Signature analysis

Community Edition of the Nemesida WAF provides basic protection of web applications against hacker attacks based on signature analysis only (scanning, unqualified attempts to search/exploit vulnerabilities). In the same time the signature analysis is not able to detect modified, complex or new types of attacks, for example:
un","ion se","lect
union/*aaaaa*/select
un%e2%80%8bion se%e2%80%8blect
al\u0065rt(1)
j%26Tab;avascript:a%26Tab;lert()
/???/??t /???/p??s??
cat /e't'c/pa'ss'wd
e'c'ho 'swd test pentest' |awk '{print "cat /etc/pas"$1}' |bash
ec'h'o 'cat /etc/examplewd' | sed 's/example/pass/g' | bash
For high-quality protection of web applications (websites, online marketplace, API etc.) including against zero-day attacks use a full-featured version of Nemesida WAF with machine learning module.

Check your WAF before an attacker does with WAF Bypass Tool - an open source tool to analyze the security of any WAF for False Positives and False Negatives using predefined and customizable payloads. WAF Bypass Tool is developed by Nemesida WAF team with the participation of community.

The rules.bin

Rule ID Type Signature Tag Score Match zone
1RLnwaftestOther12BODY|URL|ARGS|HEADERS
30RL{{Injection2BODY
31RLx(\d+\s*,\s*){4,}SQLi4BODY|URL|ARGS|HEADERS
32RLx\W&&\WSQLi2BODY|URL|ARGS|HEADERS
33RLx\W@@\wSQLi2BODY|URL|ARGS|HEADERS
34RLx\W\|\|\WSQLi2BODY|URL|ARGS
35RLx\{\{.+\}\}Injection8ARGS
36RL$(Injection2BODY|URL|ARGS|HEADERS
37RL${Injection2BODY|URL|ARGS|HEADERS
39RL/*SQLi1BODY|URL|ARGS|Cookie|User-agent
40RL*/SQLi1BODY|URL|ARGS|Cookie|User-agent
51RL;SQLi2URL|ARGS
52RL'SQLi2URL|ARGS|User-Agent
53RL?Evasion2URL|ARGS|User-agent
54RL['#RCE8URL
55RL\'%SQLi2BODY|URL|ARGS
56RL%\'SQLi2BODY|URL|ARGS
57RLx(\.)+(\\|\/)+(\.)+(\\|\/)+LFI8BODY|URL|ARGS|HEADERS
58RL=\"SQLi2BODY|URL|ARGS
59RL=\'SQLi2BODY|URL|ARGS
60RL*\'SQLi4BODY|URL|ARGS
61RL!=SQLi6URL|ARGS
66RL\\Evasion2BODY|URL|ARGS
67RL../Injection8BODY|URL|ARGS|HEADERS
68RL--SQLi2BODY|URL|ARGS|User-agent
69RL#SQLi1BODY|URL|ARGS|Cookie|User-agent
71RL..\..\LFI8BODY|URL|ARGS|HEADERS
74RLx\\x[0-9a-z]{2,2}Evasion0BODY|URL|ARGS|HEADERS|MLA
76RLx(\\|%)u[0-9a-f]{4,4}Evasion0BODY|URL|ARGS|HEADERS|MLA
77RL././LFI8BODY|URL|ARGS|HEADERS
98RLx[&=<]\.0XSS6BODY|URL|ARGS
99RLx[\^<>]0\.XSS6BODY|URL|ARGS
100WLxsitemap[\w\-\.]+\.gz$WL0URL
101WLx(\d+\s*,\s*){4,}WL0Cookie|Referer
104WLxutm_referrer=https?://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}WL0ARGS
105WLx\-+\wWL0Content-Type
106WLxn--p1aiWL0BODY|URL|ARGS|HEADERS
109WL?from=WL0ARGS
110WL<?xmlWL0BODY
111WLx\{\{[a-z0-9.]+\}\}WL0ARGS
500RL/.sourceXSS12BODY|URL|ARGS|HEADERS
502RLx(\s|\.)src(\s|\+)*=XSS2BODY|URL|ARGS|HEADERS
504RLx(^|\W)eval\(|@eval\WXSS12BODY|URL|ARGS|HEADERS
505RLx<svg(\s|\+)XSS4BODY|URL|ARGS|HEADERS
508RLx(^|\W)alert\/?(\.(source|call|apply|bind|valueof))?[\(\`\&\]]XSS8BODY|URL|ARGS|HEADERS
509RLsymbol.replaceXSS8BODY|URL|ARGS|HEADERS
510RLxarray\.(map|from|prototype)XSS8BODY|URL|ARGS|HEADERS
511RLx(^|\W)document(\.[a-z]+)+\(XSS12BODY|URL|ARGS|HEADERS
512RL</noscriptXSS4BODY|URL|ARGS|HEADERS
513RL</xmpXSS4BODY|URL|ARGS|HEADERS
514RL</styleXSS4BODY|URL|ARGS|HEADERS
515RL</scriptXSS12BODY|URL|ARGS|HEADERS
516RLx<img(\s|\+)XSS2BODY|URL|ARGS|HEADERS
517RLx<base(\s|\+)XSS4BODY|URL|ARGS|HEADERS
518RLx<i?frame\WXSS6BODY|URL|ARGS|HEADERS
528RLxon(error|cut|begin|wheel|blur|change|input|reset|select|down|keypress|keyup|paste|copy|toggle)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
532RLxonmouse(down|enter|leave|move|out|over|up|wheel)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
534RL</titleXSS2BODY|URL|ARGS|HEADERS
535RLsvg>XSS4BODY|URL|ARGS|HEADERS
536RL<<XSS4URL|ARGS
537RLx<script(\s|\+|\/|\>)XSS12BODY|URL|ARGS|HEADERS
538RL>>XSS4URL|ARGS
540RLxon(aux|dbl)?click(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
542RLxontouchcancel(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
543RLx(^|\W)set(Timeout|Interval|Immediate)\(XSS12BODY|URL|ARGS|HEADERS
544RLx(^|\W)execscript\(XSS12BODY|URL|ARGS|HEADERS
545RLcrypto.generateCRMFRequestXSS12BODY|URL|ARGS|HEADERS
548RLRange.createContextualFragmentXSS12BODY|URL|ARGS|HEADERS
549RLxwindow[?]?\.(location|alert|name)XSS12BODY|URL|ARGS|HEADERS
550RLxdocument[.;](location|domain|cookie)XSS8BODY|URL|ARGS|HEADERS
551RLx(^|\W)location\.(assign|reload|replace|tostring)\(XSS12BODY|URL|ARGS|HEADERS
552RLx(^|\W)history(\.[a-z]+)+\(XSS12BODY|URL|ARGS|HEADERS
553RLx(^|\W)(local|session)Storage\(XSS12BODY|URL|ARGS|HEADERS
554RL<svg/onXSS12BODY|URL|ARGS|HEADERS
555RLx(^|\W)createElement\(XSS12BODY|URL|ARGS|HEADERS
1000RLx[^-:=\.\w\|]where[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1001RLx[^-:=\.\w\|]update[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1002RLx[^-:=\.\w\|]table[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1003RLxgroup[^-:=\.\w\|/]+bySQLi2BODY|URL|ARGS|HEADERS
1005RLxorder[^-:=\.\w\|]+bySQLi3BODY|URL|ARGS|HEADERS
1006RLx[^-:=\.\w\|]limit[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1007RLx[^-:=\.\w\|]select[^-:=\.\w\|]SQLi4BODY|URL|ARGS|HEADERS
1008RLx[^-:=\.\w\|]insert[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1010RLx[^-:=\.\w\|]truncate[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1011RLx(^|\W)benchmark\(SQLi4BODY|URL|ARGS|HEADERS
1012RLx(^|\W)((var)?char|chr)\W*[(@]+[\d\s]SQLi12BODY|URL|ARGS|HEADERS
1016RLx[^-:=\.\w\|]if[^-:=\.\w\|]SQLi2BODY|URL|ARGS|HEADERS
1021RLxselect[^-:=\.\w\|]{1,50}(.|\s){0,50}fromSQLi8BODY|URL|ARGS|HEADERS
1023RLextractvalueSQLi4BODY|URL|ARGS|HEADERS
1024RLx(^|\W)concat\(SQLi12BODY|URL|ARGS|HEADERS
1025RLupdatexmlSQLi4BODY|URL|ARGS|HEADERS
1026RLx(^|\W)system\(RCE8BODY|URL|ARGS|HEADERS
1027RLx(^|\W)extractvalue\(SQLi6BODY|URL|ARGS|HEADERS
1028RLx(^|\W)elt\(SQLi6BODY|URL|ARGS|HEADERS
1031RLx(encode|decode)\W*[\(\)]SQLi12BODY|URL|ARGS|HEADERS
1032RLgroup_concatSQLi4BODY|URL|ARGS|HEADERS
1033RLx\Wrlike\(SQLi6BODY|URL|ARGS|HEADERS
1034RLx[^-:=\.\w\|]database[^-:=\.\w\|]SQLi4BODY|URL|ARGS|HEADERS
1035RLsystem_userSQLi6BODY|URL|ARGS|HEADERS
1036RLversion()SQLi8BODY|URL|ARGS|HEADERS
1037RLx(^|\W)not\W+in\(SQLi6BODY|URL|ARGS|HEADERS
1038RLxjson(_\w+){1,2}\(SQLi6BODY|URL|ARGS|Cookie
1039RLx[^-:=\.\w\|]contains[^-:=\.\w\|]SQLi4BODY|URL|ARGS|HEADERS
1040RLx[^-:=\.\w\|]sleep[^-:=\.\w\|]SQLi6BODY|URL|ARGS|HEADERS
1042RLtable_nameSQLi6BODY|URL|ARGS
1043RLx\`\`\s*\`\`SQLi2BODY|URL|ARGS
1044RLtable.nameSQLi6BODY|URL|ARGS
1045RLisnullSQLi2BODY|URL|ARGS|HEADERS
1046RLx_(en|de)crypt\(SQLi6BODY|URL|ARGS|HEADERS
1049RLcreate_digestSQLi6BODY|URL|ARGS|HEADERS
1050RLxlog\d+\W*(\(|\))SQLi8URL|ARGS
1053RLx/(bin|sbin)/Other4BODY|URL|ARGS|HEADERS
1055RLto_base64SQLi6BODY|URL|ARGS|HEADERS
1056RLx[^-:=\.\w\|]replace[^-:=\.\w\|]SQLi4BODY|URL|ARGS|HEADERS
1057RLmaster_pos_waitSQLi8URL|ARGS
1059RLstr_replaceSQLi8BODY|ARGS
1060RLuser_metaSQLi8BODY|URL|ARGS
1061RLregexpSQLi2BODY|ARGS
1063RLx\d+[\'\`]SQLi8URL
1064RLwp_commentSQLi8BODY|URL|ARGS
1065RLwp_usermetaSQLi8BODY|URL|ARGS
1066RLwp_postSQLi8BODY|URL|ARGS
1067RLwp_termSQLi8BODY|URL|ARGS
1068RLwp_userSQLi8BODY|ARGS
1069RLwp_optionsSQLi8BODY|ARGS
1072RLx(^|\W)print(_r|ln)?\(SQLi12BODY|URL|ARGS|HEADERS
1075RLx\d\'\s*\w+=(\d+|\')SQLi12URL|ARGS
1077RLx=(\-\w+|\w+[\'\)\"])(.|\s){0,30}\s+where\s+(.|\s){0,30}\s+(OR|AND)SQLi12BODY|URL|ARGS|HEADERS
1078RLxctx=web\&cache_filename=.+\.php.+IMresizedData=\<\?phpSQLi12BODY
1081RLx\w+=\d+\'($|\s)SQLi12URL|ARGS
1085RLx\d+[\'\`]SQLi2BODY|ARGS|HEADERS
1086RLx(\b(m(s(ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)\b|s(ys(\.database_name|aux)\b|chema(\W*\(|_name\b)|qlite(_temp)?_master\b)|d(atabas|b_nam)e\W*\(|information_schema\b|pg_(catalog|toast)\b|northwind\b|tempdb\b))SQLi8BODY|URL|ARGS|HEADERS
1087RLxsleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.{0,50}?),(.{0,50}?)\)SQLi12BODY|URL|ARGS|HEADERS
1088RLx(((select|;)\s+(benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+))SQLi12BODY|URL|ARGS|HEADERS
1090RLx((alter\s*?\w+.{0,50}?(character|char)\s+set\s+\w+)|([\"'`];*?\s*?waitfor\s+(time|delay)\s+[\"'`])|([\"'`];.{0,50}\s*?\Wgoto\W))SQLi8BODY|URL|ARGS|HEADERS
1091RLx(^|\W)union(.|\s){1,50}select(.|\s){1,50}from\WSQLi12BODY|URL|ARGS|HEADERS
1092RLx((select\s*?pg_sleep)|(waitfor\s*?delay\s?[\"'`]+\s?\d)|(;\s*?shutdown\s*?(;|--|#|/\*|{)))SQLi8BODY|URL|ARGS|HEADERS
1093RLx["\[]\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and|where)["\]]Injection12BODY|URL|ARGS|HEADERS
1094RLx((procedure\s+analyse\s*?\()|(;\s*?(declare|open)\s+[\w-]+)|(create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@))SQLi8BODY|URL|ARGS|HEADERS
1096RLxxp_(servicecontrol|regread|regwrite|regdeletevalue|regdeletekey|fileexist|enumerrorlogs|readerrorlogs|enumdsn|enumgroups|ntsec_enumdomains)SQLi12BODY|URL|ARGS|HEADERS
1099RLx(^|&)src=[^&]*?(http|ftp)SQLi12URL
1100RLx[?&]home=[^&]*?(http|ftp)Other12URL
1102RLx[?&]size=[^&]*?\x3bSQLi12ARGS
1104RLaction=getTopicSQLi8BODY
1105RLx\[\#markup\]\=\S+\s+\S+RCE12BODY|URL|ARGS
1107RLfound_rowsSQLi8URL|ARGS
1108RLtcelesSQLi4URL|ARGS|Cookie
1109RLxinformation(_|\.)schemaSQLi12BODY|URL|ARGS|HEADERS
1110RLx(\s|\+)(infile|outfile|dumpfile)(\s|\+)SQLi8BODY|URL|ARGS|HEADERS
1111RLnoinuSQLi4URL|ARGS
1112RLsubstring%SQLi8BODY|URL|ARGS|HEADERS
1115RL@@versionSQLi8BODY|URL|ARGS|HEADERS
1116RLschemaSQLi6URL|ARGS
1117RLdatadirSQLi8BODY|URL|ARGS|HEADERS
1118RLhostnameSQLi4BODY|URL|ARGS|HEADERS
1119RLrowcountSQLi4BODY|URL|ARGS|HEADERS
1120RLx\s;\sSQLi8URL|ARGS
1121RLcoercibilitySQLi8URL|ARGS
1123RLCOLLATIONSQLi8URL|ARGS
1124RLCONNECTION_IDSQLi8URL|ARGS
1125RLcurrent_userSQLi4URL|ARGS
1126RLlast_insert_idSQLi8URL|ARGS
1127RLrow_countSQLi8URL|ARGS
1128RLsession_userSQLi8URL|ARGS
1129RL@userSQLi8URL|ARGS
1130RLx/%?\*(.|\s){0,50}\*%?/SQLi6URL|ARGS
1131RLx/%?\*(.|\s){0,50}\*%?/SQLi2BODY
1132RLx((/%?\*(.|\s){0,50}\*%?/)(.|\s){0,50}){3,}SQLi12BODY|URL|ARGS|HEADERS
1133RLxname\[\d+.{20,}\]SQLi12BODY
1134RLxadmin(istrator)?'--SQLi12BODY|URL|ARGS|HEADERS
1136RLx^(file|ftps?|https?)://(.{0,500})$SQLi8ARGS
1137RLx%0(.|\s){0,50}([a-z]%){3,}SQLi12BODY|URL|ARGS|HEADERS
1138RLx(%\w%.{0,50}){5,}SQLi8BODY|URL|ARGS|HEADERS
1139RLvalidate_password_strengthSQLi8URL|ARGS
1141RLlibraryContentSQLi8BODY
1142RLbase64_decodeSQLi8BODY
1143RLglobals[RCE8BODY|URL|ARGS
1144RLx(^|\W)response\.(write|flush|clear)\(Injection12BODY|URL|ARGS|HEADERS
1145RLx\w=\/?\.{1,2}(\\|\/)LFI8BODY|ARGS|Referer
1311RL<?RCE4BODY
1312RL?>RCE4BODY
1313RL<?phpRCE12BODY|URL|ARGS|HEADERS
1314RLx\$_\w{1,15}\[Other12BODY|URL|ARGS|HEADERS
1316RLget_defined_functionsRCE12BODY|URL|ARGS|HEADERS
1317RL_PHPLIB[libdir]Other8BODY|URL|ARGS|HEADERS
1318RLxauto_prepend_file|auto_append_fileRFI12URL|ARGS
1322RLburpcollaborator.netScanner12BODY|URL|ARGS|HEADERS
1324RLconstructor.constructorOther8BODY
1352RLXAttacker.phpOther12BODY|URL|ARGS
1397RLxinclude.?dir\x3DOther12URL
1398RLxpath=(https?|ftps?|php)Other12URL
1399RLxphp\?goto=(https?|ftps?|php)RFI12URL
1431RLx/(admin/addcontent\.inc|images/psg)\.phpOther12URL
1459RLsvg>XSS3BODY
1491RLx[^-:\.\w\|]exec[^-:\.\w\|\/]Injection8BODY|URL|ARGS|HEADERS
1493RLx(^|\W)die\(RCE12BODY|URL|ARGS|HEADERS
1497RLx(.{1,50}\(.{1,50}\)){3,}Other12URL
1500RLx\.(.{0,250})~($|\s)UWA12URL
1501RLxsrc=https?\x3a\x2f[^\x26\x20]*?(\x24\x28|%24%28)UWA12URL|ARGS
1502RL.vscodeOther12URL
1505RLx\.(gemfile|gemfile|rb|irbrc)($|\s|\:)UWA12URL
1506RLx\.(bzr|project|sublime(-workspace)?|md|svn|gitkeep|s3cfg|(git|hg|cvs)(ignore)?|subversion|csproj|(ftp)?config|cfg|atom|vb|vscode|circleci|npmrc)($|\s|\/|\:)UWA12URL
1512RLx\.php[^3-7\/s][\w\-\_~]*(\.\w+)?$UWA12URL
1513RLx\.(py|pl|cgi)($|\s|\:)UWA8URL
1515RL.ds_storeUWA12URL
1516RLx\.(jar|jsp|jspx|jspf|java|coffee|war|yml|cfm)($|\s|\:)UWA12URL
1517RLx\.(conf|ssh|ini|inc|env|inc|viminfo|properties|dead\.letter|passwd|schema)($|\s|\:)UWA8URL
1518RLx\.(phpinc|save|sav|swp|swo|lock|old|orig|log|tmp|temp|restore|suspected)($|\s|\:)UWA12URL
1519RLx\.(bz2|gz|tar|xz|lzma)($|\s|\:)UWA4URL
1521RLsftp-config.jsonUWA12URL
1522RL.idea/UWA12URL
1523RLx^/wp-content/plugins/($|\s)UWA12URL
1524RLx/wp-content/plugins/.{1,50}/cache/UWA12URL
1526RLx\.(mdb|db|sqlite|sql)($|\s|\:)UWA12URL
1528RLxid_(rsa|dsa)\.ppk($|\s|\:)UWA12URL
1559RLxetc/(passwd|shadow)UWA12BODY|URL|ARGS|HEADERS
1560RLx\W(win|system|php)\.iniUWA8BODY|URL|ARGS|HEADERS
1561RLx\.(ksh|rsh|tcsh|csh|zsh|zshrc|bash|bash_profile|rksh|sh_history)($|\s|\:)UWA12URL
1562RLx\.(bat|exe|dll|dat)($|\s|\:)UWA12URL
1808RLcomposer.jsonUWA8URL
1811RLx%psmodulepath%|%public%|%appdata%|%localappdata%UWA12URL|ARGS
1812RLx%allusersprofile%|%userdata%|%username%|%userprofile%UWA12URL|ARGS
1813RLx%homedrive%|%homepath%UWA12URL|ARGS
1814RLx%homedrive%|%homepath%UWA12URL|ARGS
1816RLx%systemdrive%|%systemroot%|%windir%|%comspec%UWA12URL|ARGS
1818RLx%path%|%pathext%UWA8URL|ARGS
1819RLx%computername%|%logonserver%|%prompt%|%userdomain%UWA8URL|ARGS
1820RLdb_details_importdocsql.phpUWA8URL
1821RLx/(global|dnewsweb|swsrv|ikonboard)\.cgiUWA8URL
1822RL/math_sum.mscgiUWA8URL|ARGS
1823RLx/(ksh|rsh|tcsh|csh|zsh|zshrc|bash|bash_profile|rksh)($|\s)UWA12URL|ARGS
1826RLx\/(math_sum.mscgi|htsearch|printenv|db2www|document.d2w)UWA12URL
1827RL/admentor/admin/admin.aspUWA8URL
1830RL/timthumb.phpUWA4URL
1831RL/timthumbdir/cacheUWA4URL
1832RL/w3tc/dbcacheUWA8URL
1834RLphp://UWA12BODY|URL|ARGS|HEADERS
1835RLftp://UWA12BODY|ARGS
1836RLzlib://UWA12BODY|URL|ARGS|HEADERS
1837RLdata://UWA12BODY|URL|ARGS|HEADERS
1838RLglob://UWA12BODY|URL|ARGS|HEADERS
1839RLphar://UWA12BODY|URL|ARGS|HEADERS
1840RLfile://UWA12BODY|ARGS
1841RL/cfide/componentutilsUWA12URL
1842RL/mysqldumperUWA12URL
1843RLxphp(pg|my)adminUWA12URL
1845RL/bin/shUWA12BODY|URL|ARGS|HEADERS
1846RL.htpasswdUWA12URL|ARGS
1847RL.htaccessUWA12URL|ARGS
1848RLwhitelist.pacUWA12URL
1849RLproxy.pacUWA12URL
1850RL(?p=b)((?p=b)(?j:(?p<b>c)(?p<b>a(?p=b)))>wgxcredits)UWA12BODY|ARGS|HEADERS
1851RL0000::1UWA12X-Forward-For
1852RL127.0.0UWA12X-Forward-For
1853RL(?j:(?|(:(?|(?'r')(\k'r')|((?'r')))h'rk'rf)|s(?'r'))))UWA12HEADERS
1854RL/var/www/UWA12URL|ARGS
1856RL/philboard_admin.aspUWA12URL|ARGS
1857RL/cgi-bin/lsUWA8URL|ARGS
1860RL/wp-includes/rss-functions.phpUWA12URL
1861RL/wp-content/themes/RightNow/includes/uploadify/upload_settings_image.phpUWA12BODY
1866RLxstdin|stdout|stderrUWA4BODY|URL|ARGS|HEADERS
1868RLX-Pingback-Forwarded-For:UWA8X-Forward-For
1869RLx/dev/(tcp|udp)UWA12BODY|ARGS|HEADERS
1870RL/sqlite/main.phpUWA12URL|ARGS
1871RLx(^|\W)php(_uname|credits|info|version)\(Injection12BODY|URL|ARGS|HEADERS
1872RLx/~(root|ftp|nobody)UWA12BODY|URL|ARGS
1873RL/htmlscriptUWA12URL
1876RL/post-queryUWA8URL
1879RLx[^/]https?:/UWA8URL
1882RLx(^|\W)javascript:XSS8BODY|URL|ARGS|HEADERS
1883RL/DatabaseFunctions.phpUWA8URL
1884RL/GlobalFunctions.phpUWA8URL
1885RL/UpdateClasses.phpUWA8URL
1886RL/scripts/setup.phpUWA12URL
1887RLx(phpinfo|phpsysinfo)\.phpUWA12URL
1888RL/server_sync.phpUWA12URL
1891RLPageServicesUWA8URL|ARGS
1892RL/htgrepUWA8URL
1893RL/WEB-INF/UWA12URL
1894RL/proc/self/UWA12BODY|URL|ARGS
1895RLphpb8b5f2a0-3c92-11d3-a3a9-4c7b08c10000UWA4ARGS
1896RLxphpe9568f3(4|5|6)-d428-11d2-a769-00aa001acf42UWA4ARGS
1897RLx/_vti_(adm|bin)/UWA12URL
1898RL/_vti_rpcUWA12URL
1899RL/server-statusUWA12URL
1900RL/balancer-managerUWA12URL
1901RL/host-manager/UWA12URL
1902RLfx29shcookUWA8URL
1903RLxact=\S+&(d|f)=UWA12BODY|ARGS
1904RLxact=(fxmailselfremove|encoder|eval|sql|phpinfo)UWA12BODY|ARGS
1905RLx_act=(execute|list\s+files|upload)UWA12BODY|ARGS
1906RLcmd_txt=1UWA8ARGS
1907RLc99.phpUWA12URL
1908RLx(\s|\+|#)cmd=UWA12BODY|URL|ARGS|HEADERS
1909RLxc999sh_surl|c999shvarsUWA12Cookie
1910RLwebconfig.txt.phpUWA12URL
1911RLwpad.datUWA12URL
1913RLcomposer.pharUWA8URL
1914RLxadminer.*\.phpUWA12URL
1915RLx(wso|r57|r57shell)\.phpUWA12URL
1917RL/admin/templates/header.phpUWA8URL
1918RL/soapcaller.bsUWA12URL
1919RL/plugin_googlemap2_proxy.phpUWA12URL
1920RL/images/stories/story.phpUWA12URL
1921RLx/plugins/system/.{1,50}\.phpUWA12URL
1922RL/.ssh/UWA12URL
1923RL/known_hostsUWA12URL
1924RL/authorized_keysUWA12URL
1925RLx\.(key|pem|id_rsa|id_dsa)($|\s)UWA12URL
1926RLx\.(sh|bash|nano|irb|psql|mysql)_history($|\s)UWA12URL
1927RLx\.(bac|bak|bkp|bkf|bkp|back|backup|bakup)($|\s)UWA12URL
1928RLx\.(history|histfile)($|\s)UWA12URL
1929RLproftpdpasswdUWA12URL
2100RLxnessus|acunetix|nmap|sqlmap|[nw]ikto|dirbuster|gobuster|w3af|webster|openvas|meterpreter|network-services-auditor|wpscan|hydra|XSpider|Nuclei|l9exploreScanner12User-agent
2101RLxabsinthe|autogetcolumn|bsqlbf|cisco-torch|crimscanner|appscan_fingerprint|amiga-aweb|digimarc webreaderScanner12User-agent
2102RLxsql\s+power\s+injector|dav\.pm|prog.customcrawler|whcc|grendel-scan|masscanScanner12User-agent
2103RLxshellshock-scan|thanks-rob|WebCruiser|webinspect|whisker|chinaclaw|whatweb|wordpress hash grabberScanner12User-agent
2104RLxmysqloit|netsparker|paros|pavuk|uil2pn|friendly-scanner|sundayddr|zmeu|sqlspider|EvasionsScanner12User-agent
2105RLxapachebench|datacha0s|nv32ts|brutus|arachni|synapse|havij|sucuri|sitelock|scanalertScanner12User-agent
2106RLxhttp_get_vars|n-stealth|picscout|t34mh4k|webshag|mozilla/\d+\.\d+\s+sfScanner12User-agent
2107RL++++++++resultScanner12URL
2112RL/jmx-console/htmladaptorScanner12URL
2115RLxphp/\d+\.|python-httplib|winhttprequest|pymills-spider/|^\.Scanner1User-agent
2116RLinternal dummy connectionScanner12User-agent
2400RLbase64Evasion2URL|ARGS
2401RLcghwaw5mbygpoyagEvasion12BODY|URL|ARGS|HEADERS
2402RLhttp://http://Other12HEADERS
2403RLxboundary=\S+[,|;]Evasion8Content-Type
2404RLmid%Evasion8URL|ARGS
2405RLdualEvasion2URL|ARGS
2406RLstrcmp(RCE8URL|ARGS
2407RLx(\\[0-7]{1,3}){3,}Evasion8BODY|URL|ARGS|HEADERS
2409RLx&#\d+;?Evasion0BODY|URL|ARGS|HEADERS|MLA
2411RLx(&#x[2-7]\w;(.|\s){0,50}){5,}Evasion0BODY|URL|ARGS|HEADERS|MLA
2413RLx(file|ftps?|https?)://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})Evasion12ARGS
2414RLx((merge.{0,50}?using\s*?\()|(execute\s*?immediate\s*?[\"'`])|(match\s*?[\w(),+-]+\s*?against\s*?\())RCE8ARGS|Cookie
2415RLdata:imageEvasion12URL
2416RLx(^|\W)(un)?hex\(Evasion12BODY|URL|ARGS|HEADERS
2700RL.exec(RCE12BODY|ARGS|Content-Type
2702RL/invoker/ejbinvokerservletOther12BODY|URL
2703RLservice:wanipconnection:Other12BODY
2704RL/struts2-blank/RCE12URL
2705RLx<[\s\+]*![\s\+]*(doctype|entity)[\s\+]+%*[\s\+]*[a-za-z1-9_-]*[\s\+]+systemOther12BODY
2706RLxmultipart/form-data;\s*boundary=[a-zA-Z0-9_-]{4000,}Other12Content-Type
2707RLjava.beans.eventhandlerRCE12BODY|ARGS
2708RLjava.lang.RCE12BODY|ARGS
2709RLtypo3_confOther12ARGS
2711RLx\(\s{0,50}\)\s{0,50}\{\s{0,50}\:Other12BODY|ARGS|HEADERS
2712RLname[0%20Other12BODY
2716RLxscript_fields.{0,50}import.{0,50}java\.utilRCE12BODY|ARGS
2717RLjava.io.RCE12BODY|ARGS
2718RLjava.util.RCE12BODY|ARGS
2719RLfill 'urlOther12BODY|URL|ARGS
2720RL$mftOther8BODY|ARGS
2721RLx\.\./|phpOther12ARGS|$URL:/components/com_hdflvplayer/hdflvplayer/download.php
2722RL.phOther12$URL:/uploader/server/php/
2723RLswp_url=httpOther12ARGS|$URL:/wp-admin/admin-post.php
2725RLsystem.listmethodsOther12$URL:/xmlrpc.php|BODY
2726RLsystem.getcapabilitiesOther12$URL:/xmlrpc.php|BODY
2727RLpingback.pingUWA12$URL:/xmlrpc.php|BODY
2728RLx['"`)][\s\+]*(OR|AND|\|\||\&\&)(\s+NOT)?[\s\+]+(.{1,25})[\s\+]*([\!\<\>]?\=|\<|\>)[\s\+]*(.{1,25})SQLi12BODY|URL|ARGS|User-agent
2729RLx(^|\W)((var)?char|chr)\W*=\W*["']SQLi12BODY|URL|ARGS|HEADERS
2730RLx(^|\W)name_const\(SQLi12BODY|URL|ARGS|HEADERS
2731WL%C0WL0Cookie
2733RLx\.([~-][\w]?|\$+)($|\s|\:)UWA12URL
2734RLx\w=\/(etc|usr|var|bin|sbin|lib|lib64|run|sys|dev|root|home|opt|srv|mnt)\/Other12BODY|ARGS
2735RLx(^|\W)draggable(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2736WLxFBCR\/(\&\#\d+\-)+WL0User-agent
2737RLxfilename\s*=\s*.+\.(php|pht|py|js\W|rb|pl|pm|cgi|aspx)Other8Content-Disposition
2738RLx(^|\W)xbshell\WOther12BODY|URL|ARGS|HEADERS
2739RLx(^|\W)union(\s|\+)+(all(\s|\+)+)?select\WSQLi12BODY|URL|ARGS|HEADERS
2740RLdeployment-config.jsonUWA12URL
2741RLftpsync.settingsUWA12URL
2742RLx(^|\W)convert\(SQLi12BODY|URL|ARGS|HEADERS
2743RLx(^|\W)(md5|crc32|sha1|hash|crypt)\(SQLi12BODY|URL|ARGS|HEADERS
2744RLx(^|\W)HashBytes\(SQLi12BODY|URL|ARGS|HEADERS
2745RLx(^|\W)extractvalue\(SQLi12BODY|URL|ARGS|HEADERS
2746RLxwaitfor(\s|\+)+delay\WSQLi12BODY|URL|ARGS|HEADERS
2747RLximg(\s|\+)*src=\"?(https?\:\/\/)?[\w|\.|\-|\/]+\.(txt|php|py|cgi|asp)RFI12BODY
2748RLeval-stdin.phpUWA12URL
2749RLx\s(OR|\|\||AND|\&\&)(\s*not)?\s*(['")]\w*['"(]|\w*)\s*[!]?=\s*(['")]\w*['"(]|\w*)\s*\-\-SQLi12BODY|URL|ARGS|User-agent
2750RL@pdiscoveryioScanner12User-agent
2751RLx(^|\W)function\(XSS12BODY|URL|ARGS|HEADERS
2752RLx(sql|old|bkp|bck|bckp|back|backup|archive)\.(zip|rar|7zip|bz2|gz|xz|lzma|tar|gz|tar\.gz)($|\s|\:)UWA12URL
2753RLx(^|\W)includecomponent\(RCE12BODY
2754RLx(^|\W)__schema\W*\{Other12BODY|ARGS
2755RLx\/\.\.[\;\+]UWA12URL
2756RLx(^|\W)script[\s\+]+xmlnsXSS12BODY|URL|ARGS|HEADERS
2757RLx(^|\W)tostring\(XSS12BODY|URL|ARGS|HEADERS
2758RLx(^|\W)shell_exec\(SQLi12BODY|URL|ARGS|HEADERS
2759RLx\=[\s\+]*\$\{\w+[\+\-\*\/]\w+\}RCE12BODY|ARGS
2760RLx(^|\W)nslookup\WRCE12BODY|URL|ARGS|HEADERS
2761RLx\|[\s\+]*([\/]*(\w|\.)+[\/]+)?(bash|perl|python|php)\WRCE8BODY|URL|ARGS|HEADERS
2762RLx(^|\W)gethostbyname\(RCE12BODY|URL|ARGS|HEADERS
2763RLx['"`)][\s\+]*(OR|AND|\|\||\&\&)(\s+NOT)?[\s\+\"\'\(\)]+(.{1,25})[\s\+\"\'\(\)]+([\!\<\>]?\=|\<|\>)[\s\+\"\'\(\)]+(.{1,25})SQLi12BODY|URL|ARGS|User-agent
2764WLx\w\-\-\wWL0BODY|URL|ARGS|HEADERS
2766RLxbxss\W*\.meScanner12BODY|URL|ARGS|HEADERS
2767RLsysdate(Injection12BODY|URL|ARGS|HEADERS
2768RLxon(waiting|pause|show|start|end|unload|drop|submit|close|after(print|scriptexecute)|contextmenu|cellchange)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2769RLxon(cuechange|(de)?activate|finish|fullscreenchange|hashchange|invalid|message|repeat)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2770RLxon(resize|scroll|search|seeked|seeking|timeupdate|touchend|touchmove|touchstart|volumechange)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2771RLxon(mozfullscreenchange|pagehide|pageshow|popstate|progress|readystatechange|transitioncancel|transitionrun|transitionstart|unhandledrejection)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2772RLxonwebkitanimation(end|iteration|start|end)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2773RLxonbefore((de)?activate|copy|cut|editfocus|paste|update|scriptexecute|input)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2774RLxonpointer(down|enter|leave|move|out|over|rawupdate|up)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2775RLxonanimation(cancel|iteration|start|end)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2776RLx(^|\W)strrev\(RCE12BODY|URL|ARGS|HEADERS
2777RLx(djy|qpy)l18\.comOther12ARGS
2778RLx(^|\W)execute\(RCE12BODY|URL|ARGS|HEADERS
2779RLx(^|\W)(atob|btoa)\(XSS12BODY|URL|ARGS|HEADERS
2780RLFuzz FasterScanner12User-agent
2781RLx(^|\W)get(Runtime|Response|Writer|Property|InputStream)\(RCE12BODY|Content-Type
2782RL.start(RCE12BODY|Content-Type
2783RLX-Scanner: NetsparkerScanner12X-Scanner
2784RLcodepoints-to-string(Injection12BODY|URL|ARGS|HEADERS
2785RLx(^|\W)substring\(Injection8BODY|URL|ARGS|HEADERS
2786RLstring-length(Injection12BODY|URL|ARGS|HEADERS
2787RLx(^|\W)starts-with\(Injection12BODY|URL|ARGS|HEADERS
2788RLx(^|\W)contains\(Injection8BODY|URL|ARGS|HEADERS
2789RLdb.collection.find(Injection12BODY|URL|ARGS|HEADERS
2790RLx(^|\W)match\(Injection8BODY|URL|ARGS|HEADERS
2791RLx(^|\W)document\[('|"|`)\w+('|"|`)\]XSS12BODY|URL|ARGS|HEADERS
2792RLknoxss.meScanner12BODY|URL|ARGS|HEADERS
2793RLx(^|\W)confirm(\.call)?\(XSS12BODY|URL|ARGS|HEADERS
2794RLx(^|\W)array\(RCE8BODY|URL|ARGS|HEADERS
2795RLarray_map(Injection12BODY|URL|ARGS|HEADERS
2796RLbase_convert(Injection12BODY|URL|ARGS|HEADERS
2797RLscaninfo@expanseinc.comScanner12User-agent
2798RL.xss.htScanner12BODY|URL|ARGS|HEADERS
2799RLx=\$\{\d+[+\-*%]\d+\}Injection8BODY|ARGS
2800RLload_file(SQLi12BODY|URL|ARGS|HEADERS
2801RLx(^|\W)start-sleep[\s\+]+\-RCE12BODY|URL|ARGS|HEADERS
2802RLx(^|\W)passthru\(RCE12BODY|URL|ARGS|HEADERS
2803RLx(^|\W)sleep\(RCE12BODY|URL|ARGS|HEADERS
2804RLx(^|\W)typeof\(RCE12BODY|URL|ARGS|HEADERS
2805RLx\Wisfinite\(RCE12BODY|URL|ARGS|HEADERS
2806RLx(^|\W)sleep[\s\+]+\dInjection8BODY|URL|ARGS|HEADERS
2807RLx(^|\W)prompt(\.call)?[(,`]XSS8BODY|URL|ARGS|HEADERS
2808RLx(^|\W)substr\(RCE8BODY|URL|ARGS|HEADERS
2809RLx(^|\W)ord\(Injection8BODY|URL|ARGS|HEADERS
2810RLx(^|\W)mid\(SQLi8BODY|URL|ARGS|HEADERS
2811RLx(^|\W)ifnull\(SQLi12BODY|URL|ARGS|HEADERS
2812RLx(^|\W)cast\(SQLi8BODY|URL|ARGS|HEADERS
2813RLx(^|\W)database\(SQLi8BODY|URL|ARGS|HEADERS
2814RLscaninfo@paloaltonetworks.comScanner12User-agent
2815RLx(^|\W)require\(Injection8BODY|URL|ARGS|HEADERS
2816RLx(^|\W)endianness\(RCE12BODY|URL|ARGS|HEADERS
2817RLcharCodeAt(XSS12BODY|URL|ARGS|HEADERS
2818RLx(^|\W)fillrect\(XSS12BODY|URL|ARGS|HEADERS
2819RLfromcharcode(XSS12BODY|URL|ARGS|HEADERS
2820RLx@Grab(Config|Resolver)?\(RCE12BODY|URL|ARGS|HEADERS
2821RLx(^|\W)r87\.(com|me)\WScanner12BODY|URL|ARGS|HEADERS
2822RLx(^|\W)echo(\s|\+)+\$\(OSCI8BODY|URL|ARGS|HEADERS
2823RLx(^|\W)echo(\s|\+)+(\-\w+(\s|\+)+)?[\'\"\`]OSCI8BODY|URL|ARGS|HEADERS
2824RLx(database|db|dump)\.tar(\.gz)?($|\s|\:)UWA12URL
2826RLx(^|\W)alert\.name\WXSS12BODY|URL|ARGS|HEADERS
2827RL.newInstance(SQLi12BODY|URL|ARGS|HEADERS
2828RL.forName(SQLi12BODY|URL|ARGS|HEADERS
2829RLxconfig\.inc(\.(bz2|gz|xz|tar(\.(bz2|gz|lzma|xz))?))?($|\s|\:)UWA12URL
2830RLxconfig\.(bz2|gz|xz|tar(\.(bz2|gz|lzma|xz))?)($|\s|\:)UWA12URL
2831WLOpen BSDWL0User-agent
2832RLx(^|\W)db.bz2($|\s|\:)UWA12URL
2833RLconfig_db.phpUWA12URL
2834RLx(^|\W)cat_code\WSQLi8BODY|URL|ARGS|HEADERS
2835RLx-wvs-idScanner12HEADERS
2836RLx(^|\W)(un)?escape\WXSS6BODY|URL|ARGS|HEADERS
2837WLx\$\{(ad_id|platform|campaign_id)\}WL0BODY|ARGS|HEADERS
2838RLx(^|\W)updatexml\(SQLi12BODY|URL|ARGS|HEADERS
2839RLx(^|\W)valueOf\W*(\(|\'|\"|.)XSS8BODY|URL|ARGS|HEADERS
2840RLJSON.stringify(XSS8BODY|URL|ARGS|HEADERS
2841RLx(^|\W)window\.[a-z]XSS4BODY|URL|ARGS|HEADERS
2842RLx(^|\W)(global|window)eventhandlers\.[a-z]XSS8BODY|URL|ARGS|HEADERS
2843RLx(^|\W)globalthis\WXSS6BODY|URL|ARGS|HEADERS
2844RLx(^|\W)fopen\(RCE8BODY|URL|ARGS|HEADERS
2845RLx(^|\W)f(write|puts)\(RCE8BODY|URL|ARGS|HEADERS
2846RLx(^|\W)printenv\WOSCI8BODY|URL|ARGS|HEADERS
2847WLgpg.keyWL0URL
2848RLx(^|\W)ini_set\(RCE12BODY|URL|ARGS|HEADERS
2849RLset_time_limit(RCE12BODY|URL|ARGS|HEADERS
2850RLx(^|\W)isset\(RCE8BODY|URL|ARGS|HEADERS
2851RL/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.phpUWA12URL
2852RL.interact.shScanner12BODY|URL|ARGS|HEADERS
2853RLreflect.apply(XSS8BODY|URL|ARGS|HEADERS
2854RLpromise.all(XSS8BODY|URL|ARGS|HEADERS
2855RL.then(alertXSS8BODY|URL|ARGS|HEADERS
2856RL/backup/UWA12URL
2857RL0x00Evasion4BODY|URL|ARGS|HEADERS
2858RLstring.fromcodepoint(XSS12BODY|URL|ARGS|HEADERS
2859RL.tolowercase(XSS8BODY|URL|ARGS|HEADERS
2860RLnetsystemsresearch.comScanner12User-agent
2861RLinternet-structure-research-project-botScanner12User-agent
2862RL/config.bak.phpUWA12URL
2863RLanonymousfox.coScanner12Referer
2864RLsystem.multicallOther12BODY|$URL:/xmlrpc.php
2865RLx\/wp-config\.(orig|txt|php[._](bak|old|new))UWA12URL
2866RLxjndi\:(dns|rmi|iiop|ldap)\:\/\/RCE12BODY|URL|ARGS|HEADERS
2867RLx\$\{(lower|upper)\:RCE8BODY|URL|ARGS|HEADERS
2868RLx\$[\\]?\{\:\:\-[jndilaprmso][\\]?\}RCE8BODY|URL|ARGS|HEADERS
2869RLx\$[\\]?\{env\:ENV_NAME\:\-[jndilaprmso][\\]?\}RCE8BODY|URL|ARGS|HEADERS
2870RLstr_pad(RCE8BODY|URL|ARGS|HEADERS
2871RLmysqli::RCE8BODY|URL|ARGS|HEADERS
2872RL/.aws/credentialsUWA12URL
2873RLx\.pydevproject($|\s|\:)UWA12URL
2874RLBluechipBacklinksScanner12User-agent
2875RLrookee.botScanner12User-agent
2876RLx(alfa_data|alfacgiapi|cgialfa)\/.{0,50}\.alfa($|\s|\/|\:)UWA12URL
2877RL.httpservletresponseRCE8BODY|Content-Type
2878RLx\/(db|backup|config)\d*\.(bz2|gz|tar|xz|lzma)($|\s|\:)UWA8URL
2879RLx(^|\W)var_dump\(RCE8BODY|URL|ARGS|HEADERS
2880RLwp_is_mobileScanner12User-agent
2881RLPHP/{5|6|7}Scanner12User-agent
2882RLclass.classloader.resources.dircontext.docbaseRCE8ARGS
2883RLgithub.com/gocollyScanner12User-agent
2884RL.get_host_address(SQLi12BODY|URL|ARGS|HEADERS
2885RLxCensysInspect|censys\.ioScanner12User-agent
2886RLx\.(git|svn)UWA8URL
2887RL.touppercase(XSS8BODY|URL|ARGS|HEADERS
2888RL0x[]RCE8BODY
2889RL0x[]=androxgh0stRCE12BODY
2890RLxwhile\s*\(RCE4BODY|URL|ARGS|HEADERS
2891RL.equals(RCE4BODY|URL|ARGS|HEADERS
2892RLclass.module.classLoaderRCE12BODY|URL|ARGS|HEADERS
2893RL.getInputStream(RCE8BODY|URL|ARGS|HEADERS
2894RL.getRuntime(RCE8BODY|URL|ARGS|HEADERS
2895RL.getParameter(RCE8BODY|URL|ARGS|HEADERS
2896RLx\.queryselector(all)?\(XSS8BODY|URL|ARGS|HEADERS
2897RLspringframework.context.support.FileSystemXmlApplicationContextRCE8BODY|URL|ARGS|HEADERS
2898RLxreflect\.(apply|cons|def|del|get|has|isext|own|prev|set)XSS4BODY|URL|ARGS|HEADERS
2899RLsort.callXSS2BODY|URL|ARGS|HEADERS
2900RLeval.applyXSS4BODY|URL|ARGS|HEADERS
2901RL.surf.ias-lab.deScanner12ARGS
2902RL.shift()XSS2BODY|URL|ARGS|HEADERS
2903RL.with(XSS2BODY|URL|ARGS|HEADERS
2904RL__class__RCE4BODY|ARGS|HEADERS
2905RLx(^|\W)(wget|curl)\WRCE2BODY|ARGS|Referer
2906RLx(^|\W)alert\WXSS4BODY|URL|ARGS|HEADERS
2907RL.getResource(RCE8BODY|URL|ARGS|HEADERS
2908RLx\{\s*php\s*\}RCE4BODY|URL|ARGS|HEADERS
2909RLfreemarker.template.utility.executeRCE8BODY
2910RLx(^|\W)window\[XSS4BODY|URL|ARGS|HEADERS
2911RLMakeViewVariableOptionalSolutionRCE12BODY
2912RLx(^|\W)attr\(XSS2BODY|URL|ARGS|HEADERS
2913RL@(Injection2BODY|URL|ARGS|HEADERS
2914RL{$Injection2BODY|URL|ARGS|HEADERS
2915RLx:[\/\\]+windows[\/\\]+UWA8BODY|URL|ARGS|HEADERS
2917RLx['"][\s+]*;[\s+]*return[\s+]Injection4BODY|URL|ARGS|HEADERS
2918RLx;[\s+]*([\/]([usrbinloca?]{3,5}[\/]){1,4})?([cat?]{3,3}|[les?]{4,4})[\s+]+[\/]?\w+Evasion2BODY|URL|ARGS|HEADERS
2919RLxecho[\s+]+varInjection4BODY|URL|ARGS|HEADERS
2920RLxexec[\s+]+cmdInjection4BODY|URL|ARGS|HEADERS
2921RLx(^|\W)location\.(ancestor|href|protocol|host|pathname|search|hash|origin)XSS12BODY|URL|ARGS|HEADERS
2922RL<%=Injection4BODY|URL|ARGS|HEADERS
2923RLxtop\[.{1,50}\]\(XSS8BODY|URL|ARGS|HEADERS
2924RL.map(XSS4BODY|URL|ARGS|HEADERS
2925RLx&([lr]par|quot|apos|grave|tab|nbsp);Evasion0BODY|URL|ARGS|HEADERS|MLA
2926RLx\/(etc|usr|var|bin|sbin)\/UWA2BODY|URL|ARGS|HEADERS
2927RL#{Injection2BODY|URL|ARGS
2928RLx\{\{[_]*self.*\}\}Injection8BODY|URL|ARGS|HEADERS
2929RLxondata(available|setchanged|setcomplete)?(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2930RLxondrag(end|enter|leave|start|over)?(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2931RLxonmove(end|start)?(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2932RLxonrow(enter|exit|s(delete|inserted))(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2933RLxon(load(start|eddata)?|focus(in|out)?|key(down|press|up)|pointer(over|enter|down|move|up|cancel|out|leave))(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2934RLdict://UWA8BODY|ARGS
2935RLsftp://UWA8BODY|ARGS
2936RLtftp://UWA8BODY|ARGS
2937RLldap://UWA8BODY|ARGS
2938RLgopher://UWA8BODY|ARGS
2939RLnetdoc://UWA8BODY|ARGS
2940RLx\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and|where):Injection4BODY|URL|ARGS|HEADERS
2941RLdb.injection.insert(Injection12BODY|URL|ARGS|HEADERS
2942RLx\.oast\.(me|pro)Scanner12BODY|URL|ARGS|HEADERS
2943RL*{Injection2BODY|URL|ARGS
2944RLBugBountyBotScanner12User-agent
2945RLx\$0\s*<<<\s*\$Evasion8BODY|URL|ARGS|HEADERS
2946RLconsole.log(XSS8BODY|URL|ARGS|HEADERS
2947RLnavigation.onnavigateXSS8BODY|URL|ARGS|HEADERS
2948RLdocument.queryselector(XSS8BODY|URL|ARGS|HEADERS
2949RL.setAttribute(XSS8BODY|URL|ARGS|HEADERS
2950RLjson_depth(SQLi8BODY|URL|ARGS|HEADERS
2951RLx(^|\W)printf\WOSCI8BODY|URL|ARGS|HEADERS
2952RLx-web-scanner-infoScanner8HEADERS
2953RL/(s(x))UWA2URL
2954RLx\|\s*set\sOSCI8BODY|URL|ARGS|HEADERS
2955RLx[^-:=\.\w\|]json_(array|contains_path|depth|extract|keys|length|object|quote|search|type|unquote|valid)[^-:=\.\w\|]SQLi4BODY|URL|ARGS|HEADERS
2956RL`id`OSCI4BODY|URL|ARGS|HEADERS
2957RLcurl_setopt(RCE8BODY|URL|ARGS|HEADERS
2958RLx(^|\W)stristr\(RCE8BODY|URL|ARGS|HEADERS
2959RLfile_get_contents(RCE8BODY|URL|ARGS|HEADERS
2960RLx\$_(GET|POST|FILES)\[RCE8BODY|URL|ARGS|HEADERS
2961RLg=echo Sp3ctra;UWA12Cookie
2962RLx{{\s*(\d+|'\d+')\s*[*+]\s*(\d+|'\d+')?\s*}}Injection8BODY|URL|ARGS
2963RLx{{\s*\d+\s*\|add:\s*\d+\s*}}Injection8BODY|URL|ARGS
2964RLx(^|\W)import\(XSS8BODY|URL|ARGS|HEADERS

Description:
RL - a blacklist rule ("x" - with regular expression).
WL - a whitelist rule ("x" - with regular expression).


Nemesida WAF
Protecting оnline stores, web portals, API and other web applications against hacker attacks using the Nemesida AI.