mirror of
https://github.com/fabriziosalmi/caddy-waf.git
synced 2025-12-23 14:17:45 -05:00
533020d5e6
- Increased anomaly threshold to reduce false positives. - Added new rules for browser integrity checks and logging. - Improved SQL injection and XSS rules to prevent false positives. - Introduced a new rules file for browser-friendly traffic handling.
418 lines
18 KiB
JSON
418 lines
18 KiB
JSON
[
|
|
{
|
|
"id": "allow-legit-browsers",
|
|
"phase": 1,
|
|
"pattern": "(?i)(caddy-waf-ui|Mozilla|Chrome|Safari|Edge|Firefox|Opera|AppleWebKit|Gecko|Trident|MSIE|Googlebot|Bingbot|Slurp|DuckDuckBot|Baiduspider|YandexBot|Sogou|Exabot|facebot|facebookexternalhit|Twitterbot|Slackbot|LinkedInBot|TelegramBot)",
|
|
"targets": [
|
|
"HEADERS:User-Agent"
|
|
],
|
|
"severity": "LOW",
|
|
"action": "log",
|
|
"score": 1,
|
|
"description": "Allow and log traffic from legitimate browsers, search engine crawlers, and social media bots."
|
|
},
|
|
{
|
|
"id": "auth-login-form-missing",
|
|
"phase": 2,
|
|
"pattern": "^$",
|
|
"targets": [
|
|
"BODY"
|
|
],
|
|
"severity": "LOW",
|
|
"action": "log",
|
|
"score": 3,
|
|
"description": "Log login requests that do not contain login form fields"
|
|
},
|
|
{
|
|
"id": "block-scanners",
|
|
"phase": 1,
|
|
"pattern": "(?i)(nikto|sqlmap|nmap|acunetix|nessus|openvas|wpscan|dirbuster|burpsuite|owasp zap|netsparker|appscan|arachni|skipfish|gobuster|wfuzz|hydra|metasploit|nessus|openvas|qualys|zap|w3af|openwebspider|netsparker|appspider|rapid7|nessus|qualys|nuclei|zgrab|vega|gospider|gxspider|whatweb|xspider|joomscan|uniscan|blindelephant)",
|
|
"targets": [
|
|
"HEADERS:User-Agent"
|
|
],
|
|
"severity": "CRITICAL",
|
|
"action": "block",
|
|
"score": 10,
|
|
"description": "Block traffic from known vulnerability scanners and penetration testing tools. Includes more scanners."
|
|
},
|
|
{
|
|
"id": "crlf-injection-headers",
|
|
"phase": 1,
|
|
"pattern": "(?i)(%0d|\\r)%0a|%0a(%0d|$)|\\n|%0d%0a|%0a%0d|\\r\\n",
|
|
"targets": [
|
|
"HEADERS"
|
|
],
|
|
"severity": "MEDIUM",
|
|
"action": "log",
|
|
"score": 5,
|
|
"description": "Log requests with potential CRLF injection characters in headers. Improved pattern matching."
|
|
},
|
|
{
|
|
"id": "csrf-missing-token-post",
|
|
"phase": 2,
|
|
"pattern": "^$",
|
|
"targets": [
|
|
"BODY"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "log",
|
|
"score": 6,
|
|
"description": "Log POST requests to write operation endpoints that are missing a CSRF token in the body (use this with a condition to ensure that a write operation was done)."
|
|
},
|
|
{
|
|
"id": "header-attacks-consolidated",
|
|
"phase": 1,
|
|
"pattern": "(?i)(?:1'\\s+OR\\s+'1'='1|<script[^>]*>|\\.\\.\\/\\.\\.\\/etc\\/passwd|1'\\s+UNION\\s+SELECT\\s+NULL--|\\b(?:select|insert|update|delete|drop|alter)\\b(?:\\s|\\/\\*.*?\\*\\/|--.*?)?(?:from|into|where|table)\\b|\\bunion\\b(?:\\s|\\/\\*.*?\\*\\/|--.*?)?\\bselect\\b|'\\s*(?:and|or)\\s*\\d+\\s*(?:=|[<>!]+\\s*)\\d+|\\)\\s*(?:and|or)\\s*\\(\\d+\\s*(?:=|[<>!]+\\s*)\\d+\\)|\\b(?:sleep|benchmark|waitfor\\s+delay)\\s*\\()",
|
|
"targets": [
|
|
"HEADERS"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 9,
|
|
"description": "Block SQL injection, XSS, and path traversal attempts in headers. Improved pattern matching."
|
|
},
|
|
{
|
|
"id": "http-request-smuggling",
|
|
"phase": 1,
|
|
"pattern": "(?i)(?:Transfer-Encoding.*?(?:chunked|identity)|Content-Length:\\s*0|(?:Content-Length:\\s*\\d+)(?:\\n.*){2,}|(?:Content-Length:\\s*\\d+)(?:\\n\\w+:\\s*.*?\\n+)|(?:TE:\\s*chunked)(?:\\n.*){2,}|(?:TE:\\s*identity)(?:\\n.*){2,})",
|
|
"targets": [
|
|
"HEADERS",
|
|
"BODY"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 9,
|
|
"description": "Detects HTTP request smuggling patterns. Targets Transfer-Encoding and Content-Length headers."
|
|
},
|
|
{
|
|
"id": "idor-attacks",
|
|
"phase": 2,
|
|
"pattern": "(?i)(?:(?:\\b(?:id|user|account|profile|order|item|product|comment|post|blog|thread|task|note|group|file|image|report|json|api|rest|download|admin|dashboard|email|video)\\b(?:\\s*)[=:]\\s*(?:[\\-\\/]?\\d+|[\\w\\-\\.]+|[a-f0-9\\-]+))|\\b(?:[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12})\\b|\\/\\d+(?:\\/|$)|\\/[a-f0-9]{32}|\\/[a-f0-9]{40})",
|
|
"targets": [
|
|
"URI",
|
|
"BODY",
|
|
"HEADERS",
|
|
"COOKIES"
|
|
],
|
|
"severity": "MEDIUM",
|
|
"action": "log",
|
|
"score": 7,
|
|
"description": "Detects Insecure Direct Object Reference (IDOR) attempts by identifying common ID patterns in URIs, body, headers and cookies."
|
|
},
|
|
{
|
|
"id": "insecure-deserialization-java",
|
|
"phase": 2,
|
|
"pattern": "(?:rO0AB|aced0005|\\xac\\xed\\x00\\x05)",
|
|
"targets": [
|
|
"BODY",
|
|
"HEADERS",
|
|
"COOKIES"
|
|
],
|
|
"severity": "CRITICAL",
|
|
"action": "block",
|
|
"score": 9,
|
|
"description": "Block requests containing potential Java serialized objects, including magic bytes for serialized objects."
|
|
},
|
|
{
|
|
"id": "jwt-tampering",
|
|
"phase": 1,
|
|
"pattern": "^(eyJ[A-Za-z0-9_-]{0,}\\.eyJ[A-Za-z0-9_-]{0,}\\.[A-Za-z0-9_-]{0,})",
|
|
"targets": [
|
|
"HEADERS:Authorization",
|
|
"COOKIES"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 8,
|
|
"description": "Block potential JWT tampering attempts in Authorization headers or cookies."
|
|
},
|
|
{
|
|
"id": "nosql-injection-attacks",
|
|
"phase": 2,
|
|
"pattern": "(?i)(?:\\$(?:gt|gte|lt|lte|ne|eq|regex|where|or|and|in|nin|exists|type|jsonSchema|not|mod|elemMatch|all|size|nor|comment|slice|expr|meta|text|search|near|nearSphere|geoWithin|geoIntersects|geoNear)\\b|\\b(?:db|collection|aggregate|mapReduce|count|group|distinct|findOne|find|remove|update|insert)\\b)",
|
|
"targets": [
|
|
"BODY",
|
|
"HEADERS",
|
|
"COOKIES"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 9,
|
|
"description": "Block NoSQL injection attempts in request body, headers, and cookies. Targets MongoDB operators and keywords."
|
|
},
|
|
{
|
|
"id": "open-redirect-attempt",
|
|
"phase": 2,
|
|
"pattern": "(?i)(?:https?://(?:[^/]+@)?[^/]+\\.[^/]+/|\\b(?:redirect|url|next|return|r|u)\\b\\s*=\\s*(?:https?://|//))",
|
|
"targets": [
|
|
"HEADERS",
|
|
"BODY"
|
|
],
|
|
"severity": "MEDIUM",
|
|
"action": "block",
|
|
"score": 6,
|
|
"description": "Block potential open redirect attempts in request body and headers."
|
|
},
|
|
{
|
|
"id": "path-traversal",
|
|
"phase": 1,
|
|
"pattern": "(?:\\.\\.[/\\\\]|\\.\\./|\\.\\.\\\\/|%2e%2e[/\\\\]|%2e%2e/|%2e%2e%5c|%252e%252e|\\b(?:etc(?:\\/|%2F)(?:passwd|shadow|hosts)|(?:proc|sys)(?:\\/|%2F)(?:self(?:\\/|%2F)environ|cmdline)|boot(?:\\/|%2F)grub(?:\\/|%2F)grub\\.cfg|\\/\\.\\.(?:\\/|%2F)|(?:\\/|%5c)(\\.\\.){2,}(?:\\/|%5c)|(?:\\.\\.){2,}(?:\\/|%5c)|(?:\\.\\.){2,}|(?:%2e%2e){2,}(?:%2f|%5c)|(?:%2e%2e%2f|%2e%2e%5c){2,}|(?:\\.\\.%2f|\\.\\.%5c){2,}|(?:%252e%252e%2f|%252e%252e%5c){2,}|%252e%252e|%252f%2e%2e|%255c%2e%2e|\\/\\.(?:\\/|%2F)|\\%2e(?:%2f|%5c))\\b)",
|
|
"targets": [
|
|
"URI",
|
|
"HEADERS"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 9,
|
|
"description": "Block path traversal attempts and direct access to sensitive files (Target: URI and Headers). Improved and more aggressive pattern matching, including more obfuscation techniques."
|
|
},
|
|
{
|
|
"id": "rce-commands-expanded",
|
|
"phase": 2,
|
|
"pattern": "(?i)(?:\\b(?:cat|base64|whoami|echo|curl|wget|bash|sh|python|perl|ls|id|ping|nslookup|ipconfig|ifconfig|powershell)\\b)",
|
|
"targets": [
|
|
"ARGS",
|
|
"HEADERS"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 5,
|
|
"description": "Expanded rule to block more RCE related commands and utilities."
|
|
},
|
|
{
|
|
"id": "rfi-http-url",
|
|
"phase": 2,
|
|
"pattern": "(?i)https?:\\/\\/[^\\s]+",
|
|
"targets": [
|
|
"URI",
|
|
"ARGS",
|
|
"HEADERS"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 8,
|
|
"description": "Block direct use of HTTP or HTTPS URLs for inclusion."
|
|
},
|
|
{
|
|
"id": "sensitive-files",
|
|
"phase": 1,
|
|
"pattern": "(?i)(?:/\\.git/(?:HEAD|index|config|refs|objects)|/\\.env(?:\\.local|\\.dev|\\.prod)?$|/\\.htaccess$|/\\.htpasswd$|/\\.svn/|/\\.DS_Store$|\\/WEB-INF\\/|\\/WEB-INF\\/web\\.xml|\\/META-INF\\/|\\.git/\\s*(?:H\\.E\\.A\\.D|HEAD)|\\.dockerenv|server-status|\\b(?:config|database|credentials|secrets|private|local|development|staging|production|backup|default)\\b(?:[\\-_\\.]?)(?:[a-z0-9]+)?\\.(?:json|yaml|yml|ini|properties|txt|conf|toml|lock|log|bak|swp|orig|dist|sample|example|template|env|sql))",
|
|
"targets": [
|
|
"URI"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 9,
|
|
"description": "Block access to sensitive files and directories (Target: URI). Expanded rule to include more config and backup file names."
|
|
},
|
|
{
|
|
"id": "sensitive-files-expanded",
|
|
"phase": 1,
|
|
"pattern": "(?i)(?:/\\.git/(?:HEAD|index|config|refs|objects)|/\\.env(?:\\.local|\\.dev|\\.prod)?$|/\\.htaccess$|/\\.htpasswd$|/\\.svn/|/\\.DS_Store$|\\/WEB-INF\\/|\\/WEB-INF\\/web.xml|\\/META-INF\\/|\\.git/\\s*(?:H\\.E\\.A\\.D|HEAD)|\\.dockerenv|server-status)",
|
|
"targets": [
|
|
"URI"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 9,
|
|
"description": "Expanded rule to block access to more sensitive files and account for obfuscation."
|
|
},
|
|
{
|
|
"id": "sql-injection",
|
|
"phase": 2,
|
|
"pattern": "(?i)(?:\\b(?:select|insert|update|delete|drop|alter|truncate|create|grant|revoke)\\b(?:\\s|\\/\\*.*?\\*\\/|--.*?)?(?:from|into|where|table|index|user|procedure|function|database)\\b|\\bunion\\b(?:\\s|\\/\\*.*?\\*\\/|--.*?)?(?:all|distinct)?(?:\\s|\\/\\*.*?\\*\\/|--.*?)?\\bselect\\b|'\\s*(?:and|or)\\s*['\\d]+\\s*(?:=|[<>]=?|!=)\\s*['\\d]+|\\)\\s*(?:and|or)\\s*\\([\\d]+\\s*(?:=|[<>]=?|!=)\\s*[\\d]+\\)|\\b(?:sleep|benchmark|waitfor\\s+delay)\\s*\\(|(?:\\bexec\\b|xp_cmdshell))",
|
|
"targets": [
|
|
"ARGS",
|
|
"BODY"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 7,
|
|
"description": "Block SQL injection attempts in request arguments and body. Removed HEADERS target to avoid false positives."
|
|
},
|
|
{
|
|
"id": "sql-injection-improved-basic",
|
|
"phase": 2,
|
|
"pattern": "(?i)(?:'\\s*(?:and|or)\\s*\\d+\\s*[=<>!]+\\s*\\d+|['\"]\\s*\\d+\\s*[=<>!]+\\s*['\"]|'\\s*\\+\\s*'|--\\s*-|-{2,})",
|
|
"targets": [
|
|
"ARGS",
|
|
"BODY"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 8,
|
|
"description": "Improved rule to catch basic SQL injection including quotes and boolean logic. Removed HEADERS and COOKIES targets and removed double quote pattern to prevent false positives."
|
|
},
|
|
{
|
|
"id": "ssrf-attacks",
|
|
"phase": 2,
|
|
"pattern": "(?i)(?:(?:https?|ftp|gopher|dict|ldap|tftp|file)://(?:[^/]+@)?(?:(?:127\\.0\\.0\\.\\d{1,3}|10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.(?:1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4})|localhost|0\\.0\\.0\\.0|::1|\\d{1,10})|[^/]+\\.(?:internal|local|intranet|test))(?:\\:\\d{1,5})?(?:/[^\\s]*)?|\\b(?:metadata|aws|digitalocean|google|azure)\\b|\\b(?:169\\.254\\.\\d{1,3}\\.\\d{1,3})\\b(?:/[^\\s]*)?)",
|
|
"targets": [
|
|
"BODY"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 9,
|
|
"description": "Block Server-Side Request Forgery (SSRF) attempts, including internal IP ranges and cloud metadata endpoints. Removed HEADERS and COOKIES targets to prevent false positives with browser cookies."
|
|
},
|
|
{
|
|
"id": "ssrf-internal-ip",
|
|
"phase": 2,
|
|
"pattern": "(?:127\\.0\\.0\\.1|10\\.|172\\.(?:1[6-9]|2\\d|3[01])\\.|192\\.168\\.)",
|
|
"targets": [
|
|
"URI",
|
|
"ARGS"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 7,
|
|
"description": "Block SSRF to Internal IPs."
|
|
},
|
|
{
|
|
"id": "ssrf-reserved-ip",
|
|
"phase": 2,
|
|
"pattern": "(?:0\\.|169\\.254\\.|224\\.|240\\.|255\\.)",
|
|
"targets": [
|
|
"URI",
|
|
"ARGS"
|
|
],
|
|
"severity": "MEDIUM",
|
|
"action": "block",
|
|
"score": 5,
|
|
"description": "Block SSRF to Reserved/Multicast IPs."
|
|
},
|
|
{
|
|
"id": "ssti-attacks",
|
|
"phase": 2,
|
|
"pattern": "(?i)(?:\\{\\{.*?\\}\\}|\\{\\%.*?\\%\\}|\\$\\{.*?\\}|\\#\\{.*?\\}|\\$\\(.*?\\)|\\{\\*.*?\\*\\}|\\#\\*.*?\\*\\#|<%[=]?.*?%>|@\\{.*?\\}|\\b(?:Runtime|Process|exec|System|getClass|ClassLoader|loadLibrary|forName|newInstance|getMethod|invoke|getConstructor|getDeclaredMethod|getDeclaredField|setAccessible|getDeclaredConstructor|getInputStream|getOutputStream|get|put|setAttribute|getProperty|setProperty|setSecurityManager|load|defineClass|new|clone|readObject|writeObject|call|apply|bind|super)\\b\\s*\\(|\\b(?:T|Math|Object|String|Boolean|Number|BigInteger|BigDecimal|Date|List|Map|Set|Queue|Array|Tuple|Pattern|Locale|Class|ClassLoader|Proxy|SecurityManager|Thread|ThreadGroup)\\b)",
|
|
"targets": [
|
|
"BODY"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 9,
|
|
"description": "Block Server-Side Template Injection (SSTI) attacks in request body. Removed HEADERS and COOKIES targets to prevent false positives."
|
|
},
|
|
{
|
|
"id": "unusual-paths",
|
|
"phase": 1,
|
|
"pattern": "(?i)(?:/wp-admin|/phpmyadmin|/admin|/login|/cgi-bin|/shell|/backdoor|/cmd|/exec|/bin/(?:sh|bash|zsh)|/console|/setup|/test|\\.php$|\\.asp$|\\.aspx$|\\.jsp$|\\.do$|\\.action$|\\.pl$|\\.py$|\\.cgi$|\\.cfm$|\\.rb$|\\.php[0-9]?$|\\.phtml$|\\.htaccess$|\\.htpasswd$|\\.ini$|\\.config$|\\.lock$|\\.log$|\\.bak$|\\.swp$|\\.orig$|\\.dist$|\\.sample$|\\.example$|\\.template$|\\.env$)",
|
|
"targets": [
|
|
"URI"
|
|
],
|
|
"severity": "MEDIUM",
|
|
"action": "block",
|
|
"score": 7,
|
|
"description": "Block requests to unusual or suspicious paths and common scripting extensions (Target: URI). Expanded rule for more file types and endpoints."
|
|
},
|
|
{
|
|
"id": "xss-attacks",
|
|
"phase": 2,
|
|
"pattern": "(?i)(?:<script[^>]*>|<img[^>]*\\s+onerror=|javascript:|data:|vbscript:|<svg[^>]*\\s+onload=|alert\\(|document\\.(?:cookie|location)|eval\\(|base64_(?:encode|decode)|expression\\(|\\b(?:on(?:mouse(?:over|out|down|up|move)|focus|blur|click|key(?:press|down|up)|load|error|submit|reset|change))\\s*=|\\bstyle\\s*=|(?:&#[xX]?[0-9a-fA-F]+;)+|%[0-9a-fA-F]{2,}|\\biframe[^>]*srcdoc\\s*=)",
|
|
"targets": [
|
|
"BODY",
|
|
"ARGS"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 9,
|
|
"description": "Block XSS attempts using HTML tags, event handlers, javascript: protocol, encoded characters, iframe srcdoc, etc. Removed HEADERS and COOKIES targets and simplified pattern to prevent false positives."
|
|
},
|
|
{
|
|
"id": "xss-improved-encoding",
|
|
"phase": 2,
|
|
"pattern": "(?i)(?:<script[^>]*>|<img[^>]*\\s+onerror=|javascript:|data:|vbscript:|<svg[^>]*\\s+onload=|alert\\(|document\\.(?:cookie|location)|eval\\(|base64_(?:encode|decode)|expression\\(|\\b(?:on(?:mouse(?:over|out|down|up|move)|focus|blur|click|key(?:press|down|up)|load|error|submit|reset|change))\\s*=|\\bstyle\\s*=|(?:&#[xX]?[0-9a-fA-F]+;)+|%[0-9a-fA-F]{2,}|\\biframe[^>]*srcdoc\\s*=)",
|
|
"targets": [
|
|
"ARGS",
|
|
"BODY"
|
|
],
|
|
"severity": "HIGH",
|
|
"action": "block",
|
|
"score": 8,
|
|
"description": "Improved XSS rule to catch encoded payloads and iframe srcdoc. Removed HEADERS target to prevent false positives."
|
|
},
|
|
{
|
|
"id": "browser-integrity-sec-fetch-dest-missing-block",
|
|
"phase": 1,
|
|
"pattern": "^$",
|
|
"targets": [
|
|
"HEADERS:Sec-Fetch-Dest-Presence-Check"
|
|
],
|
|
"severity": "CRITICAL",
|
|
"action": "log",
|
|
"score": 5,
|
|
"description": "Changed to LOG: Requests missing Sec-Fetch-Dest header. Very strong indicator of non-browser traffic but can cause issues with normal browsers."
|
|
},
|
|
{
|
|
"id": "browser-integrity-sec-fetch-mode-missing-log-score",
|
|
"phase": 1,
|
|
"pattern": "^$",
|
|
"targets": [
|
|
"HEADERS:Sec-Fetch-Mode-Presence-Check"
|
|
],
|
|
"severity": "MEDIUM",
|
|
"action": "log",
|
|
"score": 3,
|
|
"description": "LOG+SCORE: Requests missing Sec-Fetch-Mode header. Suspicious, might be non-browser. Moderate confidence, low to moderate false positive risk. Assigns score."
|
|
},
|
|
{
|
|
"id": "browser-integrity-sec-fetch-site-missing-log-score",
|
|
"phase": 1,
|
|
"pattern": "^$",
|
|
"targets": [
|
|
"HEADERS:Sec-Fetch-Site-Presence-Check"
|
|
],
|
|
"severity": "LOW",
|
|
"action": "log",
|
|
"score": 1,
|
|
"description": "LOG+SCORE: Requests missing Sec-Fetch-Site header. Less critical but still worth monitoring. Lower confidence, slightly higher false positive risk. Assigns score."
|
|
},
|
|
{
|
|
"id": "browser-integrity-sec-fetch-user-missing-log-score",
|
|
"phase": 1,
|
|
"pattern": "^$",
|
|
"targets": [
|
|
"HEADERS:Sec-Fetch-User-Presence-Check"
|
|
],
|
|
"severity": "LOW",
|
|
"action": "log",
|
|
"score": 1,
|
|
"description": "LOG+SCORE: Requests missing Sec-Fetch-User header. Might indicate non-user-initiated actions or bots. Lowest confidence, moderate to higher false positive risk. Assigns score, mainly for correlation."
|
|
},
|
|
{
|
|
"id": "browser-integrity-sec-fetch-dest-not-document-ua-suspicious-log-score",
|
|
"phase": 1,
|
|
"pattern": "(?i)^(?:script|style|image|font|fetch|xhr|audio|video|manifest|object|embed|report|worker|sharedworker|serviceworker|empty|unknown)$",
|
|
"targets": [
|
|
"HEADERS:Sec-Fetch-Dest-Not"
|
|
],
|
|
"severity": "MEDIUM",
|
|
"action": "log",
|
|
"score": 3,
|
|
"description": "LOG+SCORE: Sec-Fetch-Dest not 'document' AND Suspicious User-Agent. More suspicious combination. Moderate confidence, reduced false positive risk by combining checks. Assigns score."
|
|
},
|
|
{
|
|
"id": "browser-integrity-sec-fetch-mode-no-cors-document-log-score",
|
|
"phase": 1,
|
|
"pattern": "(?i)^(?:no-cors)$",
|
|
"targets": [
|
|
"HEADERS:Sec-Fetch-Mode"
|
|
],
|
|
"severity": "LOW",
|
|
"action": "log",
|
|
"score": 2,
|
|
"description": "LOG+SCORE: 'document' requests with Sec-Fetch-Mode: 'no-cors'. Less common for initial page loads. Lower confidence, low false positive risk. Assigns score."
|
|
},
|
|
{
|
|
"id": "browser-integrity-sec-fetch-site-cross-site-document-log-score",
|
|
"phase": 1,
|
|
"pattern": "(?i)^(?:cross-site)$",
|
|
"targets": [
|
|
"HEADERS:Sec-Fetch-Site"
|
|
],
|
|
"severity": "LOW",
|
|
"action": "log",
|
|
"score": 1,
|
|
"description": "LOG+SCORE: 'document' requests with Sec-Fetch-Site: 'cross-site'. Common for external links, primarily for monitoring cross-site traffic patterns. Lowest confidence, very low false positive risk. Assigns score for traffic analysis."
|
|
}
|
|
] |