[ { "enabled": 1, "version_min": 300000, "version_max": 0, "title": "double macros bug 1/n", "client": { "ip": "200.249.12.31", "port": 2313 }, "server": { "ip": "200.249.12.31", "port": 80 }, "request": { "headers": { "Host": "net.tutsplus.com", "User-Agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)", "Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8", "Accept-Language": "en-us,en;q=0.5", "Accept-Encoding": "gzip,deflate", "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", "Keep-Alive": "300", "Connection": "keep-alive", "Cookie": "PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120", "Pragma": "no-cache", "Cache-Control": "no-cache" }, "uri": "\/test.pl?param1= test ¶m2=test2&pparam=дор", "method": "GET", "http_version": 1.1, "body": "" }, "response": { "headers": { "Content-Type": "text\/xml; charset=utf-8\n\r", "Content-Length": "length\n\r" }, "body": [ "\n\r", "\n\r", " \n\r", " \n\r", " string<\/EnlightenResult>\n\r", " <\/EnlightenResponse>\n\r", " <\/soap:Body>\n\r", "<\/soap:Envelope>\n\r" ] }, "expected": { "debug_log": "TX:msg with value: test tes", "http_code": 200 }, "rules": [ "SecRuleEngine On", "SecRule ARGS \"@contains test2\" \"phase:1,id:999,setvar:tx.msg=%{ARGS:param1}%{ARGS:param1}\"" ] }, { "enabled": 1, "version_min": 300000, "version_max": 0, "title": "double macros bug 2/n", "client": { "ip": "200.249.12.31", "port": 2313 }, "server": { "ip": "200.249.12.31", "port": 80 }, "request": { "headers": { "Host": "net.tutsplus.com", "User-Agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)", "Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8", "Accept-Language": "en-us,en;q=0.5", "Accept-Encoding": "gzip,deflate", "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", "Keep-Alive": "300", "Connection": "keep-alive", "Cookie": "PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120", "Pragma": "no-cache", "Cache-Control": "no-cache" }, "uri": "\/test.pl?param1= test ¶m2=test2&pparam=дор", "method": "GET", "http_version": 1.1, "body": "" }, "response": { "headers": { "Content-Type": "text\/xml; charset=utf-8\n\r", "Content-Length": "length\n\r" }, "body": [ "\n\r", "\n\r", " \n\r", " \n\r", " string<\/EnlightenResult>\n\r", " <\/EnlightenResponse>\n\r", " <\/soap:Body>\n\r", "<\/soap:Envelope>\n\r" ] }, "expected": { "debug_log": "", "http_code": 200 }, "rules": [ "SecRuleEngine On", "SecRule ARGS|XML|XML \"test\" \"id:123,phase:2,block,msg:'Possible harmful executable file detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VARS}',t:none,tag:'application-multi',tag:'platform-multi',tag:'attack-file-upload',tag:'OWASP_CRS/WEB_ATTACK/MALICIOUS_FILE',tag:'paranoia-level/1',ver:'OWASP_CRS/3.1.0',severity:'NOTICE',setvar:'tx.msg=%{rule.msg}',setvar:'tx.anomaly_score=+%{tx.notice_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/MALICIOUS-FILE-%{matched_var_name}=%{tx.0}'\"" ] } ]