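# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# These exclusions remedy false positives in a default XenForo install.
# The exclusions are only active if crs_exclusions_xenforo=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# Every exclusion below only loosens inspection of named parameters or
# cookies on a matching endpoint; it never disables a whole request.
# Each rule keys on the request path (REQUEST_FILENAME / REQUEST_URI)
# only, so any other application served from a path with the same
# suffix (e.g. another /proxy.php) inherits the same relaxation.

# Guard: if TX:crs_exclusions_xenforo is unset (count is 0) or set to 0,
# jump over the whole file to the END-XENFORO marker. The rule exists
# twice, once per phase, because skipAfter only takes effect within the
# phase in which it fires: 9006000 guards the phase:1 exclusions and
# 9006001 guards the phase:2 exclusions.
SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
    "id:9006000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    skipAfter:END-XENFORO"

SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
    "id:9006001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    skipAfter:END-XENFORO"


#
# -=[ XenForo Front-End ]=-
#

# Proxy for images and remote content embedded in forum posts
# GET /xf/proxy.php?image=https://example.com/some.jpg&hash=foo
# GET /xf/proxy.php?link=https://example.com&hash=foo
# POST /xf/proxy.php, body: referrer=...
#
# image/link/referrer carry user-supplied remote URLs, so URL-shaped
# content in them is expected. Only those three parameters are relaxed;
# the hash parameter and everything else on the request stay inspected.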
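SecRule REQUEST_FILENAME "@endsWith /proxy.php" \
    "id:9006100,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:image,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\
    ctl:ruleRemoveTargetById=931130;ARGS:referrer,\
    ctl:ruleRemoveTargetById=942230;ARGS:referrer,\
    ver:'OWASP_CRS/3.3.2'"

# Store drafts for private message, forum post, thread reply
# POST /xf/conversations/draft
# POST /xf/conversations/convo-title.12345/draft
# POST /xf/forums/forum-title.12345/draft
# POST /xf/threads/thread-title-%E2%98%85.12345/draft
#
# attachment_hash_combined example:
# {"type":"post","context":{"post_id":12345},"hash":"0123456789abcdef..."}
#
# title/message/message_html are free-form rich text and are excluded
# from all CRS rules. attachment_hash_combined is a JSON blob, so only
# the SQLi rules it is known to trip (942200/942260/942340/942370) are
# removed for it; every other rule still sees it.
SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)/.*)/draft$" \
    "id:9006110,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=931130;ARGS:href,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\
    ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
    ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
    ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
    ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
    ver:'OWASP_CRS/3.3.2'"

# Send PM, edit post, create thread, reply to thread
# POST /xf/conversations/add
# POST /xf/conversations/add-preview
# POST /xf/conversations/messages/1463947/edit
# POST /xf/posts/12345/edit
# POST /xf/posts/12345/preview
# POST /xf/conversations/convo-title.12345/add-reply
# POST /xf/threads/thread-title.12345/add-reply
# POST /xf/threads/thread-title.12345/reply-preview
# POST /xf/forums/forum-title.12345/post-thread
# POST /xf/forums/blogs/post-thread
# POST /xf/forums/forum-title.12345/thread-preview
#
# Same parameter set as the draft rule above (9006110), minus href.
SecRule REQUEST_FILENAME "@rx /(?:conversations/add(?:-preview)?|conversations/messages/\d+/edit|posts/\d+/(?:edit|preview)|(?:conversations|threads)/.*\.\d+/(?:add-reply|reply-preview)|forums/.*/(?:post-thread|thread-preview))$" \
    "id:9006120,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\
    ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
    ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
    ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
    ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
    ver:'OWASP_CRS/3.3.2'"

# Quote
# POST /xf/posts/12345/quote
SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \
    "id:9006130,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml,\
    ver:'OWASP_CRS/3.3.2'"

# Multi quote
# POST /xf/conversations/convo-title.12345/multi-quote
# POST /xf/threads/thread-title.12345/multi-quote
# quotes={"12345":["quote-html"]}
#
# insert[N][value] is only excluded for N = 0..9; a multi-quote request
# carrying more than ten quoted blocks will still have the remaining
# entries inspected and may raise false positives.
SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \
    "id:9006140,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quotes,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[0][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[1][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[2][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[3][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[4][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[5][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[6][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value],\
    ver:'OWASP_CRS/3.3.2'"

# Delete thread
# POST /xf/threads/thread-title.12345/delete
SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \
    "id:9006150,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason,\
    ver:'OWASP_CRS/3.3.2'"

# Feature thread
# POST /xf/threads/thread-title.12345/feature-edit
SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/feature-edit$" \
    "id:9006155,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feature[feature_excerpt],\
    ver:'OWASP_CRS/3.3.2'"

# Inline moderate thread
# POST /xf/inline-mod/
SecRule REQUEST_FILENAME "@endsWith /inline-mod/" \
    "id:9006160,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:author_alert_reason,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
    ver:'OWASP_CRS/3.3.2'"

# Warn member
# POST /xf/members/name.12345/warn
# POST /xf/posts/12345/warn
SecRule REQUEST_FILENAME "@rx /(?:members/.*\.\d+|posts/\d+)/warn$" \
    "id:9006170,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes,\
    ver:'OWASP_CRS/3.3.2'"

# Editor: BB code to HTML conversion
# POST /xf/index.php?editor/to-html
SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
    "id:9006200,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:bb_code,\
    ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
    ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
    ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
    ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
    ver:'OWASP_CRS/3.3.2'"

# Editor: HTML to BB code conversion
# POST /xf/index.php?editor/to-bb-code
SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
    "id:9006210,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html,\
    ver:'OWASP_CRS/3.3.2'"

# Post attachment
# POST /xf/account/avatar
# POST /xf/attachments/upload?type=post&context[thread_id]=12345&hash=foo
#
# Runs in phase 1 to be able to remove rule 200003 (see 9006920 for the
# same pattern). 200003 is not defined in this file; it is the engine's
# multipart validation rule from modsecurity.conf, so this exclusion
# turns off that check for the two upload endpoints only. The flow*
# parameters are chunked-upload bookkeeping values.
SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
    "id:9006220,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=200003,\
    ctl:ruleRemoveTargetById=942220;ARGS:flowChunkSize,\
    ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
    ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\
    ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath,\
    ver:'OWASP_CRS/3.3.2'"

# Media
# POST /xf/index.php?editor/media
SecRule REQUEST_URI "@endsWith /index.php?editor/media" \
    "id:9006230,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=931130;ARGS:url,\
    ctl:ruleRemoveTargetById=942130;ARGS:url,\
    ver:'OWASP_CRS/3.3.2'"

# Emoji
# GET /xf/index.php?misc/find-emoji&q=(%0A%0A
#
# Only the header-injection rule 921151 is removed for q; the pattern is
# matched anywhere in REQUEST_URI (no leading anchor).
SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \
    "id:9006240,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=921151;ARGS:q,\
    ver:'OWASP_CRS/3.3.2'"

# Login
# POST /xf/login/login
#
# The password may contain anything; it is excluded from all CRS rules
# on the login endpoint only.
SecRule REQUEST_FILENAME "@endsWith /login/login" \
    "id:9006300,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
    ver:'OWASP_CRS/3.3.2'"

# Register account
# POST /xf/register/register
# The password is passed in a variable-name form parameter. We don't
# want to exclude all parameters completely as this would cause an
# unacceptable bypass. So, we exclude only commonly hit rules.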
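# Because the password field name is not fixed, rule 942130 is removed
# for ARGS (every parameter on this endpoint); all other rules still run
# against every parameter. reg_key is fully excluded.
SecRule REQUEST_FILENAME "@endsWith /register/register" \
    "id:9006310,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942130;ARGS,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key,\
    ver:'OWASP_CRS/3.3.2'"

# Confirm account
# GET /xf/account-confirmation/name.12345/email?c=foo
SecRule REQUEST_FILENAME "@rx /account-confirmation/.*\.\d+/email$" \
    "id:9006315,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\
    ver:'OWASP_CRS/3.3.2'"

# Edit account
# POST /xf/account/account-details
SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
    "id:9006320,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html,\
    ver:'OWASP_CRS/3.3.2'"

# Lost password
# POST /xf/lost-password/user-name.12345/confirm?c=foo
SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
    "id:9006330,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\
    ver:'OWASP_CRS/3.3.2'"

# Set forum signature
# POST /xf/account/signature
SecRule REQUEST_FILENAME "@endsWith /account/signature" \
    "id:9006340,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html,\
    ver:'OWASP_CRS/3.3.2'"

# Search
# POST /xf/search/search
#
# keywords is free text. constraints is structured search data, so only
# the SQLi rules it trips (942200/942260/942340/942370) are removed.
SecRule REQUEST_FILENAME "@endsWith /search/search" \
    "id:9006400,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:keywords,\
    ctl:ruleRemoveTargetById=942200;ARGS:constraints,\
    ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
    ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
    ctl:ruleRemoveTargetById=942370;ARGS:constraints,\
    ver:'OWASP_CRS/3.3.2'"

# Search within thread
# GET /xf/threads/foo.12345/page12?highlight=foo
#
# The page segment is optional, so the bare thread URL matches as well.
SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
    "id:9006410,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight,\
    ver:'OWASP_CRS/3.3.2'"

# Search within search result
# GET /xf/search/12345/?q=foo
SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
    "id:9006420,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q,\
    ver:'OWASP_CRS/3.3.2'"

# Contact form
# POST /xf/misc/contact
SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
    "id:9006500,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\
    ver:'OWASP_CRS/3.3.2'"

# Report post
# POST /xf/posts/12345/report
SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
    "id:9006510,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
    ver:'OWASP_CRS/3.3.2'"

# Alternate thread view route
# /xf/index.php?threads/title-having-some-sql.12345/
#
# Especially threads with the HAVING sql keyword are FP prone.
# This rule has some chains to narrow down the exclusion,
# making it harder for an attacker to abuse the ARGS_NAMES
# exclusion on other endpoints.
#
# The chain requires, in order: the script is index.php, the method is
# GET, exactly one argument is present (the route itself, which XenForo
# passes as a parameter *name* with no value), and the query string
# has the threads/<title>.<id>/ shape. Only then are 942100 and 942230
# removed for ARGS_NAMES; any extra parameter breaks the &ARGS count
# and keeps full inspection.
SecRule REQUEST_FILENAME "@endsWith /index.php" \
    "id:9006600,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule REQUEST_METHOD "@streq GET" \
        "t:none,\
        chain"
        SecRule &ARGS "@eq 1" \
            "t:none,\
            chain"
            SecRule REQUEST_URI "@rx /index\.php\?threads/.*\.\d+/$" \
                "t:none,\
                ctl:ruleRemoveTargetById=942100;ARGS_NAMES,\
                ctl:ruleRemoveTargetById=942230;ARGS_NAMES"

# Browser fingerprint (DBTech security extension)
# May contain various javascript/XSS false positives
#
# Only components[14..16][value] are excluded; other component indexes
# remain inspected.
SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
    "id:9006700,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value],\
    ver:'OWASP_CRS/3.3.2'"

# Get location info
# POST /xf/misc/location-info
SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
    "id:9006710,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location,\
    ver:'OWASP_CRS/3.3.2'"


#
# -=[ XenForo Global Exclusions ]=-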
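#
# _xfRedirect, _xfRequestUri can appear on various endpoints.
# Cookies can appear on all endpoints.
#
# This is an unconditional SecAction: once crs_exclusions_xenforo=1 is
# set, these target removals apply to every request that reaches the
# rule, regardless of path. Each entry removes one specific rule id for
# one specific parameter or cookie; the only full exclusion is the xf_ls
# cookie, which is removed from every CRS rule.
SecAction \
    "id:9006800,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=931120;ARGS:_xfRedirect,\
    ctl:ruleRemoveTargetById=941150;ARGS:_xfRedirect,\
    ctl:ruleRemoveTargetById=942230;ARGS:_xfRedirect,\
    ctl:ruleRemoveTargetById=942260;ARGS:_xfRedirect,\
    ctl:ruleRemoveTargetById=931120;ARGS:_xfRequestUri,\
    ctl:ruleRemoveTargetById=941150;ARGS:_xfRequestUri,\
    ctl:ruleRemoveTargetById=942130;ARGS:_xfRequestUri,\
    ctl:ruleRemoveTargetById=942230;ARGS:_xfRequestUri,\
    ctl:ruleRemoveTargetById=942260;ARGS:_xfRequestUri,\
    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_csrf,\
    ctl:ruleRemoveTargetById=942210;REQUEST_COOKIES:xf_csrf,\
    ctl:ruleRemoveTargetById=942440;REQUEST_COOKIES:xf_csrf,\
    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_emoji_usage,\
    ctl:ruleRemoveTargetById=942150;REQUEST_COOKIES:xf_emoji_usage,\
    ctl:ruleRemoveTargetById=942410;REQUEST_COOKIES:xf_emoji_usage,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_session,\
    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user,\
    ver:'OWASP_CRS/3.3.2'"


#
# -=[ XenForo Administration Back-End ]=-
#

# Skip this section for performance unless requested file is admin.php
#
# Note that the admin exclusions below are selected purely by path; they
# do not (and cannot) check that the request is authenticated, so an
# unauthenticated request to admin.php gets the same relaxation. The
# back-end's own authentication is what protects these endpoints.
SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
    "id:9006900,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    skipAfter:END-XENFORO-ADMIN"

SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
    "id:9006901,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    skipAfter:END-XENFORO-ADMIN"

# Admin edit user
# POST /xf/admin.php?users/the-user-name.12345/edit
SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
    "id:9006910,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
    ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
    ver:'OWASP_CRS/3.3.2'"

# Admin save user
# POST /xf/admin.php?users/the-user-name.12345/save
# Runs in phase 1 to be able to remove rule 200003.
# (200003 is the engine's multipart validation rule from
# modsecurity.conf, not part of this file.)
SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \
    "id:9006920,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=200003,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[occupation],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[personal_quote],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[signature],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\
    ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
    ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
    ver:'OWASP_CRS/3.3.2'"

# Admin edit forum notice
# POST /xf/admin.php?notices/0/save
# POST /xf/admin.php?notices/forum-name.12345/save
SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \
    "id:9006930,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
    ver:'OWASP_CRS/3.3.2'"

# Admin batch thread / user update
# POST /xf/admin.php?threads/batch-update/action
# POST /xf/admin.php?users/batch-update/action
SecRule REQUEST_URI "@rx /admin\.php\?(?:threads|users)/batch-update/action$" \
    "id:9006940,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942200;ARGS:criteria,\
    ctl:ruleRemoveTargetById=942260;ARGS:criteria,\
    ctl:ruleRemoveTargetById=942330;ARGS:criteria,\
    ctl:ruleRemoveTargetById=942340;ARGS:criteria,\
    ctl:ruleRemoveTargetById=942370;ARGS:criteria,\
    ver:'OWASP_CRS/3.3.2'"

# Edit forum theme
# POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic
#
# Deliberately unanchored at the end: the style editor uses several
# sub-routes under styles/. The json parameter only loses the listed
# SQLi rules.
SecRule REQUEST_URI "@rx /admin\.php\?styles/" \
    "id:9006950,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942200;ARGS:json,\
    ctl:ruleRemoveTargetById=942260;ARGS:json,\
    ctl:ruleRemoveTargetById=942300;ARGS:json,\
    ctl:ruleRemoveTargetById=942330;ARGS:json,\
    ctl:ruleRemoveTargetById=942340;ARGS:json,\
    ctl:ruleRemoveTargetById=942370;ARGS:json,\
    ctl:ruleRemoveTargetById=942440;ARGS:json,\
    ver:'OWASP_CRS/3.3.2'"

# Set forum options
# POST /xf/admin.php?options/update
SecRule REQUEST_URI "@rx /admin\.php\?options/update" \
    "id:9006960,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:options[boardInactiveMessage],\
    ver:'OWASP_CRS/3.3.2'"

# Edit pages/templates
# POST /xf/admin.php?pages/0/save
# POST /xf/admin.php?pages/foo.12345/save
# POST /xf/admin.php?templates/foo.1234/save
#
# The template parameter is administrator-authored markup and is
# excluded from all CRS rules; the pattern has no trailing anchor, so
# matching is by prefix.
SecRule REQUEST_URI "@rx /admin\.php\?(?:pages|templates)/.*/save" \
    "id:9006970,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:template,\
    ver:'OWASP_CRS/3.3.2'"

SecMarker "END-XENFORO-ADMIN"

SecMarker "END-XENFORO"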