OWASP CRS (Official Repository)

Results 367 coreruleset issues

BB finding HOH7M88Q: `email=admin%40juice-sh.op\'%20and(%20likelihood%20(id,.0));'` Comment: Do a review of SQLite functions, are there more?

bug bounty

BB finding IJ5N1CXB: `email=admin%40juice-sh.op\'and%20unlikely%20(id)--` Comment: Block `'` + `unlikely()`

bug bounty

BB finding RKJU2TTV: Detect SQLi using `';` `[email protected]';` `{"email":"[email protected]';","password":"a"}` Comment: False positives are likely, PL3?

bug bounty

BB finding N9FKP2XQ: SQLite: `.sh whoami` Comment: add to blocklist

bug bounty

This PR addresses #2699. It will solve false negatives such as `/index.php/%3Csvg/onload=alert()` I've reviewed our XSS rules, and on first sight, the rules seem specific enough to allow us passing...

bug bounty

Associated issue: #2724 This PR adds the additional PHP wrappers documented at https://www.php.net/manual/en/wrappers.ssh2.php and a new test for each new wrapper: - `ssh2.shell://` - `ssh2.exec://` - `ssh2.tunnel://` - `ssh2.sftp://` -...

ready to merge

### Describe the bug Following on from #2722, it looks like we may be missing some additional PHP wrappers, specifically the `ssh2.*` family. **Source**: https://www.php.net/manual/en/wrappers.ssh2.php ### Expected behaviour We should...

Issue: `U8Z0MSCP` Description: The affected rule only works on *nix-style filepaths. Fix: Detect Windows-style filepaths by considering `\` as a valid filepath delimiter like `/`.

bug bounty

As the URL structure is much different from version 5.1, a new exclusion package/plugin needs to be created for versions above 5.1. This exclusion rules plugin is ready and needs testing.

:+1: Feature Request