1
)|(?:[^\w\s]\s*\/>)|(?:>")]]>
Finds HTML breaking injections including whitespace attacks
xss
csrf
4
2
\w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")|(?:[^"]?"[,;\s]+\w*[\[\(])]]>
Finds attribute breaking injections including whitespace attacks
xss
csrf
4
3
[\w\s]*<\/?\w{2,}>)]]>
Finds unquoted attribute breaking injections
xss
csrf
2
4
]\s*(?:location|referrer|name)\s*[^\/\w\s-])]]>
Detects URL-, name-, JSON, and referrer-contained payload attacks
xss
csrf
5
5
Detects hash-contained XSS payload attacks, setter usage and property overloading
xss
csrf
5
6
Detects self-contained XSS via with(), common loops and regex to string conversion
xss
csrf
5
7
Detects JavaScript with(), ternary operators and XML predicate attacks
xss
csrf
5
8
Detects self-executing JavaScript functions
xss
csrf
5
9
Detects the IE octal, hex and unicode entities
xss
csrf
2
10
Detects basic directory traversal
dt
id
lfi
5
11
Detects specific directory and path traversal
dt
id
lfi
5
12
Detects etc/passwd inclusion attempts
dt
id
lfi
5
13
Detects halfwidth/fullwidth encoded unicode HTML breaking attempts
xss
csrf
3
14
Detects possible includes, VBScript/JScript encoded and packed functions
xss
csrf
id
rfe
5
15
Detects JavaScript DOM/miscellaneous properties and methods
xss
csrf
id
rfe
6
16
Detects possible includes and typical script methods
xss
csrf
id
rfe
5
17
Detects JavaScript object properties and methods
xss
csrf
id
rfe
4
18
Detects JavaScript array properties and methods
xss
csrf
id
rfe
4
19
Detects JavaScript string properties and methods
xss
csrf
id
rfe
4
20
Detects JavaScript language constructs
xss
csrf
id
rfe
4
21
Detects very basic XSS probings
xss
csrf
id
rfe
3
22
Detects advanced XSS probings via Script(), RegExp, constructors and XML namespaces
xss
csrf
id
rfe
5
23
Detects JavaScript location/document property access and window access obfuscation
xss
csrf
5
24
Detects basic obfuscated JavaScript script injections
xss
csrf
5
25
Detects obfuscated JavaScript script injections
xss
csrf
5
26
Detects JavaScript cookie stealing and redirection attempts
xss
csrf
4
27
Detects data: URL injections, VBS injections and common URI schemes
xss
rfe
5
28
Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution
xss
rfe
lfi
csrf
5
29
Detects bindings and behavior injections
xss
csrf
rfe
4
30
Detects common XSS concatenation patterns 1/2
xss
csrf
id
rfe
4
31
Detects common XSS concatenation patterns 2/2
xss
csrf
id
rfe
4
32
)\w+[^=_+-]*=[^$]+(?:\W|\>)?)]]>
Detects possible event handlers
xss
csrf
4
33
]*)t(?!rong))|(?:\
Detects obfuscated script tags and XML wrapped HTML
xss
4
34
Detects attributes in closing tags and conditional compilation tokens
xss
csrf
4
35
)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:)]]>
Detects common comment types
xss
csrf
id
3
37
Detects base href injections and XML entity injections
xss
csrf
id
5
38
Detects possibly malicious HTML elements including some attributes
xss
csrf
id
rfe
lfi
4
39
Detects nullbytes and other dangerous characters
id
rfe
xss
5
40
Detects MySQL comments, conditions and ch(a)r injections
sqli
id
lfi
6
41
~])]]>
Detects conditional SQL injection attempts
sqli
id
lfi
6
42
Detects classic SQL injection probings 1/2
sqli
id
lfi
6
43
%+-][\w-]+[^\w\s]+"[^,])]]>
Detects classic SQL injection probings 2/2
sqli
id
lfi
6
44
=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]>
Detects basic SQL authentication bypass attempts 1/3
sqli
id
lfi
7
45
Detects basic SQL authentication bypass attempts 2/3
sqli
id
lfi
7
46
^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]>
Detects basic SQL authentication bypass attempts 3/3
sqli
id
lfi
7
47
Detects concatenated basic SQL injection and SQLLFI attempts
sqli
id
lfi
5
48
Detects chained SQL injection attempts 1/2
sqli
id
6
49
Detects chained SQL injection attempts 2/2
sqli
id
6
50
Detects SQL benchmark and sleep injection attempts including conditional queries
sqli
id
4
51
Detects MySQL UDF injection and other data/structure manipulation attempts
sqli
id
6
52
Detects MySQL charset switch and MSSQL DoS attempts
sqli
id
6
53
Detects MySQL and PostgreSQL stored procedure/function injections
sqli
id
7
54
Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts
sqli
id
5
55
Detects MSSQL code execution and information gathering attempts
sqli
id
5
56
Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections
sqli
id
5
57
Detects MySQL comment-/space-obfuscated injections and backtick termination
sqli
id
5
58
)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))|(?:;\s*\{\W*\w+\s*\()]]>
Detects code injection attempts 1/3
id
rfe
lfi
7
59
Detects code injection attempts 2/3
id
rfe
lfi
7
60
Detects code injection attempts 3/3
id
rfe
lfi
7
62
Detects common function declarations and special JS operators
id
rfe
lfi
5
63
Detects common mail header injections
id
spam
5
64
Detects perl echo shellcode injection and LDAP vectors
lfi
rfe
5
65
Detects basic XSS DoS attempts
rfe
dos
5
67
Detects unknown attack vectors based on PHPIDS Centrifuge detection
xss
csrf
id
rfe
lfi
7
68
))]]>
Finds attribute breaking injections including obfuscated attributes
xss
csrf
4
69
Finds basic VBScript injection attempts
xss
csrf
4
70
Finds basic MongoDB SQL injection attempts
sqli
4
71
Finds malicious attribute injection attempts and MHTML attacks
xss
csrf
6
72
Detects blind SQLi tests using sleep() or benchmark().
sqli
id
4
73
An attacker is trying to locate a file to read or write.
files
id
4
75
Looking for a format string attack
format string
4
76
Looking for basic SQL injection. Common attack string for MySQL, Oracle and others.
sqli
id
3
77
Looking for integer overflow attacks; these are taken from skipfish, except 2.2250738585072007e-308, which is the "magic number" crash
sqli
id
3