Google Cloud Armor preconfigured WAF rules are complex web application firewall (WAF)
rules with dozens of signatures that are compiled from open source industry
standards. Each signature corresponds to an attack detection
rule in the ruleset. Google offers these rules as-is. The rules allow
Google Cloud Armor to evaluate dozens of distinct traffic signatures by
referring to conveniently named rules rather than requiring you to define
each signature manually.
Google Cloud Armor preconfigured WAF rules can be tuned to best suit your needs. For more
information about how to tune the rules, see
Tune Google Cloud Armor preconfigured WAF rules.
The following table contains a comprehensive list of preconfigured WAF rules
that are available for use in a Google Cloud Armor security policy. The
rule sources are ModSecurity Core Rule Set (CRS) 3.0 and
CRS 3.3.
We recommend that you use version 3.3 for increased sensitivity and for an
increased breadth of protected attack types. Support for CRS 3.0 is ongoing.
CRS 3.3
| Google Cloud Armor rule name | ModSecurity rule name | Current status |
| --- | --- | --- |
| SQL injection | sqli-v33-stable | In sync with sqli-v33-canary |
|  | sqli-v33-canary | Latest |
| Cross-site scripting | xss-v33-stable | In sync with xss-v33-canary |
|  | xss-v33-canary | Latest |
| Local file inclusion | lfi-v33-stable | In sync with lfi-v33-canary |
|  | lfi-v33-canary | Latest |
| Remote file inclusion | rfi-v33-stable | In sync with rfi-v33-canary |
|  | rfi-v33-canary | Latest |
| Remote code execution | rce-v33-stable | In sync with rce-v33-canary |
|  | rce-v33-canary | Latest |
| Method enforcement | methodenforcement-v33-stable | In sync with methodenforcement-v33-canary |
|  | methodenforcement-v33-canary | Latest |
| Scanner detection | scannerdetection-v33-stable | In sync with scannerdetection-v33-canary |
|  | scannerdetection-v33-canary | Latest |
| Protocol attack | protocolattack-v33-stable | In sync with protocolattack-v33-canary |
|  | protocolattack-v33-canary | Latest |
| PHP injection attack | php-v33-stable | In sync with php-v33-canary |
|  | php-v33-canary | Latest |
| Session fixation attack | sessionfixation-v33-stable | In sync with sessionfixation-v33-canary |
|  | sessionfixation-v33-canary | Latest |
| Java attack | java-v33-stable | In sync with java-v33-canary |
|  | java-v33-canary | Latest |
| NodeJS attack | nodejs-v33-stable | In sync with nodejs-v33-canary |
|  | nodejs-v33-canary | Latest |
CRS 3.0
| Google Cloud Armor rule name | ModSecurity rule name | Current status |
| --- | --- | --- |
| SQL injection | sqli-stable | In sync with sqli-canary |
|  | sqli-canary | Latest |
| Cross-site scripting | xss-stable | In sync with xss-canary |
|  | xss-canary | Latest |
| Local file inclusion | lfi-stable | In sync with lfi-canary |
|  | lfi-canary | Latest |
| Remote file inclusion | rfi-stable | In sync with rfi-canary |
|  | rfi-canary | Latest |
| Remote code execution | rce-stable | In sync with rce-canary |
|  | rce-canary | Latest |
| Method enforcement | methodenforcement-stable | In sync with methodenforcement-canary |
|  | methodenforcement-canary | Latest |
| Scanner detection | scannerdetection-stable | In sync with scannerdetection-canary |
|  | scannerdetection-canary | Latest |
| Protocol attack | protocolattack-stable | In sync with protocolattack-canary |
|  | protocolattack-canary | Latest |
| PHP injection attack | php-stable | In sync with php-canary |
|  | php-canary | Latest |
| Session fixation attack | sessionfixation-stable | In sync with sessionfixation-canary |
|  | sessionfixation-canary | Latest |
| Java attack | Not included |  |
| NodeJS attack | Not included |  |
In addition, the following cve-canary rules are available to all
Google Cloud Armor customers to help detect and optionally block the
following vulnerabilities:
- CVE-2021-44228 and CVE-2021-45046 Log4j RCE vulnerabilities
- 942550-sqli JSON-formatted content vulnerability

| Google Cloud Armor rule name | Covered vulnerability types |
| --- | --- |
| cve-canary | Log4j vulnerability |
| json-sqli-canary | JSON-based SQL injection bypass vulnerability |
Each preconfigured WAF rule has a sensitivity level that corresponds to a
ModSecurity
paranoia level.
A lower sensitivity level indicates a higher confidence signature, which is less
likely to generate a false positive. A higher sensitivity level increases
security, but also increases the risk of generating a false positive.
SQL injection (SQLi)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the SQLi preconfigured WAF rule.
CRS 3.3
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030301-id942100-sqli | 1 | SQL Injection Attack Detected via libinjection |
| owasp-crs-v030301-id942140-sqli | 1 | SQL injection attack: Common DB Names Detected |
| owasp-crs-v030301-id942160-sqli | 1 | Detects blind SQLi tests using sleep() or benchmark() |
| owasp-crs-v030301-id942170-sqli | 1 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| owasp-crs-v030301-id942190-sqli | 1 | Detects MSSQL code execution and information gathering attempts |
| owasp-crs-v030301-id942220-sqli | 1 | Looks for integer overflow attacks |
| owasp-crs-v030301-id942230-sqli | 1 | Detects conditional SQL injection attempts |
| owasp-crs-v030301-id942240-sqli | 1 | Detects MySQL charset switch and MSSQL DoS attempts |
| owasp-crs-v030301-id942250-sqli | 1 | Detects MATCH AGAINST |
| owasp-crs-v030301-id942270-sqli | 1 | Looks for basic SQL injection; common attack string for MySql |
| owasp-crs-v030301-id942280-sqli | 1 | Detects Postgres pg_sleep injection |
| owasp-crs-v030301-id942290-sqli | 1 | Finds basic MongoDB SQL injection attempts |
| owasp-crs-v030301-id942320-sqli | 1 | Detects MySQL and PostgreSQL stored procedure/function injections |
| owasp-crs-v030301-id942350-sqli | 1 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| owasp-crs-v030301-id942360-sqli | 1 | Detects concatenated basic SQL injection and SQLLFI attempts |
| owasp-crs-v030301-id942500-sqli | 1 | MySQL in-line comment detected |
| owasp-crs-v030301-id942110-sqli | 2 | SQL injection attack: Common Injection Testing Detected |
| owasp-crs-v030301-id942120-sqli | 2 | SQL injection attack: SQL Operator Detected |
| owasp-crs-v030301-id942130-sqli | 2 | SQL Injection Attack: SQL Tautology Detected |
| owasp-crs-v030301-id942150-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942180-sqli | 2 | Detects basic SQL authentication bypass attempts 1/3 |
| owasp-crs-v030301-id942200-sqli | 2 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| owasp-crs-v030301-id942210-sqli | 2 | Detects chained SQL injection attempts 1/2 |
| owasp-crs-v030301-id942260-sqli | 2 | Detects basic SQL authentication bypass attempts 2/3 |
| owasp-crs-v030301-id942300-sqli | 2 | Detects MySQL comments |
| owasp-crs-v030301-id942310-sqli | 2 | Detects chained SQL injection attempts 2/2 |
| owasp-crs-v030301-id942330-sqli | 2 | Detects classic SQL injection probings 1/2 |
| owasp-crs-v030301-id942340-sqli | 2 | Detects basic SQL authentication bypass attempts 3/3 |
| owasp-crs-v030301-id942361-sqli | 2 | Detects basic SQL injection based on keyword alter or union |
| owasp-crs-v030301-id942370-sqli | 2 | Detects classic SQL injection probings 2/3 |
| owasp-crs-v030301-id942380-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942390-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942400-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942410-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942470-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942480-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942430-sqli | 2 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| owasp-crs-v030301-id942440-sqli | 2 | SQL Comment Sequence Detected |
| owasp-crs-v030301-id942450-sqli | 2 | SQL Hex Encoding Identified |
| owasp-crs-v030301-id942510-sqli | 2 | SQLi bypass attempt by ticks or backticks detected |
| owasp-crs-v030301-id942251-sqli | 3 | Detects HAVING injections |
| owasp-crs-v030301-id942490-sqli | 3 | Detects classic SQL injection probings 3/3 |
| owasp-crs-v030301-id942420-sqli | 3 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| owasp-crs-v030301-id942431-sqli | 3 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| owasp-crs-v030301-id942460-sqli | 3 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| owasp-crs-v030301-id942101-sqli | 3 | SQL Injection Attack Detected via libinjection |
| owasp-crs-v030301-id942511-sqli | 3 | SQLi bypass attempt by ticks detected |
| owasp-crs-v030301-id942421-sqli | 4 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
| owasp-crs-v030301-id942432-sqli | 4 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
CRS 3.0
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| Not included | 1 | SQL Injection Attack Detected via libinjection |
| owasp-crs-v030001-id942140-sqli | 1 | SQL injection attack: Common DB Names Detected |
| owasp-crs-v030001-id942160-sqli | 1 | Detects blind SQLi tests using sleep() or benchmark() |
| owasp-crs-v030001-id942170-sqli | 1 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| owasp-crs-v030001-id942190-sqli | 1 | Detects MSSQL code execution and information gathering attempts |
| owasp-crs-v030001-id942220-sqli | 1 | Looks for integer overflow attacks |
| owasp-crs-v030001-id942230-sqli | 1 | Detects conditional SQL injection attempts |
| owasp-crs-v030001-id942240-sqli | 1 | Detects MySQL charset switch and MSSQL DoS attempts |
| owasp-crs-v030001-id942250-sqli | 1 | Detects MATCH AGAINST |
| owasp-crs-v030001-id942270-sqli | 1 | Looks for basic SQL injection; common attack string for MySql |
| owasp-crs-v030001-id942280-sqli | 1 | Detects Postgres pg_sleep injection |
| owasp-crs-v030001-id942290-sqli | 1 | Finds basic MongoDB SQL injection attempts |
| owasp-crs-v030001-id942320-sqli | 1 | Detects MySQL and PostgreSQL stored procedure/function injections |
| owasp-crs-v030001-id942350-sqli | 1 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| owasp-crs-v030001-id942360-sqli | 1 | Detects concatenated basic SQL injection and SQLLFI attempts |
| Not included | 1 | MySQL in-line comment detected |
| owasp-crs-v030001-id942110-sqli | 2 | SQL injection attack: Common Injection Testing Detected |
| owasp-crs-v030001-id942120-sqli | 2 | SQL injection attack: SQL Operator Detected |
| Not included | 2 | SQL Injection Attack: SQL Tautology Detected |
| owasp-crs-v030001-id942150-sqli | 2 | SQL injection attack |
| owasp-crs-v030001-id942180-sqli | 2 | Detects basic SQL authentication bypass attempts 1/3 |
| owasp-crs-v030001-id942200-sqli | 2 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| owasp-crs-v030001-id942210-sqli | 2 | Detects chained SQL injection attempts 1/2 |
| owasp-crs-v030001-id942260-sqli | 2 | Detects basic SQL authentication bypass attempts 2/3 |
| owasp-crs-v030001-id942300-sqli | 2 | Detects MySQL comments |
| owasp-crs-v030001-id942310-sqli | 2 | Detects chained SQL injection attempts 2/2 |
| owasp-crs-v030001-id942330-sqli | 2 | Detects classic SQL injection probings 1/2 |
| owasp-crs-v030001-id942340-sqli | 2 | Detects basic SQL authentication bypass attempts 3/3 |
| Not included | 2 | Detects basic SQL injection based on keyword alter or union |
| Not included | 2 | Detects classic SQL injection probings 2/3 |
| owasp-crs-v030001-id942380-sqli | 2 | SQL injection attack |
| owasp-crs-v030001-id942390-sqli | 2 | SQL injection attack |
| owasp-crs-v030001-id942400-sqli | 2 | SQL injection attack |
| owasp-crs-v030001-id942410-sqli | 2 | SQL injection attack |
| Not included | 2 | SQL injection attack |
| Not included | 2 | SQL injection attack |
| owasp-crs-v030001-id942430-sqli | 2 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| owasp-crs-v030001-id942440-sqli | 2 | SQL Comment Sequence Detected |
| owasp-crs-v030001-id942450-sqli | 2 | SQL Hex Encoding Identified |
| Not included | 2 | SQLi bypass attempt by ticks or backticks detected |
| owasp-crs-v030001-id942251-sqli | 3 | Detects HAVING injections |
| Not included | 2 | Detects classic SQL injection probings 3/3 |
| owasp-crs-v030001-id942420-sqli | 3 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| owasp-crs-v030001-id942431-sqli | 3 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| owasp-crs-v030001-id942460-sqli | 3 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| Not included | 3 | SQL Injection Attack Detected via libinjection |
| Not included | 3 | SQLi bypass attempt by ticks detected |
| owasp-crs-v030001-id942421-sqli | 4 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
| owasp-crs-v030001-id942432-sqli | 4 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr()
to disable signatures at greater sensitivity
levels.
SQLi sensitivity level 1:

    evaluatePreconfiguredExpr('sqli-v33-stable',
      ['owasp-crs-v030301-id942110-sqli',
       'owasp-crs-v030301-id942120-sqli',
       'owasp-crs-v030301-id942130-sqli',
       'owasp-crs-v030301-id942150-sqli',
       'owasp-crs-v030301-id942180-sqli',
       'owasp-crs-v030301-id942200-sqli',
       'owasp-crs-v030301-id942210-sqli',
       'owasp-crs-v030301-id942260-sqli',
       'owasp-crs-v030301-id942300-sqli',
       'owasp-crs-v030301-id942310-sqli',
       'owasp-crs-v030301-id942330-sqli',
       'owasp-crs-v030301-id942340-sqli',
       'owasp-crs-v030301-id942361-sqli',
       'owasp-crs-v030301-id942370-sqli',
       'owasp-crs-v030301-id942380-sqli',
       'owasp-crs-v030301-id942390-sqli',
       'owasp-crs-v030301-id942400-sqli',
       'owasp-crs-v030301-id942410-sqli',
       'owasp-crs-v030301-id942470-sqli',
       'owasp-crs-v030301-id942480-sqli',
       'owasp-crs-v030301-id942430-sqli',
       'owasp-crs-v030301-id942440-sqli',
       'owasp-crs-v030301-id942450-sqli',
       'owasp-crs-v030301-id942510-sqli',
       'owasp-crs-v030301-id942251-sqli',
       'owasp-crs-v030301-id942490-sqli',
       'owasp-crs-v030301-id942420-sqli',
       'owasp-crs-v030301-id942431-sqli',
       'owasp-crs-v030301-id942460-sqli',
       'owasp-crs-v030301-id942101-sqli',
       'owasp-crs-v030301-id942511-sqli',
       'owasp-crs-v030301-id942421-sqli',
       'owasp-crs-v030301-id942432-sqli']
    )

SQLi sensitivity level 2:

    evaluatePreconfiguredExpr('sqli-v33-stable',
      ['owasp-crs-v030301-id942251-sqli',
       'owasp-crs-v030301-id942490-sqli',
       'owasp-crs-v030301-id942420-sqli',
       'owasp-crs-v030301-id942431-sqli',
       'owasp-crs-v030301-id942460-sqli',
       'owasp-crs-v030301-id942101-sqli',
       'owasp-crs-v030301-id942511-sqli',
       'owasp-crs-v030301-id942421-sqli',
       'owasp-crs-v030301-id942432-sqli']
    )

SQLi sensitivity level 3:

    evaluatePreconfiguredExpr('sqli-v33-stable',
      ['owasp-crs-v030301-id942421-sqli',
       'owasp-crs-v030301-id942432-sqli']
    )

SQLi sensitivity level 4:

    evaluatePreconfiguredExpr('sqli-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf()
with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
CRS 3.3
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 3}) |
| 4 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 4}) |

CRS 3.0
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 3}) |
| 4 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 4}) |

Cross-site scripting (XSS)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the XSS preconfigured WAF rule.
CRS 3.3
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030301-id941100-xss | 1 | XSS Attack Detected via libinjection |
| owasp-crs-v030301-id941110-xss | 1 | XSS Filter - Category 1: Script Tag Vector |
| owasp-crs-v030301-id941120-xss | 1 | XSS Filter - Category 2: Event Handler Vector |
| owasp-crs-v030301-id941130-xss | 1 | XSS Filter - Category 3: Attribute Vector |
| owasp-crs-v030301-id941140-xss | 1 | XSS Filter - Category 4: JavaScript URI Vector |
| owasp-crs-v030301-id941160-xss | 1 | NoScript XSS InjectionChecker: HTML Injection |
| owasp-crs-v030301-id941170-xss | 1 | NoScript XSS InjectionChecker: Attribute Injection |
| owasp-crs-v030301-id941180-xss | 1 | Node-Validator Blacklist Keywords |
| owasp-crs-v030301-id941190-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941200-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941210-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941220-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941230-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941240-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941250-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941260-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941270-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941280-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941290-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941300-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941310-xss | 1 | US-ASCII Malformed Encoding XSS Filter - Attack Detected |
| owasp-crs-v030301-id941350-xss | 1 | UTF-7 Encoding IE XSS - Attack Detected |
| owasp-crs-v030301-id941360-xss | 1 | Hieroglyphy obfuscation detected |
| owasp-crs-v030301-id941370-xss | 1 | JavaScript global variable found |
| owasp-crs-v030301-id941101-xss | 2 | XSS Attack Detected via libinjection |
| owasp-crs-v030301-id941150-xss | 2 | XSS Filter - Category 5: Disallowed HTML Attributes |
| owasp-crs-v030301-id941320-xss | 2 | Possible XSS Attack Detected - HTML Tag Handler |
| owasp-crs-v030301-id941330-xss | 2 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941340-xss | 2 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941380-xss | 2 | AngularJS client side template injection detected |
CRS 3.0
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| Not included | 1 | XSS Attack Detected via libinjection |
| owasp-crs-v030001-id941110-xss | 1 | XSS Filter - Category 1: Script Tag Vector |
| owasp-crs-v030001-id941120-xss | 1 | XSS Filter - Category 2: Event Handler Vector |
| owasp-crs-v030001-id941130-xss | 1 | XSS Filter - Category 3: Attribute Vector |
| owasp-crs-v030001-id941140-xss | 1 | XSS Filter - Category 4: JavaScript URI Vector |
| owasp-crs-v030001-id941160-xss | 1 | NoScript XSS InjectionChecker: HTML Injection |
| owasp-crs-v030001-id941170-xss | 1 | NoScript XSS InjectionChecker: Attribute Injection |
| owasp-crs-v030001-id941180-xss | 1 | Node-Validator Blacklist Keywords |
| owasp-crs-v030001-id941190-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941200-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941210-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941220-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941230-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941240-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941250-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941260-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941270-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941280-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941290-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941300-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941310-xss | 1 | US-ASCII Malformed Encoding XSS Filter - Attack Detected |
| owasp-crs-v030001-id941350-xss | 1 | UTF-7 Encoding IE XSS - Attack Detected |
| Not included | 1 | JSFuck / Hieroglyphy obfuscation detected |
| Not included | 1 | JavaScript global variable found |
| Not included | 2 | XSS Attack Detected via libinjection |
| owasp-crs-v030001-id941150-xss | 2 | XSS Filter - Category 5: Disallowed HTML Attributes |
| owasp-crs-v030001-id941320-xss | 2 | Possible XSS Attack Detected - HTML Tag Handler |
| owasp-crs-v030001-id941330-xss | 2 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941340-xss | 2 | IE XSS Filters - Attack Detected |
| Not included | 2 | AngularJS client side template injection detected |
You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr()
to disable signatures at greater sensitivity
levels.
XSS sensitivity level 1:

    evaluatePreconfiguredExpr('xss-v33-stable',
      ['owasp-crs-v030301-id941101-xss',
       'owasp-crs-v030301-id941150-xss',
       'owasp-crs-v030301-id941320-xss',
       'owasp-crs-v030301-id941330-xss',
       'owasp-crs-v030301-id941340-xss',
       'owasp-crs-v030301-id941380-xss'
      ])

All signatures for XSS are at or below sensitivity level 2. The following
configuration works for other sensitivity levels:

XSS sensitivity level 2:

    evaluatePreconfiguredExpr('xss-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf()
with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
CRS 3.3
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 2}) |

CRS 3.0
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('xss-stable', {'sensitivity': 1}) |

Local file inclusion (LFI)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the LFI preconfigured WAF rule.
CRS 3.3
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030301-id930100-lfi | 1 | Path Traversal Attack (/../) |
| owasp-crs-v030301-id930110-lfi | 1 | Path Traversal Attack (/../) |
| owasp-crs-v030301-id930120-lfi | 1 | OS File Access Attempt |
| owasp-crs-v030301-id930130-lfi | 1 | Restricted File Access Attempt |

CRS 3.0
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030001-id930100-lfi | 1 | Path Traversal Attack (/../) |
| owasp-crs-v030001-id930110-lfi | 1 | Path Traversal Attack (/../) |
| owasp-crs-v030001-id930120-lfi | 1 | OS File Access Attempt |
| owasp-crs-v030001-id930130-lfi | 1 | Restricted File Access Attempt |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr()
to disable signatures at greater sensitivity
levels. All signatures for LFI are at sensitivity level 1. The following
configuration works for all sensitivity levels:
LFI sensitivity level 1:

    evaluatePreconfiguredExpr('lfi-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf()
with a preset sensitivity parameter. All
signatures for LFI are at sensitivity level 1. The following configuration
works for all sensitivity levels:
CRS 3.3
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('lfi-v33-stable', {'sensitivity': 1}) |

CRS 3.0
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('lfi-stable', {'sensitivity': 1}) |

Remote code execution (RCE)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the RCE preconfigured WAF rule.
CRS 3.3
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030301-id932100-rce | 1 | UNIX Command Injection |
| owasp-crs-v030301-id932105-rce | 1 | UNIX Command Injection |
| owasp-crs-v030301-id932110-rce | 1 | Windows Command Injection |
| owasp-crs-v030301-id932115-rce | 1 | Windows Command Injection |
| owasp-crs-v030301-id932120-rce | 1 | Windows PowerShell Command Found |
| owasp-crs-v030301-id932130-rce | 1 | Unix Shell Expression Found |
| owasp-crs-v030301-id932140-rce | 1 | Windows FOR/IF Command Found |
| owasp-crs-v030301-id932150-rce | 1 | Direct UNIX Command Execution |
| owasp-crs-v030301-id932160-rce | 1 | UNIX Shell Code Found |
| owasp-crs-v030301-id932170-rce | 1 | Shellshock (CVE-2014-6271) |
| owasp-crs-v030301-id932171-rce | 1 | Shellshock (CVE-2014-6271) |
| owasp-crs-v030301-id932180-rce | 1 | Restricted File Upload Attempt |
| owasp-crs-v030301-id932200-rce | 2 | RCE Bypass Technique |
| owasp-crs-v030301-id932106-rce | 3 | Remote Command Execution: Unix Command Injection |
| owasp-crs-v030301-id932190-rce | 3 | Remote Command Execution: Wildcard bypass technique attempt |

CRS 3.0
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030001-id932100-rce | 1 | UNIX Command Injection |
| owasp-crs-v030001-id932105-rce | 1 | UNIX Command Injection |
| owasp-crs-v030001-id932110-rce | 1 | Windows Command Injection |
| owasp-crs-v030001-id932115-rce | 1 | Windows Command Injection |
| owasp-crs-v030001-id932120-rce | 1 | Windows PowerShell Command Found |
| owasp-crs-v030001-id932130-rce | 1 | Unix Shell Expression Found |
| owasp-crs-v030001-id932140-rce | 1 | Windows FOR/IF Command Found |
| owasp-crs-v030001-id932150-rce | 1 | Direct UNIX Command Execution |
| owasp-crs-v030001-id932160-rce | 1 | UNIX Shell Code Found |
| owasp-crs-v030001-id932170-rce | 1 | Shellshock (CVE-2014-6271) |
| owasp-crs-v030001-id932171-rce | 1 | Shellshock (CVE-2014-6271) |
| Not included | 1 | Restricted File Upload Attempt |
| Not included | 2 | RCE Bypass Technique |
| Not included | 3 | Remote Command Execution: Unix Command Injection |
| Not included | 3 | Remote Command Execution: Wildcard bypass technique attempt |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr()
to disable signatures at greater sensitivity
levels. The following configuration works for all sensitivity levels:
RCE sensitivity level 1:

    evaluatePreconfiguredExpr('rce-v33-stable',
      ['owasp-crs-v030301-id932200-rce',
       'owasp-crs-v030301-id932106-rce',
       'owasp-crs-v030301-id932190-rce'])

RCE sensitivity level 2:

    evaluatePreconfiguredExpr('rce-v33-stable',
      ['owasp-crs-v030301-id932106-rce',
       'owasp-crs-v030301-id932190-rce'])

RCE sensitivity level 3:

    evaluatePreconfiguredExpr('rce-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf()
with a preset sensitivity parameter. All
signatures for RCE are at sensitivity level 1. The following configuration works
for all sensitivity levels:
CRS 3.3
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 3}) |

CRS 3.0
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 3}) |

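
The evaluatePreconfiguredExpr() exclusion lists in this section follow from the signature table: every signature above the target sensitivity level is disabled. The following Python script is an added example, not Google's code; its function names are hypothetical, and the signature IDs and levels are copied from the CRS 3.3 RCE table above. It generates the expression for a given level and audits a hand-maintained exclusion list for entries that would silently disable a lower-level signature or that do not exist in the rule set.

```python
import re

# Signature ID -> sensitivity level, copied from the CRS 3.3 RCE table on this page.
RCE_V33 = {
    "owasp-crs-v030301-id932100-rce": 1,
    "owasp-crs-v030301-id932105-rce": 1,
    "owasp-crs-v030301-id932110-rce": 1,
    "owasp-crs-v030301-id932115-rce": 1,
    "owasp-crs-v030301-id932120-rce": 1,
    "owasp-crs-v030301-id932130-rce": 1,
    "owasp-crs-v030301-id932140-rce": 1,
    "owasp-crs-v030301-id932150-rce": 1,
    "owasp-crs-v030301-id932160-rce": 1,
    "owasp-crs-v030301-id932170-rce": 1,
    "owasp-crs-v030301-id932171-rce": 1,
    "owasp-crs-v030301-id932180-rce": 1,
    "owasp-crs-v030301-id932200-rce": 2,
    "owasp-crs-v030301-id932106-rce": 3,
    "owasp-crs-v030301-id932190-rce": 3,
}

# Shape of a signature ID, an assumption inferred from the IDs listed on this page.
SIGNATURE_ID = re.compile(r"owasp-crs-v\d{6}-id\d{6}-[a-z]+")

# Constructed sample: a hand-edited exclusion list meant for sensitivity level 1.
HAND_WRITTEN = [
    "owasp-crs-v030301-id932200-rce",
    "owasp-crs-v030301-id932106-rce",
    "owasp-crs-v030301-id932100-rce",  # level 1 signature, should stay enabled
    "owasp-crs-v030301-id932109-rce",  # well-formed but not in the table
    "owasp-crs-v030301-id93219-rce",   # malformed (one digit short)
]


def excluded_signatures(signatures, level):
    """IDs to disable so that only signatures at or below `level` run (table order)."""
    if level < 1:
        raise ValueError("sensitivity levels start at 1")
    return [sid for sid, sensitivity in signatures.items() if sensitivity > level]


def exclusion_expr(rule_set, signatures, level):
    """Build the evaluatePreconfiguredExpr() form for a sensitivity level."""
    excluded = excluded_signatures(signatures, level)
    if not excluded:
        return f"evaluatePreconfiguredExpr('{rule_set}')"
    ids = ", ".join(f"'{sid}'" for sid in excluded)
    return f"evaluatePreconfiguredExpr('{rule_set}', [{ids}])"


def sensitivity_expr(rule_set, level):
    """Build the equivalent evaluatePreconfiguredWaf() form."""
    return f"evaluatePreconfiguredWaf('{rule_set}', {{'sensitivity': {level}}})"


def audit_exclusions(signatures, level, excluded):
    """Compare a hand-maintained exclusion list with the signature table.

    malformed     entries that do not look like signature IDs
    unknown       well-formed IDs that are not part of this rule set
    coverage_gap  IDs at or below `level` that the list would disable
    still_enabled IDs above `level` that the list leaves enabled
    """
    listed = list(dict.fromkeys(excluded))  # drop duplicates, keep order
    well_formed = [s for s in listed if SIGNATURE_ID.fullmatch(s)]
    return {
        "malformed": [s for s in listed if s not in well_formed],
        "unknown": [s for s in well_formed if s not in signatures],
        "coverage_gap": [s for s in well_formed
                         if s in signatures and signatures[s] <= level],
        "still_enabled": [s for s in excluded_signatures(signatures, level)
                          if s not in listed],
    }


if __name__ == "__main__":
    for lvl in (1, 2, 3):
        print(exclusion_expr("rce-v33-stable", RCE_V33, lvl))
        print(sensitivity_expr("rce-v33-stable", lvl))
    for finding, ids in audit_exclusions(RCE_V33, 1, HAND_WRITTEN).items():
        print(finding, ids)
```

A non-empty `coverage_gap` is the finding to act on first, because it means a high-confidence signature has been turned off while the policy still appears to run at the intended level.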
Remote file inclusion (RFI)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the RFI preconfigured WAF rule.
CRS 3.3
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030301-id931100-rfi | 1 | URL Parameter using IP Address |
| owasp-crs-v030301-id931110-rfi | 1 | Common RFI Vulnerable Parameter Name used w/URL Payload |
| owasp-crs-v030301-id931120-rfi | 1 | URL Payload Used w/Trailing Question Mark Character (?) |
| owasp-crs-v030301-id931130-rfi | 2 | Off-Domain Reference/Link |

CRS 3.0
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030001-id931100-rfi | 1 | URL Parameter using IP Address |
| owasp-crs-v030001-id931110-rfi | 1 | Common RFI Vulnerable Parameter Name used w/URL Payload |
| owasp-crs-v030001-id931120-rfi | 1 | URL Payload Used w/Trailing Question Mark Character (?) |
| owasp-crs-v030001-id931130-rfi | 2 | Off-Domain Reference/Link |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr()
to disable signatures at greater sensitivity
levels.
RFI sensitivity level 1:

    evaluatePreconfiguredExpr('rfi-v33-stable', ['owasp-crs-v030301-id931130-rfi'])

All signatures for RFI are at or below sensitivity level 2. The following
configuration works for other sensitivity levels:

RFI sensitivity level 2:

    evaluatePreconfiguredExpr('rfi-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf()
with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
CRS 3.3
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 2}) |

CRS 3.0
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('rfi-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('rfi-stable', {'sensitivity': 2}) |

Method enforcement
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the method enforcement preconfigured
rule.
CRS 3.3
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030301-id911100-methodenforcement | 1 | Method is not allowed by policy |

CRS 3.0
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030001-id911100-methodenforcement | 1 | Method is not allowed by policy |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr()
to disable signatures at greater sensitivity
levels. All signatures for Method Enforcement are at sensitivity level 1. The
following configuration works for other sensitivity levels:
Method Enforcement sensitivity level 1:

    evaluatePreconfiguredExpr('methodenforcement-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf()
with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
CRS 3.3
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) |

CRS 3.0
| Sensitivity level | Expression |
| --- | --- |
| 1 | evaluatePreconfiguredWaf('methodenforcement-stable', {'sensitivity': 1}) |

Scanner detection
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the scanner detection preconfigured
rule.
CRS 3.3
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030301-id913100-scannerdetection | 1 | Found User-Agent associated with security scanner |
| owasp-crs-v030301-id913110-scannerdetection | 1 | Found request header associated with security scanner |
| owasp-crs-v030301-id913120-scannerdetection | 1 | Found request filename/argument associated with security scanner |
| owasp-crs-v030301-id913101-scannerdetection | 2 | Found User-Agent associated with scripting/generic HTTP client |
| owasp-crs-v030301-id913102-scannerdetection | 2 | Found User-Agent associated with web crawler/bot |

CRS 3.0
| Signature ID (Rule ID) | Sensitivity level | Description |
| --- | --- | --- |
| owasp-crs-v030001-id913100-scannerdetection | 1 | Found User-Agent associated with security scanner |
| owasp-crs-v030001-id913110-scannerdetection | 1 | Found request header associated with security scanner |
| owasp-crs-v030001-id913120-scannerdetection | 1 | Found request filename/argument associated with security scanner |
| owasp-crs-v030001-id913101-scannerdetection | 2 | Found User-Agent associated with scripting/generic HTTP client |
| owasp-crs-v030001-id913102-scannerdetection | 2 | Found User-Agent associated with web crawler/bot |

You can configure a rule at a particular sensitivity level by using
evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels.
Scanner Detection sensitivity level 1 |
evaluatePreconfiguredExpr('scannerdetection-v33-stable',
['owasp-crs-v030301-id913101-scannerdetection',
'owasp-crs-v030301-id913102-scannerdetection']
)
|
Scanner Detection sensitivity level 2 |
evaluatePreconfiguredExpr('scannerdetection-v33-stable')
|
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
CRS 3.3
Sensitivity level |
Expression |
1 |
evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 1}) |
2 |
evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 2}) |
CRS 3.0
Sensitivity level |
Expression |
1 |
evaluatePreconfiguredWaf('scannerdetection-stable', {'sensitivity': 1}) |
2 |
evaluatePreconfiguredWaf('scannerdetection-stable', {'sensitivity': 2}) |
Protocol attack
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the protocol attack preconfigured
rule.
CRS 3.3
Signature ID (Rule ID) |
Sensitivity level |
Description |
Not included |
1 |
HTTP Request Smuggling Attack |
owasp-crs-v030301-id921110-protocolattack |
1 |
HTTP Request Smuggling Attack |
owasp-crs-v030301-id921120-protocolattack |
1 |
HTTP Response Splitting Attack |
owasp-crs-v030301-id921130-protocolattack |
1 |
HTTP Response Splitting Attack |
owasp-crs-v030301-id921140-protocolattack |
1 |
HTTP Header Injection Attack via headers |
owasp-crs-v030301-id921150-protocolattack |
1 |
HTTP Header Injection Attack via payload (CR/LF detected) |
owasp-crs-v030301-id921160-protocolattack |
1 |
HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
owasp-crs-v030301-id921190-protocolattack |
1 |
HTTP Splitting (CR/LF in request filename detected) |
owasp-crs-v030301-id921200-protocolattack |
1 |
LDAP Injection Attack |
owasp-crs-v030301-id921151-protocolattack |
2 |
HTTP Header Injection Attack via payload (CR/LF detected) |
owasp-crs-v030301-id921170-protocolattack |
3 |
HTTP Parameter Pollution |
CRS 3.0
Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id921100-protocolattack |
1 |
HTTP Request Smuggling Attack |
owasp-crs-v030001-id921110-protocolattack |
1 |
HTTP Request Smuggling Attack |
owasp-crs-v030001-id921120-protocolattack |
1 |
HTTP Response Splitting Attack |
owasp-crs-v030001-id921130-protocolattack |
1 |
HTTP Response Splitting Attack |
owasp-crs-v030001-id921140-protocolattack |
1 |
HTTP Header Injection Attack via headers |
owasp-crs-v030001-id921150-protocolattack |
1 |
HTTP Header Injection Attack via payload (CR/LF detected) |
owasp-crs-v030001-id921160-protocolattack |
1 |
HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
Not included |
1 |
HTTP Splitting (CR/LF in request filename detected) |
Not included |
1 |
LDAP Injection Attack |
owasp-crs-v030001-id921151-protocolattack |
2 |
HTTP Header Injection Attack via payload (CR/LF detected) |
owasp-crs-v030001-id921170-protocolattack |
3 |
HTTP Parameter Pollution |
You can configure a rule at a particular sensitivity level by using
evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels.
Protocol Attack sensitivity level 1 |
evaluatePreconfiguredExpr('protocolattack-v33-stable',
['owasp-crs-v030301-id921151-protocolattack',
'owasp-crs-v030301-id921170-protocolattack']
)
|
Protocol Attack sensitivity level 2 |
evaluatePreconfiguredExpr('protocolattack-v33-stable',
['owasp-crs-v030301-id921170-protocolattack']
)
|
Protocol Attack sensitivity level 3 |
evaluatePreconfiguredExpr('protocolattack-v33-stable')
|
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
CRS 3.3
Sensitivity level |
Expression |
1 |
evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 1}) |
2 |
evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 2}) |
3 |
evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 3}) |
CRS 3.0
Sensitivity level |
Expression |
1 |
evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 1}) |
2 |
evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 2}) |
3 |
evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 3}) |
PHP
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the PHP preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030301-id933100-php |
1 |
PHP Injection Attack: PHP Open Tag Found |
owasp-crs-v030301-id933110-php |
1 |
PHP Injection Attack: PHP Script File Upload Found |
owasp-crs-v030301-id933120-php |
1 |
PHP Injection Attack: Configuration Directive Found |
owasp-crs-v030301-id933130-php |
1 |
PHP Injection Attack: Variables Found |
owasp-crs-v030301-id933140-php |
1 |
PHP Injection Attack: I/O Stream Found |
owasp-crs-v030301-id933200-php |
1 |
PHP Injection Attack: Wrapper scheme detected |
owasp-crs-v030301-id933150-php |
1 |
PHP Injection Attack: High-Risk PHP Function Name Found |
owasp-crs-v030301-id933160-php |
1 |
PHP Injection Attack: High-Risk PHP Function Call Found |
owasp-crs-v030301-id933170-php |
1 |
PHP Injection Attack: Serialized Object Injection |
owasp-crs-v030301-id933180-php |
1 |
PHP Injection Attack: Variable Function Call Found |
owasp-crs-v030301-id933210-php |
1 |
PHP Injection Attack: Variable Function Call Found |
owasp-crs-v030301-id933151-php |
2 |
PHP Injection Attack: Medium-Risk PHP Function Name Found |
owasp-crs-v030301-id933131-php |
3 |
PHP Injection Attack: Variables Found |
owasp-crs-v030301-id933161-php |
3 |
PHP Injection Attack: Low-Value PHP Function Call Found |
owasp-crs-v030301-id933111-php |
3 |
PHP Injection Attack: PHP Script File Upload Found |
owasp-crs-v030301-id933190-php |
3 |
PHP Injection Attack: PHP Closing Tag Found |
CRS 3.0
Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id933100-php |
1 |
PHP Injection Attack: PHP Open Tag Found |
owasp-crs-v030001-id933110-php |
1 |
PHP Injection Attack: PHP Script File Upload Found |
owasp-crs-v030001-id933120-php |
1 |
PHP Injection Attack: Configuration Directive Found |
owasp-crs-v030001-id933130-php |
1 |
PHP Injection Attack: Variables Found |
owasp-crs-v030001-id933140-php |
1 |
PHP Injection Attack: I/O Stream Found |
Not included |
1 |
PHP Injection Attack: Wrapper scheme detected |
owasp-crs-v030001-id933150-php |
1 |
PHP Injection Attack: High-Risk PHP Function Name Found |
owasp-crs-v030001-id933160-php |
1 |
PHP Injection Attack: High-Risk PHP Function Call Found |
owasp-crs-v030001-id933170-php |
1 |
PHP Injection Attack: Serialized Object Injection |
owasp-crs-v030001-id933180-php |
1 |
PHP Injection Attack: Variable Function Call Found |
Not included |
1 |
PHP Injection Attack: Variable Function Call Found |
owasp-crs-v030001-id933151-php |
2 |
PHP Injection Attack: Medium-Risk PHP Function Name Found |
owasp-crs-v030001-id933131-php |
3 |
PHP Injection Attack: Variables Found |
owasp-crs-v030001-id933161-php |
3 |
PHP Injection Attack: Low-Value PHP Function Call Found |
owasp-crs-v030001-id933111-php |
3 |
PHP Injection Attack: PHP Script File Upload Found |
Not included |
3 |
PHP Injection Attack: PHP Closing Tag Found |
You can configure a rule at a particular sensitivity level by using
evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels.
PHP Injection Attack sensitivity level 1 |
evaluatePreconfiguredExpr('php-v33-stable',
['owasp-crs-v030301-id933151-php',
'owasp-crs-v030301-id933131-php',
'owasp-crs-v030301-id933161-php',
'owasp-crs-v030301-id933111-php',
'owasp-crs-v030301-id933190-php']
)
|
PHP Injection Attack sensitivity level 2 |
evaluatePreconfiguredExpr('php-v33-stable',
['owasp-crs-v030301-id933131-php',
'owasp-crs-v030301-id933161-php',
'owasp-crs-v030301-id933111-php',
'owasp-crs-v030301-id933190-php'])
|
PHP Injection Attack sensitivity level 3 |
evaluatePreconfiguredExpr('php-v33-stable')
|
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
CRS 3.3
Sensitivity level |
Expression |
1 |
evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 1}) |
2 |
evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 2}) |
3 |
evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 3}) |
CRS 3.0
Sensitivity level |
Expression |
1 |
evaluatePreconfiguredWaf('php-stable', {'sensitivity': 1}) |
2 |
evaluatePreconfiguredWaf('php-stable', {'sensitivity': 2}) |
3 |
evaluatePreconfiguredWaf('php-stable', {'sensitivity': 3}) |
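The PHP CRS 3.3 tables above, as an added example that is not part of the Google Cloud Armor documentation: this Python sketch derives the evaluatePreconfiguredExpr() exclusion list for a target sensitivity level from the signature table and checks a hand-written expression against it. The helper names and the sample expression are constructed for illustration.

```python
import re

# PHP CRS 3.3 rule numbers grouped by sensitivity level, copied from the
# signature table on this page (table order is preserved).
PHP_V33_LEVELS = {
    1: "933100 933110 933120 933130 933140 933200 933150 933160 933170 933180 933210",
    2: "933151",
    3: "933131 933161 933111 933190",
}
PHP_V33 = {
    f"owasp-crs-v030301-id{num}-php": level
    for level, nums in PHP_V33_LEVELS.items()
    for num in nums.split()
}

# Constructed sample: a hand-written level 2 expression with one mistyped
# version prefix and two level 3 signatures left out of the exclusion list.
SAMPLE_EXPR = (
    "evaluatePreconfiguredExpr('php-v33-stable', "
    "['owasp-crs-v0303001-id933131-php', 'owasp-crs-v030301-id933190-php'])"
)


def exclusions_for(signatures, level):
    """Signature IDs to disable so only signatures at or below `level` run."""
    return [sid for sid, sens in signatures.items() if sens > level]


def build_expr(ruleset, signatures, level):
    """Render the evaluatePreconfiguredExpr() expression for a target level."""
    excluded = exclusions_for(signatures, level)
    if not excluded:
        return f"evaluatePreconfiguredExpr('{ruleset}')"
    ids = ", ".join(f"'{sid}'" for sid in excluded)
    return f"evaluatePreconfiguredExpr('{ruleset}', [{ids}])"


def lint_expr(expr, signatures, level):
    """Compare a hand-written expression with the table for a target level."""
    quoted = re.findall(r"'([^']+)'", expr)
    excluded = set(quoted[1:])  # quoted[0] is the rule set name
    known = set(signatures)
    wanted = set(exclusions_for(signatures, level))
    return {
        # Excluded IDs that match no signature in the table (usually a typo).
        "unknown": sorted(excluded - known),
        # Higher-sensitivity signatures that no valid exclusion covers.
        "still_enabled": sorted(wanted - excluded),
        # Signatures at or below the target level that were disabled.
        "over_excluded": sorted((excluded & known) - wanted),
    }


if __name__ == "__main__":
    print(build_expr("php-v33-stable", PHP_V33, 2))
    print(lint_expr(SAMPLE_EXPR, PHP_V33, 2))
```

The same functions work for any other rule set on this page once its signature table is transcribed into the same level-to-IDs form.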
Session fixation
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the session fixation preconfigured
rule.
CRS 3.3
Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030301-id943100-sessionfixation |
1 |
Possible Session Fixation Attack: Setting Cookie Values in HTML |
owasp-crs-v030301-id943110-sessionfixation |
1 |
Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
owasp-crs-v030301-id943120-sessionfixation |
1 |
Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
CRS 3.0
Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id943100-sessionfixation |
1 |
Possible Session Fixation Attack: Setting Cookie Values in HTML |
owasp-crs-v030001-id943110-sessionfixation |
1 |
Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
owasp-crs-v030001-id943120-sessionfixation |
1 |
Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
You can configure a rule at a particular sensitivity level by using
evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels. All signatures for session fixation are at sensitivity level 1. The
following configuration works for all sensitivity levels:
Session Fixation sensitivity level 1 |
evaluatePreconfiguredExpr('sessionfixation-v33-stable')
|
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All
signatures for session fixation are at sensitivity level 1. The following
configuration works for all sensitivity levels:
CRS 3.3
Sensitivity level |
Expression |
1 |
evaluatePreconfiguredWaf('sessionfixation-v33-stable', {'sensitivity': 1}) |
CRS 3.0
Sensitivity level |
Expression |
1 |
evaluatePreconfiguredWaf('sessionfixation-stable', {'sensitivity': 1}) |
Java attack
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the Java attack preconfigured
rule.
CRS 3.3
Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030301-id944100-java |
1 |
Remote Command Execution: Suspicious Java class detected |
owasp-crs-v030301-id944110-java |
1 |
Remote Command Execution: Java process spawn (CVE-2017-9805) |
owasp-crs-v030301-id944120-java |
1 |
Remote Command Execution: Java serialization (CVE-2015-4852) |
owasp-crs-v030301-id944130-java |
1 |
Suspicious Java class detected |
owasp-crs-v030301-id944200-java |
2 |
Magic bytes detected, probable Java serialization in use |
owasp-crs-v030301-id944210-java |
2 |
Magic bytes detected Base64 encoded, probable Java serialization in use |
owasp-crs-v030301-id944240-java |
2 |
Remote Command Execution: Java serialization (CVE-2015-4852) |
owasp-crs-v030301-id944250-java |
2 |
Remote Command Execution: Suspicious Java method detected |
owasp-crs-v030301-id944300-java |
3 |
Base64 encoded string matched suspicious keyword |
CRS 3.0
Signature ID (Rule ID) |
Sensitivity level |
Description |
Not included |
1 |
Remote Command Execution: Suspicious Java class detected |
Not included |
1 |
Remote Command Execution: Java process spawn (CVE-2017-9805) |
Not included |
1 |
Remote Command Execution: Java serialization (CVE-2015-4852) |
Not included |
1 |
Suspicious Java class detected |
Not included |
2 |
Magic bytes detected, probable Java serialization in use |
Not included |
2 |
Magic bytes detected Base64 encoded, probable Java serialization in use |
Not included |
2 |
Remote Command Execution: Java serialization (CVE-2015-4852) |
Not included |
2 |
Remote Command Execution: Suspicious Java method detected |
Not included |
3 |
Base64 encoded string matched suspicious keyword |
You can configure a rule at a particular sensitivity level by using
evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels.
Java attack sensitivity level 1 |
evaluatePreconfiguredExpr('java-v33-stable',
['owasp-crs-v030301-id944200-java',
'owasp-crs-v030301-id944210-java',
'owasp-crs-v030301-id944240-java',
'owasp-crs-v030301-id944250-java',
'owasp-crs-v030301-id944300-java'])
|
Java attack sensitivity level 2 |
evaluatePreconfiguredExpr('java-v33-stable',
['owasp-crs-v030301-id944300-java'])
|
Java attack sensitivity level 3 |
evaluatePreconfiguredExpr('java-v33-stable')
|
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
Sensitivity level |
Expression |
1 |
evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 1}) |
2 |
evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 2}) |
3 |
evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 3}) |
NodeJS attack
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the NodeJS attack preconfigured
rule.
The following preconfigured WAF rule signatures are only included in CRS
3.3.
CRS 3.3
Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030301-id934100-nodejs |
1 |
Node.js Injection Attack |
CRS 3.0
Signature ID (Rule ID) |
Sensitivity level |
Description |
Not included |
1 |
Node.js Injection Attack |
You can configure a rule at a particular sensitivity level by using
evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels. All signatures for NodeJS attack are at sensitivity level 1. The
following configuration works for other sensitivity levels:
NodeJS sensitivity level 1 |
evaluatePreconfiguredExpr('nodejs-v33-stable')
|
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All
signatures for NodeJS attack are at sensitivity level 1. The following
configuration works for other sensitivity levels:
Sensitivity level |
Expression |
1 |
evaluatePreconfiguredWaf('nodejs-v33-stable', {'sensitivity': 1}) |
CVEs and other vulnerabilities
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the CVE Log4j RCE vulnerability
preconfigured rule.
Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id044228-cve |
1 |
Base rule to help detect exploit attempts of CVE-2021-44228
& CVE-2021-45046 |
owasp-crs-v030001-id144228-cve |
1 |
Google-provided enhancements to cover more bypass and obfuscation attempts |
owasp-crs-v030001-id244228-cve |
3 |
Increased sensitivity of detection to target even more bypass and
obfuscation attempts, with nominal increase in risk of false positive detection |
owasp-crs-v030001-id344228-cve |
3 |
Increased sensitivity of detection to target even more bypass and
obfuscation attempts using base64 encoding, with nominal increase in risk of false positive detection |
You can configure a rule at a particular sensitivity level by using
evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels.
CVE sensitivity level 1 |
evaluatePreconfiguredExpr('cve-canary', ['owasp-crs-v030001-id244228-cve',
'owasp-crs-v030001-id344228-cve'])
|
CVE sensitivity level 3 |
evaluatePreconfiguredExpr('cve-canary')
|
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
Sensitivity level |
Expression |
1 |
evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 1}) |
2 |
evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 2}) |
3 |
evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 3}) |
JSON-formatted content SQLi vulnerability
The following table provides the signature ID, sensitivity level, and
description of the supported signature 942550-sqli, which covers the
vulnerability in which attackers can bypass the WAF by appending JSON syntax
to SQL injection payloads.
Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-id942550-sqli |
2 |
Detects all JSON-based SQLi vectors, including SQLi signatures
found in the URL |
Use the following expression to deploy the signature:
evaluatePreconfiguredWaf('json-sqli-canary', {'sensitivity':0, 'opt_in_rule_ids': ['owasp-crs-id942550-sqli']})
We recommend that you also enable sqli-v33-stable at sensitivity level 2 to
fully address JSON-based SQL injection bypasses.
Limitations
Google Cloud Armor preconfigured WAF rules have the following limitations:
- Among the HTTP request types with a request body, Google Cloud Armor
  processes only POST requests. Google Cloud Armor evaluates preconfigured
  rules against the first 8 KB of POST body content. For more information,
  see POST body inspection limitation.
- Google Cloud Armor can parse and apply preconfigured WAF rules when JSON
  parsing is enabled with a matching Content-Type header value. For more
  information, see JSON parsing.
What's next