{"filters":{"filter":[{"id":"1","rule":"(?:\"[^\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\\/>)|(?:>\")","description":"finds html breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"2","rule":"(?:\"+.*[<=]\\s*\"[^\"]+\")|(?:\"\\w+\\s*=)|(?:>\\w=\\\/)|(?:#.+\\)[\"\\s]*>)|(?:\"\\s*(?:src|style|on\\w+)\\s*=\\s*\")|(?:[^\"]?\"[,;\\s]+\\w*[\\[\\(])","description":"finds attribute breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"69","rule":"(?:[\\s\\d\\\/\"]+(?:on\\w+|style|poster|background)=[$\"\\w])","description":"finds malicious attribute injection attempts","tags":{"tag":["xss","csrf"]},"impact":"6"},{"id":"3","rule":"(?:^>[\\w\\s]*<\\\/?\\w{2,}>)","description":"finds unquoted attribute breaking injections","tags":{"tag":["xss","csrf"]},"impact":"2"},{"id":"4","rule":"(?:[+\\\/]\\s*name[\\W\\d]*[)+])|(?:;\\W*url\\s*=)|(?:[^\\w\\s\\\/?:>]\\s*(?:location|referrer|name)\\s*[^\\\/\\w\\s-])","description":"Detects url-, name-, JSON, and referrer-contained payload attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"5","rule":"(?:\\W\\s*hash\\s*[^\\w\\s-])|(?:\\w+=\\W*[^,]*,[^\\s(]\\s*\\()|(?:\\?\"[^\\s\"]\":)|(?:(?<!\\\/)__[a-z]+__)|(?:(?:^|[\\s)\\]\\}])(?:s|g)etter\\s*=)","description":"Detects hash-contained xss payload attacks, setter usage and property overloading","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"6","rule":"(?:with\\s*\\(\\s*.+\\s*\\)\\s*\\w+\\s*\\()|(?:(?:do|while|for)\\s*\\([^)]*\\)\\s*\\{)|(?:\\\/[\\w\\s]*\\[\\W*\\w)","description":"Detects self contained xss via with(), common loops and regex to string conversion","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"7","rule":"(?:[=(].+\\?.+:)|(?:with\\([^)]*\\)\\))|(?:\\.\\s*source\\W)","description":"Detects JavaScript with(), ternary operators and XML predicate attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"8","rule":"(?:\\\/\\w*\\s*\\)\\s*\\()|(?:\\(.*\\\/.+\\\/\\w*\\s*\\))|(?:\\([\\w\\s]+\\([\\w\\s]+\\)[\\w\\s]+\\))|(?:(?<!(?:mozilla\\\/\\d\\.\\d\\s))\\([^)[]+\\[[^\\]]+\\][^)]*\\))|(?:[^\\s!][{([][^({[]+[{([][^}\\])]+[}\\])][\\s+\",\\d]*[}\\])])|(?:\"\\)?\\]\\W*\\[)|(?:=\\s*[^\\s:;]+\\s*[{([][^}\\])]+[}\\])];)","description":"Detects self-executing JavaScript functions","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"9","rule":"(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\\d{2,3})","description":"Detects the IE octal, hex and unicode entities","tags":{"tag":["xss","csrf"]},"impact":"2"},{"id":"10","rule":"(?:(?:\\\/|\\\\)?\\.+(\\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\\/[\\w*-]+\\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\\/(?:%2e){2})","description":"Detects basic directory traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"11","rule":"(?:%c0%ae\\\/)|(?:(?:\\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\\/|\\\\))|(?:(?:\\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)","description":"Detects specific directory and path traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"12","rule":"(?:etc\\\/\\W*passwd)","description":"Detects etc\/passwd inclusion attempts","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"13","rule":"(?:%u(?:ff|00|e\\d)\\w\\w)|(?:(?:%(?:e\\w|c[^3\\W]|))(?:%\\w\\w)(?:%\\w\\w)?)","description":"Detects halfwidth\/fullwidth encoded unicode HTML breaking attempts","tags":{"tag":["xss","csrf"]},"impact":"3"},{"id":"14","rule":"(?:#@~\\^\\w+)|(?:\\w+script:|@import[^\\w]|;base64|base64,)|(?:\\w+\\s*\\([\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+\\))","description":"Detects possible includes, VBSCript\/JScript encodeed and packed functions","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"id":"15","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@>\\-\\|])(\\s*return\\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\\wettimeout|option|useragent)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.+\\-]))","description":"Detects JavaScript DOM\/miscellaneous properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"6"},{"id":"16","rule":"([^*\\s\\w,.\\\/?+-]\\s*)?(?<![a-mo-z]>])(\\s*return\\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.:\\\/+\\-]))","description":"Detects possible includes and typical script methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"id":"17","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>])(\\s*return\\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\\w%\"]|(?:\\s*[^@\\\/\\s\\w%.+\\-]))","description":"Detects JavaScript object properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"18","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>\\-\\|])(\\s*return\\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))","description":"Detects JavaScript array properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"19","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>\\-\\|])(\\s*return\\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\\w+codeuri\\w*)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))","description":"Detects JavaScript string properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"20","rule":"(?:\\)\\s*\\[)|(?:\\\/\\w*\\s*\\)\\s*\\W)|([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>\\|])(\\s*return\\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\".+\\-]))","description":"Detects JavaScript language constructs","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"21","rule":"(?:,\\s*(?:alert|showmodaldialog|eval)\\s*,)|(?::\\s*eval\\s*[^\\s])|([^:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z\\\/_@]>]*)t(?!rong))|(?:\\<scri)|(<\\w+:\\w+)","description":"Detects obfuscated script tags and XML wrapped HTML","tags":{"tag":"xss"},"impact":"4"},{"id":"34","rule":"(?:\\<\\\/\\w+\\s\\w+)|(?:@(?:cc_on|set)[\\s@,\"=])","description":"Detects attributes in closing tags and conditional compilation tokens","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"35","rule":"(?:--[^\\n]*$)|(?:\\<!-|-->)|(?:[^*]\\\/\\*|\\*\\\/[^*])|(?:(?:[\\W\\d]#|--|{)$)|(?:\\\/{3,}.*$)|(?:<!\\[\\W)|(?:\\]!>)","description":"Detects common comment types","tags":{"tag":["xss","csrf","id"]},"impact":"3"},{"id":"37","rule":"(?:\\<base\\s+)|(?:<!(?:element|entity|\\[CDATA))","description":"Detects base href injections and XML entity injections","tags":{"tag":["xss","csrf","id"]},"impact":"5"},{"id":"38","rule":"(?:\\<[\\\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\\w+|image|im(?:g|port)))","description":"Detects possibly malicious html elements including some attributes","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"4"},{"id":"39","rule":"(?:\\\\x[01fe][\\db-ce-f])|(?:%[01fe][\\db-ce-f])|(?:&#[01fe][\\db-ce-f])|(?:\\\\[01fe][\\db-ce-f])|(?:&#x[01fe][\\db-ce-f])","description":"Detects nullbytes and other dangerous characters","tags":{"tag":["id","rfe","xss"]},"impact":"5"},{"id":"40","rule":"(?:\\)\\s*when\\s*\\d+\\s*then)|(?:\"\\s*(?:#|--|{))|(?:\\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*\\(\\s*\\d)|(?:(?:(n?and|x?or|not)\\s+|\\|\\||\\&\\&)\\s*\\w+\\()","description":"Detects MySQL comments, conditions and ch(a)r injections","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"41","rule":"(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])","description":"Detects conditional SQL injection attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"42","rule":"(?:\"\\s*or\\s*\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\".+(?<!\\\\)\")|(?:(?:^[\"\\\\]*(?:[\\d\"]+|[^\"]+\"))+\\s*(?:n?and|x?or|not|\\|\\||\\&\\&)\\s*[\\w\"[+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*[|-]\\s*\"\\s*\\w)|(?:@\\w+\\s+(and|or)\\s*[\"\\d]+)|(?:@[\\w-]+\\s(and|or)\\s*[^\\w\\s])|(?:[^\\w\\s:]\\s*\\d\\W+[^\\w\\s]\\s*\".)","description":"Detects classic SQL injection probings 1\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"43","rule":"(?:\"\\s*\\*.+(?:or|id)\\W*\"\\d)|(?:\\^\")|(?:^[\\w\\s\"-]+(?<=and\\s)(?<=or\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:\"[\\s\\d]*[^\\w\\s]+\\W*\\d\\W*.*[\"\\d])|(?:\"\\s*[^\\w\\s?]+\\s*[^\\w\\s]+\\s*\")|(?:\"\\s*[^\\w\\s]+\\s*[\\W\\d].*(?:#|--))|(?:\".*\\*\\s*\\d)|(?:\"\\s*or\\s[\\w-]+.*\\d)|(?:[()*<>%+-][\\w-]+[^\\w\\s]+\"[^,])","description":"Detects classic SQL injection probings 2\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"44","rule":"(?:\\d\"\\s+\"\\s+\\d)|(?:^admin\\s*\"|(\\\/\\*)+\"+\\s?(?:--|#|\\\/\\*|{)?)|(?:\"\\s*or[\\w\\s-]+\\s*[+<>=(),-]\\s*[\\d\"])|(?:\"\\s*[^\\w\\s]?=\\s*\")|(?:\"\\W*[+=]+\\W*\")|(?:\"\\s*[!=|][\\d\\s!=+-]+.*[\"(].*$)|(?:\"\\s*[!=|][\\d\\s!=]+.*\\d+$)|(?:\"\\s*like\\W+[\\w\"(])|(?:\\sis\\s*0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:\"[<>~]+\")","description":"Detects basic SQL authentication bypass attempts 1\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"45","rule":"(?:union\\s*(?:all|distinct|[(!@]*)?\\s*[([]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,-]+from)","description":"Detects basic SQL authentication bypass attempts 2\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"46","rule":"(?:in\\s*\\(+\\s*select)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*\\(|sounds\\s+like\\s*\"|[=\\d]+x))|(\"\\s*\\d\\s*(?:--|#))|(?:\"[%&<>^=]+\\d\\s*(=|or))|(?:\"\\W+[\\w+-]+\\s*=\\s*\\d\\W+\")|(?:\"\\s*is\\s*\\d.+\"?\\w)|(?:\"\\|?[\\w-]{3,}[^\\w\\s.,]+\")|(?:\"\\s*is\\s*[\\d.]+\\s*\\W.*\")","description":"Detects basic SQL authentication bypass attempts 3\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"47","rule":"(?:[\\d\\W]\\s+as\\s*[\"\\w]+\\s*from)|(?:^[\\W\\d]+\\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:concat|char|load_file)\\s?\\(?)|(?:end\\s*\\);)|(\"\\s+regexp\\W)|(?:[\\s(]load_file\\s*\\()","description":"Detects concatenated basic SQL injection and SQLLFI attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"5"},{"id":"48","rule":"(?:\\d+\\s*or\\s*\\d+\\s*[\\-+])|(?:\\\/\\w+;?\\s+(?:having|and|or|select))|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s*\\w{2,})|(?:[^\\w]SET\\s*@\\w+)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*[!=+]+[\\s\\d]*[\"=()])","description":"Detects chained SQL injection attempts 1\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"49","rule":"(?:\"\\s+and\\s*=\\W)|(?:\\(\\s*select\\s*\\w+\\s*\\()|(?:\\*\\\/from)|(?:\\+\\s*\\d+\\s*\\+\\s*@)|(?:\\w\"\\s*(?:[-+=|@]+\\s*)+[\\d(])|(?:coalesce\\s*\\(|@@\\w+\\s*[^\\w\\s])|(?:\\W!+\"\\w)|(?:\";\\s*(?:if|while|begin))|(?:\"[\\s\\d]+=\\s*\\d)|(?:order\\s+by\\s+if\\w*\\s*\\()|(?:[\\s(]+case\\d*\\W.+[tw]hen[\\s(])","description":"Detects chained SQL injection attempts 2\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"50","rule":"(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*\\(?\\s*\\w+)","description":"Detects SQL benchmark and sleep injection attempts including conditional queries","tags":{"tag":["sqli","id"]},"impact":"4"},{"id":"51","rule":"(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*[\\[(]?\\w{2,})","description":"Detects MySQL UDF injection and other data\/structure manipulation attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"52","rule":"(?:alter\\s*\\w+.*character\\s+set\\s+\\w+)|(\";\\s*waitfor\\s+time\\s+\")|(?:\";.*:\\s*goto)","description":"Detects MySQL charset switch and MSSQL DoS attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"53","rule":"(?:procedure\\s+analyse\\s*\\()|(?:;\\s*(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*\\w+\\s*\\(\\s*\\)\\s*-)|(?:declare[^\\w]+[@#]\\s*\\w+)|(exec\\s*\\(\\s*@)","description":"Detects MySQL and PostgreSQL stored procedure\/function injections","tags":{"tag":["sqli","id"]},"impact":"7"},{"id":"54","rule":"(?:select\\s*pg_sleep)|(?:waitfor\\s*delay\\s?\"+\\s?\\d)|(?:;\\s*shutdown\\s*(?:;|--|#|\\\/\\*|{))","description":"Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"55","rule":"(?:\\sexec\\s+xp_cmdshell)|(?:\"\\s*!\\s*[\"\\w])|(?:from\\s+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:\";?\\s*(?:select|union|having)\\s*[^\\s])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*\")","description":"Detects MSSQL code execution and information gathering attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"56","rule":"(?:merge.*using\\s*\\()|(execute\\s*immediate\\s*\")|(?:\\W+\\d*\\s*having\\s*[^\\s])|(?:match\\s*[\\w(),+-]+\\s*against\\s*\\()","description":"Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"57","rule":"(?:select\\s*\\*\\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*\\(\\s*space\\s*\\()","description":"Detects MySQL comment-\/space-obfuscated injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"58","rule":"(?:@[\\w-]+\\s*\\()|(?:]\\s*\\(\\s*[\"!]\\s*\\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\\s\\w|]*\\$\\w+\\s*=)|(?:\\$\\w+\\s*=(?:(?:\\s*\\$?\\w+\\s*[(;])|\\s*\".*\"))|(?:;\\s*\\{\\W*\\w+\\s*\\()","description":"Detects code injection attempts 1\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"59","rule":"(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\\w+|execute)\\s*[\"(@])","description":"Detects code injection attempts 2\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"60","rule":"(?:(?:[;]+|(<[?%](?:php)?)).*[^\\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\\s*rm\\s+-\\w+\\s+)|(?:;.*{.*\\$\\w+\\s*=)|(?:\\$\\w+\\s*\\[\\]\\s*=\\s*)","description":"Detects code injection attempts 3\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"61","rule":"(?:\\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\\{\\s*\\$\\s*\\{)","description":"Detects url injections and RFE attempts","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"id":"62","rule":"(?:function[^(]*\\([^)]*\\))|(?:(?:delete|void|throw|instanceof|new|typeof)\\W+\\w+\\s*[([])|([)\\]]\\s*\\.\\s*\\w+\\s*=)|(?:\\(\\s*new\\s+\\w+\\s*\\)\\.)","description":"Detects common function declarations and special JS operators","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"id":"63","rule":"(?:[\\w.-]+@[\\w.-]+%(?:[01][\\db-ce-f])+\\w+:)","description":"Detects common mail header injections","tags":{"tag":["id","spam"]},"impact":"5"},{"id":"64","rule":"(?:\\.pl\\?\\w+=\\w?\\|\\w+;)|(?:\\|\\(\\w+=\\*)|(?:\\*\\s*\\)+\\s*;)","description":"Detects perl echo shellcode injection and LDAP vectors","tags":{"tag":["lfi","rfe"]},"impact":"5"},{"id":"65","rule":"(?:(^|\\W)const\\s+[\\w\\-]+\\s*=)|(?:(?:do|for|while)\\s*\\([^;]+;+\\))|(?:(?:^|\\W)on\\w+\\s*=[\\w\\W]*(?:on\\w+|alert|eval|print|confirm|prompt))|(?:groups=\\d+\\(\\w+\\))|(?:(.)\\1{128,})","description":"Detects basic XSS DoS attempts","tags":{"tag":["rfe","dos"]},"impact":"5"},{"id":"67","rule":"(?:\\({2,}\\+{2,}:{2,})|(?:\\({2,}\\+{2,}:+)|(?:\\({3,}\\++:{2,})|(?:\\$\\[!!!\\])","description":"Detects unknown attack vectors based on PHPIDS Centrifuge detection","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"7"},{"id":"68","rule":"(?:[\\s\\\/\"]+[-\\w\\\/\\\\\\*]+\\s*=.+(?:\\\/\\s*>))","description":"finds attribute breaking injections including obfuscated attributes","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"69","rule":"(?:(?:msgbox|eval)\\s*\\+|(?:language\\s*=\\*vbscript))","description":"finds basic VBScript injection attempts","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"70","rule":"(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\\])","description":"finds basic MongoDB SQL injection attempts","tags":{"tag":"sqli"},"impact":"4"}]}}