Create hpp.json

2025-12-23 22:27:46 -05:00 · 2025-01-13 12:56:48 +01:00
parent 8faa80ebef
commit be1e0def7f
1 changed files with 42 additions and 0 deletions
--- a/rules/hpp.json
+++ b/rules/hpp.json
@@ -0,0 +1,42 @@
+[
+    {
+         "id": "hpp-duplicate-parameters",
+        "phase": 2,
+         "pattern":"(?i)(?:\\w+=\\w*&\\w+=\\w*){2,}",
+        "targets": ["URI","ARGS"],
+        "severity": "MEDIUM",
+         "action": "log",
+        "score": 4,
+         "description": "Log multiple occurences of the same parameter."
+    },
+     {
+        "id": "hpp-array-syntax",
+         "phase": 2,
+         "pattern":"(?i)(?:\\w+\\[\\w*\\]=\\w*&){2,}",
+        "targets": ["URI", "ARGS"],
+        "severity": "MEDIUM",
+         "action": "log",
+        "score": 3,
+         "description": "Log multiple parameters with array like syntax which might indicate HPP"
+      },
+    {
+         "id": "hpp-parameter-combining",
+        "phase": 2,
+         "pattern":"(?i)(?:(\\w+)=.*?&\\1=)",
+        "targets":["URI","ARGS"],
+        "severity": "MEDIUM",
+         "action":"log",
+        "score": 4,
+         "description":"Log same parameters with different values which might indicate HPP"
+     },
+     {
+       "id":"hpp-encoded-parameters",
+       "phase":2,
+        "pattern":"(?i)(?:(%[a-f0-9]{2,})+=[^&]*?&){2,}",
+        "targets":["URI", "ARGS"],
+       "severity":"MEDIUM",
+        "action":"log",
+        "score": 4,
+       "description":"Log multiple encoded parameter which might indicate HPP"
+     }
+]