1 )|(?:[^\w\s]\s*\/>)|(?:>")]]> finds html breaking injections including whitespace attacks xss csrf 4 2 \w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")]]> finds attribute breaking injections including whitespace attacks xss csrf 4 69 finds malicious attribute injection attempts xss csrf 6 3 [\w\s]*<\/?\w{2,}>)]]> finds unquoted attribute breaking injections xss csrf 2 4 ]\s*(?:location|referrer|name)\s*[^\/\w\s-])]]> Detects url-, name-, JSON, and referrer-contained payload attacks xss csrf 5 5 Detects hash-contained xss payload attacks, setter usage and property overloading xss csrf 5 6 Detects self contained xss via with(), common loops and regex to string conversion xss csrf 5 7 Detects JavaScript with(), ternary operators and XML predicate attacks xss csrf 5 8 Detects self-executing JavaScript functions xss csrf 5 9 Detects the IE octal, hex and unicode entities xss csrf 2 10 Detects basic directory traversal dt id lfi 5 11 Detects specific directory and path traversal dt id lfi 5 12 Detects etc/passwd inclusion attempts dt id lfi 5 13 Detects halfwidth/fullwidth encoded unicode HTML breaking attempts xss csrf 3 14 Detects possible includes and packed functions xss csrf id rfe 5 15 \-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+Events?|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|useragent)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]> Detects JavaScript DOM/miscellaneous properties and methods xss csrf id rfe 6 16 \-\|])(\s*return\s*)?(?:alert|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]> Detects possible includes and typical script methods xss csrf id rfe 5 17 \-\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%",.+\-]))]]> Detects JavaScript object properties and methods xss csrf id rfe 4 18 \-\|])(\s*return\s*)?(?:join|pop|push|reverse|shift|sp?lice|sort|unshift)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]> Detects JavaScript array properties and methods xss csrf id rfe 4 19 \-\|])(\s*return\s*)?(?:atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]> Detects JavaScript string properties and methods xss csrf id rfe 4 20 \-\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]> Detects JavaScript language constructs xss csrf id rfe 4 21 Detects very basic XSS probings xss csrf id rfe 3 22 Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces xss csrf id rfe 5 23 Detects JavaScript location/document property access and window access obfuscation xss csrf 5 24 Detects basic obfuscated JavaScript script injections xss csrf 5 25 Detects obfuscated JavaScript script injections xss csrf 5 26 Detects JavaScript cookie stealing and redirection attempts xss csrf 4 27 Detects data: URL injections and common URI schemes xss rfe 5 28 Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution xss rfe lfi csrf 5 29 Detects bindings and behavior injections xss csrf rfe 4 30 Detects common XSS concatenation patterns 1/2 xss csrf id rfe 4 31 Detects common XSS concatenation patterns 2/2 xss csrf id rfe 4 32 Detects possible event handlers xss csrf 4 33 ]*)t(?!rong))|(?:\ Detects obfuscated script tags and XML wrapped HTML xss 4 34 Detects attributes in closing tags and conditional compilation tokens xss csrf 4 35 )|(?:\/\*|\*\/)|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:)]]> Detects common comment types xss csrf id 3 36 )|(?:opera\s*\.\s*\w+\s*\()]]> Detects comments to exploit firefox' faulty rendering and proprietary opera attacks xss csrf id 3 37 Detects base href injections and XML entity injections xss csrf id 5 38 Detects possibly malicious html elements including some attributes xss csrf id rfe lfi 4 39 Detects nullbytes and HTTP response splitting id rfe xss 5 40 Detects MySQL comments, conditions and ch(a)r injections sqli id lfi 6 41 ~])|(?:if\s?\([\d\w]\s*[=<>~])]]> Detects conditional SQL injection attempts sqli id lfi 4 42 Detects classic SQL injection probings 1/2 sqli id lfi 6 43 %+-][\w-]+[^\w\s]+"[^,])]]> Detects classic SQL injection probings 2/2 sqli id lfi 6 44 =(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]> Detects basic SQL authentication bypass attempts 1/3 sqli id lfi 7 45 Detects basic SQL authentication bypass attempts 2/3 sqli id lfi 7 46 ^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]> Detects basic SQL authentication bypass attempts 3/3 sqli id lfi 7 47 "]\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)]]> Detects concatenated basic SQL injection and SQLLFI attempts sqli id lfi 5 48 Detects chained SQL injection attempts 1/2 sqli id 6 49 Detects chained SQL injection attempts 2/2 sqli id 6 50 Detects SQL benchmark and sleep injection attempts including conditional queries sqli id 4 51 Detects MySQL UDF injection and other data/structure manipulation attempts sqli id 6 52 Detects MySQL charset switch and MSSQL DoS attempts sqli id 6 53 Detects MySQL and PostgreSQL stored procedure/function injections sqli id 7 54 Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts sqli id 5 55 Detects MSSQL code execution and information gathering attempts sqli id 5 56 Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections sqli id 5 57 Detects MySQL comment-/space-obfuscated injections sqli id 5 58 )?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))|(?:;\s*\{\W*\w+\s*\()]]> Detects code injection attempts 1/3 id rfe lfi 7 59 Detects code injection attempts 2/3 id rfe lfi 7 60 Detects code injection attempts 3/3 id rfe lfi 7 61 Detects url injections and RFE attempts id rfe lfi 5 62 Detects common function declarations and special JS operators id rfe lfi 5 63 Detects common mail header injections id spam 5 64 Detects perl echo shellcode injection and LDAP vectors lfi rfe 5 65 Detects basic XSS DoS attempts rfe dos 5 67 Detects unknown attack vectors based on PHPIDS Centrifuge detection xss csrf id rfe lfi 7 68 ))]]> finds attribute breaking injections including obfuscated attributes xss csrf 4