Na}{

File Content: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf

# ------------------------------------------------------------------------
# OWASP CRS ver.4.7.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#

SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#

#
# Session fixation
#
# -=[ References ]=-
# http://projects.webappsec.org/Session-Fixation
# http://projects.webappsec.org/w/page/13246960/Session%20Fixation
# http://capec.mitre.org/data/definitions/61.html
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
    "id:943100,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-fixation',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/21/593/61',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
    "id:943110,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\
    logdata:'Matched Data: %{TX.0} found within %{TX.943110_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-fixation',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/21/593/61',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.943110_matched_var_name=%{matched_var_name}',\
    chain"
    SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)/" \
        "capture,\
        chain"
        SecRule TX:1 "!@endsWith %{request_headers.host}" \
            "setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
            setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
    "id:943120,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\
    logdata:'Matched Data: %{TX.0} found within %{TX.943120_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-fixation',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/21/593/61',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.943120_matched_var_name=%{matched_var_name}',\
    chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" \
        "setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#

SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#

SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"

Name	Size	Permission
10_modsecurity_crs_10_config.conf	37009 bytes	0644
999_dreamhost_request_limits.conf	5308 bytes	0644
99_dreamhost_rules.conf	14332 bytes	0644
99_modsec-crs-setup.conf	32757 bytes	0644
REQUEST-00-LOCAL-WHITELIST.conf	9043 bytes	0644
REQUEST-901-INITIALIZATION.conf	14718 bytes	0644
REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf	13555 bytes	0644
REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf	25812 bytes	0644
REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf	10642 bytes	0644
REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf	7822 bytes	0644
REQUEST-905-COMMON-EXCEPTIONS.conf	1649 bytes	0644
REQUEST-911-METHOD-ENFORCEMENT.conf	2982 bytes	0644
REQUEST-913-SCANNER-DETECTION.conf	3622 bytes	0644
REQUEST-920-PROTOCOL-ENFORCEMENT.conf	64491 bytes	0644
REQUEST-921-PROTOCOL-ATTACK.conf	21029 bytes	0644
REQUEST-930-APPLICATION-ATTACK-LFI.conf	8134 bytes	0644
REQUEST-931-APPLICATION-ATTACK-RFI.conf	8932 bytes	0644
REQUEST-933-APPLICATION-ATTACK-PHP.conf	32894 bytes	0644
REQUEST-934-APPLICATION-ATTACK-NODEJS.conf	3927 bytes	0644
REQUEST-942-APPLICATION-ATTACK-SQLI.conf	96560 bytes	0644
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf	5628 bytes	0644
REQUEST-944-APPLICATION-ATTACK-JAVA.conf	22516 bytes	0644
REQUEST-949-BLOCKING-EVALUATION.conf	8176 bytes	0644
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf	4122 bytes	0644
WPtoolUA.data	318 bytes	0644
cachefly.ips.data	166 bytes	0644
crawlers-user-agents.data	786 bytes	0644
dh_whitelist_ip.data	0 bytes	0644
fastly.ips.data	189 bytes	0644
incapsula.ips.data	110 bytes	0644
java-classes.data	1826 bytes	0644
java-code-leakages.data	264 bytes	0644
java-errors.data	240 bytes	0644
lfi-os-files.data	11712 bytes	0644
maxcdn.ips.data	623 bytes	0644
mod_sec.conf	2078 bytes	0644
modsecurity_46_slr_et_joomla.data	1731 bytes	0644
modsecurity_46_slr_et_wordpress.data	1729 bytes	0644
php-config-directives.data	12725 bytes	0644
php-errors.data	75989 bytes	0644
php-function-names-933150.data	3414 bytes	0644
php-function-names-933151.data	38099 bytes	0644
php-variables.data	610 bytes	0644
restricted-files.data	4066 bytes	0644
restricted-upload.data	2513 bytes	0644
scanners-headers.data	216 bytes	0644
scanners-urls.data	418 bytes	0644
scanners-user-agents.data	1950 bytes	0644
scripting-user-agents.data	717 bytes	0644
sig_inspect.lua	68157 bytes	0644
spam-mailer.data	84 bytes	0644
sql-errors.data	4373 bytes	0644
staminus.ips.data	228 bytes	0644
unix-shell.data	7837 bytes	0644
windows-powershell-commands.data	7222 bytes	0644