\)?\\]\\W*\\[)|(?:=\\s*[^\\s:;]+\\s*[{([][^}\\])]+[}\\])];)","description":"Detects self-executing JavaScript functions","tags":{"tag":["xss","csrf"]},"impact":"5"},{"rule":"(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\\d{2,3})|(?:\\W?=\\W?\\s*0x\\w+)","description":"Detects the IE octal, hex and unicode entities","tags":{"tag":["xss","csrf"]},"impact":"2"},{"rule":"(?:(?:\\\/|\\\\)?\\.\\.(\\\/|\\\\)(?:\\.\\.)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\\/[\\w*-]+\\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\\/(?:%2e){2})","description":"Detects basic directory traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"rule":"(?:(?:\\\/|\\\\)+(bin|home|conf|usr|etc|proc|opt|sbin|local|dev|tmp|kern|boot|root|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\\/|\\\\))|(?:(?:\\\/|\\\\)+inetpub|localstart\\.asp|boot\\.ini)","description":"Detects specific directory and path traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"rule":"(?:etc\\\/\\W*passwd)","description":"Detects etc\/passwd inclusion attempts","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"rule":"(?:%u(?:ff|00|e\\d)\\w\\w)|(?:(?:%(?:e\\w|c[^3\\W]|))(?:%\\w\\w)(?:%\\w\\w)?)","description":"Detects halfwidth\/fullwidth encoded unicode HTML breaking attempts","tags":{"tag":["xss","csrf"]},"impact":"3"},{"rule":"(?:\\w+script:|@import[^\\w]|;base64|base64,)|(?:\\w+\\s*\\([\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+\\))","description":"Detects possible includes and packed functions","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"rule":"([^:\\s\\w,.-\\\/?+]\\s*)?(?<![a-z]\\s|[a-z\\\/_@-])(\\s*return\\s*)?(?:create(?:Element|Attribute|TextNode)|\\w+Events?|getElement\\w+|appendChild|createRange|createContextualFragment|removeNode|parentNode|decodeURIComponent|\\wetTimeout|userAgent)(?(1)[^\\w\"]|(?:\\s*[^\\s\\w\",.+-]))","description":"Detects JavaScript DOM\/miscellaneous properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"6"},{"rule":"([^:\\s\\w,.-\\\/?+]\\s*)?(?<![a-z]\\s|[a-z\\\/_@-])(\\s*return\\s*)?(?:alert|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|toString|Execute|window|unescape|navigate)(?(1)[^\\w\"]|(?:\\s*[^\\s\\w\",.+-]))","description":"Detects possible includes and typical script methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"rule":"([^:\\s\\w,.-\\\/?+]\\s*)?(?<![a-z]\\s|[a-z\\\/_@-])(\\s*return\\s*)?(?:hash|name|href|source|pathname|close|port|protocol|search|replace|back|forward|go|document|window|self|this|parent|frames|_?content|date|cookie|innerhtml|innertext|outerhtml)(?(1)[^\\w\"]|(?:\\s*[^\\s\\w\",.+-]))","description":"Detects JavaScript object properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"rule":"([^:\\s\\w,.-\\\/?+]\\s*)?(?<![a-z]\\s|[a-z\\\/_@-])(\\s*return\\s*)?(?:join|pop|push|reverse|shift|slice|splice|sort|unshift)(?(1)[^\\w\"]|(?:\\s*[^\\s\\w\",.+-]))","description":"Detects JavaScript array properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"rule":"([^:\\s\\w,.-\\\/?+]\\s*)?(?<![a-z]\\s|[a-z\\\/_@-])(\\s*return\\s*)?(?:atob|btoa|charat|charcodeat|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|replace|regexp|search|slice|split|status|substr|substring|escape)(?(1)[^\\w\"]|(?:\\s*[^\\s\\w\",.+-]))","description":"Detects JavaScript string properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"rule":"([^:\\s\\w,.-\\\/?+]\\s*)?(?<![a-z]\\s|[a-z\\\/_@-])(\\s*return\\s*)?(?:globalStorage|sessionStorage|callee|constructor|content|prototype|try|catch|top|call|apply|with|function|object|array|string|math|regex|boolean|location|settimeout|setinterval|void)(?(1)[^\\w\"]|(?:\\s*[^\\s\\w\",.+-]))","description":"Detects JavaScript language constructs","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"rule":"(?:,\\s*(?:alert|eval)\\s*,)|(?:=.*:\\s*\\w+\\s)|(?::\\s*eval\\s*[^\\s])|([^:\\s\\w,.-\\\/?+]\\s*)?(?<![a-z]\\s|[a-z\\\/_@])(\\s*return\\s*)?(?:(?:document\\s*\\.)?(?:.+\\\/)?(?:alert|eval|msgbox|prompt|write(?:ln)?|confirm|dialog|open))(?(1)[^\\w]|(?:\\s*[^\\s\\w,.+-]))|(?:java[\\s\\\/]*\\.[\\s\\\/]*lang)|(?:\\w\\s*=\\s*new\\s+\\w+)","description":"Detects very basic XSS probings","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"3"},{"rule":"(?:\\W\\s*(?:location|document)\\s*\\W[^({[;]+[({[;])|(?:\\(\\w+\\?[:\\w]+\\))","description":"Detects JavaScript location\/document property access","tags":{"tag":["xss","csrf"]},"impact":"5"},{"rule":"(?:\\\/[\\w\\s]+\\\/\\.)|(?:,.+=.+(\\?|,).*\\))|(?:=\\s*\\\/\\w+\\\/\\s*\\.)|(?:\\[\\s*\\\/\\w+)","description":"Detects basic obfuscated JavaScript script injections","tags":{"tag":["xss","csrf"]},"impact":"5"},{"rule":"(?:\\w+\\[(\"\\w+\"|\\w+\\|\\|))|(?:[\\d\\W]\\|\\|[\\d\\W]|\\W=\\w+,)|(?:\\\/\\s*\\+\\s*[a-z\"])|(?:=\\s*\\$[^([]*\\()","description":"Detects obfuscated JavaScript script injections","tags":{"tag":["xss","csrf"]},"impact":"5"},{"rule":"(?:[^:\\s\\w]+\\s*[^\\w\\\/](href|protocol|host\\w*|pathname|search|hash|port|cookie)[^\\w])","description":"Detects JavaScript cookie stealing and redirection attempts","tags":{"tag":["xss","csrf"]},"impact":"4"},{"rule":"(?:data:(?:.)*,)|(?:\\w+\\s*=\\W*(?!https?)\\w+:)|(jar:\\w+:)","description":"Detects data: URL injections and common URI schemes","tags":{"tag":["xss","rfe"]},"impact":"5"},{"rule":"(?:firefoxurl:\\w+\\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\\s*:\\s*[%&#xu\\\/]+)|(wyciwyg|firefoxurl\\s*:\\s*\\\/\\s*\\\/)","description":"Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion\/execution","tags":{"tag":["xss","rfe","lfi","xsrf"]},"impact":"5"},{"rule":"(?:binding\\s?=|moz-binding|behavior\\s?=)|(?:[\\s\\\/]style\\s*=\\s*[-\\\\])","description":"Detects bindings and behavior injections","tags":{"tag":["xss","csrf","rfe"]},"impact":"4"},{"rule":"(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[s*\\])|(?:;[^q\\s]+=)|(?:\\s*==\\s*\\w)|(?:[\\d\\W][\"\\s]*:\\s*\")|(?:\"\\s*\\+\\s*\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\"\\s*[&|]+\\s*\")|(?:\\\/\\s*\\?\\s*\")|(?:\\\/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:]\\s*\\[\\W*\\w)|(?:[^\\s]\\s*=\\s*\\\/)","description":"Detects common XSS concatenation patterns 1\/2","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"rule":"(?:=\\s*\\d*\\.\\d*\\?\\d*\\.\\d*)|(?:[|&]{2,}\\s*\")|(?:!\\d+\\.\\d*\\?\")|(?:\\\/:[\\w.]+,)|(?:=.+[\\d\\W]*\\s*\\[[^]]+\\])|(?:\\?\\w+:\\w+)|(?:\\W\\+\\s*\\w+\\s*[)}\\]])|(?::\\s*\\d\\s*;)|(?:\\w+\\s*(!=|==)=?\\s*\\w+)|(?:!\\s*0\\s*\\?)|(?:[\\W\\d]\\.\\w+\\s*,)","description":"Detects common XSS concatenation patterns 2\/2","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"rule":"(?:[^\\w\\s=]on(?!g\\&gt;)\\w+[^=_+-]*=[^$]+(?:\\W|\\&gt;)?)","description":"Detects possible event handlers","tags":{"tag":["xss","csrf"]},"impact":"4"},{"rule":"(?:\\<\\w*:?s(?:[^\\>]*)t(?!rong))|(?:\\<scri)|(<\\w+:\\w+)","description":"Detects obfuscated script tags and XML wrapped HTML","tags":{"tag":"xss"},"impact":"4"},{"rule":"(?:\\<\\\/\\w+\\s\\w+)","description":"Detects attributes in closing tags (IE-only issue)","tags":{"tag":["xss","csrf"]},"impact":"3"},{"rule":"(?:\\<!-|-->)|(?:\\\/\\*|\\*\\\/)|(?:(?:#|--|{)$)|(?:\\\/{3,}.*$)|(?:<!\\[)|(?:\\]!>)","description":"Detects common comment types","tags":{"tag":["xss","csrf","id"]},"impact":"3"},{"rule":"(?:--.*>)|(?:opera\\s*\\.\\s*\\w+\\s*\\()","description":"Detects comments to exploit firefox' faulty rendering and proprietary opera attacks","tags":{"tag":["xss","csrf","id"]},"impact":"3"},{"rule":"(?:\\<base\\s+)|(?:<!(?:ELEMENT|ENTITY|\\[CDATA))","description":"Detects base href injections and XML entity injections","tags":{"tag":["xss","csrf","id"]},"impact":"5"},{"rule":"(?:\\<[\\\/]?(?:[i]?frame|script|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xmp|image|im(?:g|port)))","description":"Detects possibly malicious html elements including some attributes","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"4"},{"rule":"(?:\\\\x[01FE]\\w)|(?:%[01FE]\\w)|(?:&#[01FE]\\w)|(?:\\\\[01FE][0-9a-f])|(?:&#x[01FE]\\w)|(?:0x[01FE])\\w","description":"Detects nullbytes and HTTP response splitting","tags":{"tag":["id","rfe","xss"]},"impact":"5"},{"rule":"(?:\"\\s*(?:#|--|{))|(?:\\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*\\(\\s*\\d)|(?:(?:AND|OR|XOR|NAND|NOT|\\|\\||\\&\\&)\\s*\\w+\\()","description":"Detects MySQL comments, conditions and ch(a)r injections","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"rule":"(?:HAVING\\s+[\\d\\w]\\s?=)|(?:IF\\s?\\([\\d\\w]\\s?=)","description":"Detects conditional SQL injection attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"4"},{"rule":"(?:\\\\x(?:23|27|3D))|(?:^.?\"$)|(?:^.*\\\\\".+(?<!\\\\)\")|(?:(?:^[\"\\\\]*(?:[\\d\"]+|[^\"]+\"))+\\s*(?:AND|OR|XOR|NAND|NOT|\\|\\||\\&\\&)\\s*[\\d\"[+&!-@])","description":"Detects classic SQL injection probings 1\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"rule":"(?:\"\\s*\\*.+(?:OR|ID)\\W*\"\\d)|(?:\\^\")|(?:^[\\w\\s-\"]+(?<=AND|OR|XOR|NAND|NOT|\\|\\||\\&\\&)\\w+\\()|(?:\"[\\s\\d]*[^\\w\\s]+\\W*\\d\\W*.*[\"\\d])|(?:\"\\s*[^\\w\\s]+\\s*[^\\w\\s]+\\s*\")|(?:\"\\s*[^\\w\\s]+\\s*[\\W\\d].*(?:#|--))|(?:\".*\\*\\s*\\d)|(?:\"\\s*or\\s[\\w-]+[\\s=*])","description":"Detects classic SQL injection probings 2\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"rule":"(?:^admin\\s*\"|(\\\/\\*)+\"+\\s?(?:--|#|\\\/\\*|{)?)|(?:\"\\s*OR[\\w\\s-]+\\s*[+-<>=]\\s*[\\d\"])|(?:\"\\s*[^\\w\\s]?=\\s*\")|(?:\"\\W*[+=]+\\W*\")|(?:\"\\s*[!=|][\\d\\s!=+-]+.*[\"(].*$)|(?:\"\\s*[!=|][\\d\\s!=]+.*\\d+$)|(?:\"\\s*LIKE[+-=\\s]+[\\d\"(])|(?:\\sis\\s*0\\W)","description":"Detects basic SQL authentication bypass attempts 1\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"rule":"(?:UNION\\s*(?:ALL)?\\s*[([]\\s*SELECT)|(?:LIKE\\s*\"\\%)|(?:\"\\s*LIKE\\W*[\"\\d])|(?:\"\\s*(?:AND|OR|XOR|NAND|NOT|\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*HAVING)|(?:(?:AND|OR|XOR|NAND|NOT|\\|\\||\\&\\&)\\s[\\w-]+\\s*[=&^].*[\"\\d])|(?:\"\\s*\\*\\s*\\w+\\W+\")","description":"Detects basic SQL authentication bypass attempts 2\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"rule":"(?:(?:AND|OR|XOR|NAND|NOT|\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:REGEXP\\s*\\(|SOUNDS\\s+LIKE\\s*\"|[=\\d]+x))|(\"\\s*\\d\\s*(?:--|#))|(?:\"[%&<>^=]+\\d\\s*(=|OR))|(?:\"\\W+[\\w+-]+\\s*=\\s*\\d\\W+\")|(?:\"\\s*is\\s*\\d.+\"?\\w)|(?:\"\\|?[\\w-]{3,}[^\\w\\s]+\")|(?:\"\\s*is\\s*\\w\\s*\\W.*\")","description":"Detects basic SQL authentication bypass attempts 3\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"rule":"(?:^\\s*[;>\"]\\s*(?:UNION|SELECT|CREATE|RENAME|TRUNCATE|LOAD|ALTER|DELETE|UPDATE|INSERT|DESC))|(?:(?:SELECT|CREATE|RENAME|TRUNCATE|LOAD|ALTER|DELETE|UPDATE|INSERT|DESC)\\s+(?:CONCAT|CHAR|CONCAT|LOAD_FILE|0x)\\s?\\(?)|(?:END\\s*\\);)|(\"\\s+REGEXP\\W)","description":"Detects concatenated basic SQL injection and SQLLFI attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"5"},{"rule":"(?:(?:;|#|--)\\s*(?:DROP|ALTER))|(?:(?:;|#|--)\\s*(?:UPDATE|INSERT)\\s*\\w{2,})|(?:[^\\w]SET\\s*@\\w+)|(?:(?:AND|OR|XOR|NAND|NOT|\\|\\||\\&\\&)[\\s\\w]+[!=+]+[\\s\\d]*[\"=(])","description":"Detects chained SQL injection attempts 1\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"rule":"(?:\\*\\\/FROM)|(?:\\w\"\\s*(?:[-+=|@]+\\s*)+[\\d(])|(?:COALESCE\\s*\\(|@@\\w+\\s*[^\\w\\s])|(?:\\W!+\"\\w)|(?:\";\\s*(?:if|while|begin))|(?:\"[\\s\\d]+=\\s*\\d)","description":"Detects chained SQL injection attempts 2\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"rule":"(?:(SELECT|;)\\s+(?:BENCHMARK|IF|SLEEP)\\s?\\(\\s?\\(?\\s?\\w+)","description":"Detects SQL benchmark and sleep injection attempts including conditional queries","tags":{"tag":["sqli","id"]},"impact":"4"},{"rule":"(?:CREATE\\s+function\\s+\\w+\\s+returns)|(?:;\\s*(?:SELECT|CREATE|RENAME|TRUNCATE|LOAD|ALTER|DELETE|UPDATE|INSERT|DESC)\\s*\\w{2,})","description":"Detects MySQL UDF injection and other data\/structure manipulation attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"rule":"(?:ALTER\\s*\\w+.*CHARACTER\\s+SET\\s+\\w+)|(\";\\s*WAITFOR\\s+TIME\\s+\")|(?:\";.*:\\s*GOTO)","description":"Detects MySQL charset switch and MSSQL DoS attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"rule":"(?:CREATE\\s+(PROCEDURE|FUNCTION)\\s*\\w+\\s*\\(\\s*\\)\\s*-)|(?:declare[^\\w]+[@#]\\s*\\w+)|(exec\\s*\\(\\s*@)","description":"Detects MySQL stored procedure\/function injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"rule":"(?:SELECT\\s*pg_sleep)|(?:WAITFOR\\s*DELAY\\s?\"+\\s?\\d)|(?:;\\s*SHUTDOWN\\s*(?:--|#|\\\/\\*|{))","description":"Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"rule":"(?:\\WIIF\\s*\\()|(?:EXEC\\s+master\\.)|(?:UNION SELECT @)|(?:UNION\\s*\\w*\\s*SELECT)|(?:SELECT.*\\w?user\\()|(?:INTO[\\s+]+(?:DUMP|OUT)FILE\\s*\")","description":"Detects MSSQL code execution and information gathering attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"rule":"(?:MERGE.*USING\\s*\\()|(EXECUTE\\s*IMMEDIATE\\s*\")|(?:\\W+\\d\\s+HAVING\\s+\\d)|(?:MATCH\\s*[\\w(),+-]+\\s*AGAINST\\s*\\()","description":"Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"rule":"(?:SELECT\\s*\\*\\s*FROM)|((?:SELECT|CREATE|RENAME|TRUNCATE|LOAD|ALTER|DELETE|UPDATE|INSERT|DESC)\\s*\\(\\s*SPACE\\s*\\()","description":"Detects MySQL comment-\/space-obfuscated injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"rule":"(?:@[\\w-]+\\s*\\()|(?:]\\s*\\(\\s*[\"!]\\s*\\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\\s\\w|]*\\$\\w+\\s*=)|(?:\\$\\w+\\s*=(?:(?:\\s*\\$?\\w+\\s*[(;])|\\s*\".*\"))|(?:;\\s*\\{\\W*\\w+\\s*\\()","description":"Detects code injection attempts 1\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"rule":"(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\\w+|execute)\\s*[\"(@])","description":"Detects code injection attempts 2\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"rule":"(?:(?:[;]+|(<[?%](?:php)?)).*[^\\w](?:echo|print|print_r|var_dump|fopen|popen))|(?:;\\s*rm\\s+-\\w+\\s+)|(?:;.*{.*\\$\\w+\\s*=)|(?:\\$\\w+\\s*\\[\\]\\s*=\\s*)","description":"Detects code injection attempts 3\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"rule":"(?:\\w+]?(?<!HREF|SRC|LONGDESC|ReturnURL)=(?:http|ftp|https):)","description":"Detects url injections and RFE attempts","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"rule":"(?:function[^(]*\\([^)]*\\))|(?:(?:delete|void|throw|.*in\\s+|instanceof|new|typeof)\\s*\\w+\\s*[([])|([)\\]]\\s*\\.\\s*\\w+\\s*=)","description":"Detects common function declarations and special JS operators","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"rule":"(?:[\\w.-]+@[\\w.-]+%(?:[01]\\w)+\\w+:)","description":"Detects common mail header injections","tags":{"tag":["id","spam"]},"impact":"5"},{"rule":"(?:\\.pl\\?\\w+=\\w?\\|\\w+;)|(?:\\|\\(\\w+=\\*)|(?:\\*\\s*\\)+\\s*;)","description":"Detects perl echo shellcode injection and LDAP vectors","tags":{"tag":["fli","rfe"]},"impact":"5"},{"rule":"(?:groups=\\d+\\(\\w+\\))|(?:\\w{256,}|\\W{256,}|\\s{256,}|\\\/.+\\shttp\\\/\\d.\\d\\s?\\\\+\\w\\\\+\\w|(?::..){4,}|\\W\\d+\\\/\\d{20,})","description":"Detects basic DoS attempts and Apache scoreboard shared memory attacks","tags":{"tag":["rfe","dos"]},"impact":"5"},{"rule":"(?:info:\\\/)|(?:\\w+\\[\"@\\w+)|(?:(?:view-source|about):\\w+)","description":"Detects konqueror UXSS attacks, Gecko 1.9 threading directives and view-source attacks","tags":{"tag":["rfe","dos"]},"impact":"5"},{"rule":"(?:\\({2,}\\+{2,}:{2,})|(?:\\({2,}\\+{2,}:+)|(?:\\({3,}\\++:{2,})|(?:\\$\\[!!!\\])","description":"Detects unknown attack vectors based on PHPIDS Centrifuge detection","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"7"}]}}