Google Cloud Armor preconfigured WAF rules are complex web application firewall (WAF) rules with dozens of signatures that are compiled from open source industry standards. Each signature corresponds to an attack detection rule in the ruleset. Google offers these rules as is. The rules let Cloud Armor evaluate dozens of distinct traffic signatures by referring to conveniently named rules rather than requiring you to define each signature manually.
Google Cloud Armor preconfigured WAF rules can be tuned to best suit your needs. For more information about how to tune the rules, see Tune Google Cloud Armor preconfigured WAF rules.
The following table contains a comprehensive list of preconfigured WAF rules that are available for use in a Cloud Armor security policy. The rule sources are OWASP Core Rule Set (CRS) 3.3.2. We recommend that you use version 3.3 for increased sensitivity and for an increased breadth of protected attack types. Support for CRS 3.0 is ongoing.
CRS 3.3
Stable rule name | Canary rule name |
---|---|
sqli-v33-stable | sqli-v33-canary |
xss-v33-stable | xss-v33-canary |
lfi-v33-stable | lfi-v33-canary |
rfi-v33-stable | rfi-v33-canary |
rce-v33-stable | rce-v33-canary |
methodenforcement-v33-stable | methodenforcement-v33-canary |
scannerdetection-v33-stable | scannerdetection-v33-canary |
protocolattack-v33-stable | protocolattack-v33-canary |
php-v33-stable | php-v33-canary |
sessionfixation-v33-stable | sessionfixation-v33-canary |
java-v33-stable | java-v33-canary |
nodejs-v33-stable | nodejs-v33-canary |
CRS 3.0
Stable rule name | Canary rule name |
---|---|
sqli-stable | sqli-canary |
xss-stable | xss-canary |
lfi-stable | lfi-canary |
rfi-stable | rfi-canary |
rce-stable | rce-canary |
methodenforcement-stable | methodenforcement-canary |
scannerdetection-stable | scannerdetection-canary |
protocolattack-stable | protocolattack-canary |
php-stable | php-canary |
sessionfixation-stable | sessionfixation-canary |
Not included
Not included
In addition, the following cve-canary rules are available to all Cloud Armor customers to help detect and optionally block the following vulnerabilities:
- CVE-2021-44228 and CVE-2021-45046 Log4j RCE vulnerabilities
- 942550-sqli JSON-formatted content vulnerability
Cloud Armor rule name | Covered vulnerability types |
---|---|
cve-canary | Log4j vulnerability |
json-sqli-canary | JSON-based SQL injection bypass vulnerability |
Preconfigured OWASP rules
Each preconfigured WAF rule has a sensitivity level that corresponds to an OWASP CRS paranoia level. A lower sensitivity level indicates a higher confidence signature, which is less likely to generate a false positive. A higher sensitivity level increases security, but also increases the risk of generating a false positive.
SQL injection (SQLi)
The following table provides the signature ID, sensitivity level, and description of each supported signature in the SQLi preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030301-id942100-sqli | 1 | SQL Injection Attack Detected via libinjection |
owasp-crs-v030301-id942140-sqli | 1 | SQL injection attack: Common DB Names Detected |
owasp-crs-v030301-id942160-sqli | 1 | Detects blind SQLi tests using sleep() or benchmark() |
owasp-crs-v030301-id942170-sqli | 1 | Detects SQL benchmark and sleep injection attempts including conditional queries |
owasp-crs-v030301-id942190-sqli | 1 | Detects MSSQL code execution and information gathering attempts |
owasp-crs-v030301-id942220-sqli | 1 | Looks for integer overflow attacks |
owasp-crs-v030301-id942230-sqli | 1 | Detects conditional SQL injection attempts |
owasp-crs-v030301-id942240-sqli | 1 | Detects MySQL charset switch and MSSQL DoS attempts |
owasp-crs-v030301-id942250-sqli | 1 | Detects MATCH AGAINST |
owasp-crs-v030301-id942270-sqli | 1 | Looks for basic SQL injection; common attack string for MySql |
owasp-crs-v030301-id942280-sqli | 1 | Detects Postgres pg_sleep injection |
owasp-crs-v030301-id942290-sqli | 1 | Finds basic MongoDB SQL injection attempts |
owasp-crs-v030301-id942320-sqli | 1 | Detects MySQL and PostgreSQL stored procedure/function injections |
owasp-crs-v030301-id942350-sqli | 1 | Detects MySQL UDF injection and other data/structure manipulation attempts |
owasp-crs-v030301-id942360-sqli | 1 | Detects concatenated basic SQL injection and SQLLFI attempts |
owasp-crs-v030301-id942500-sqli | 1 | MySQL in-line comment detected |
owasp-crs-v030301-id942110-sqli | 2 | SQL injection attack: Common Injection Testing Detected |
owasp-crs-v030301-id942120-sqli | 2 | SQL injection attack: SQL Operator Detected |
owasp-crs-v030301-id942130-sqli | 2 | SQL Injection Attack: SQL Tautology Detected |
owasp-crs-v030301-id942150-sqli | 2 | SQL injection attack |
owasp-crs-v030301-id942180-sqli | 2 | Detects basic SQL authentication bypass attempts 1/3 |
owasp-crs-v030301-id942200-sqli | 2 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
owasp-crs-v030301-id942210-sqli | 2 | Detects chained SQL injection attempts 1/2 |
owasp-crs-v030301-id942260-sqli | 2 | Detects basic SQL authentication bypass attempts 2/3 |
owasp-crs-v030301-id942300-sqli | 2 | Detects MySQL comments |
owasp-crs-v030301-id942310-sqli | 2 | Detects chained SQL injection attempts 2/2 |
owasp-crs-v030301-id942330-sqli | 2 | Detects classic SQL injection probings 1/2 |
owasp-crs-v030301-id942340-sqli | 2 | Detects basic SQL authentication bypass attempts 3/3 |
owasp-crs-v030301-id942361-sqli | 2 | Detects basic SQL injection based on keyword alter or union |
owasp-crs-v030301-id942370-sqli | 2 | Detects classic SQL injection probings 2/3 |
owasp-crs-v030301-id942380-sqli | 2 | SQL injection attack |
owasp-crs-v030301-id942390-sqli | 2 | SQL injection attack |
owasp-crs-v030301-id942400-sqli | 2 | SQL injection attack |
owasp-crs-v030301-id942410-sqli | 2 | SQL injection attack |
owasp-crs-v030301-id942470-sqli | 2 | SQL injection attack |
owasp-crs-v030301-id942480-sqli | 2 | SQL injection attack |
owasp-crs-v030301-id942430-sqli | 2 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
owasp-crs-v030301-id942440-sqli | 2 | SQL Comment Sequence Detected |
owasp-crs-v030301-id942450-sqli | 2 | SQL Hex Encoding Identified |
owasp-crs-v030301-id942510-sqli | 2 | SQLi bypass attempt by ticks or backticks detected |
owasp-crs-v030301-id942251-sqli | 3 | Detects HAVING injections |
owasp-crs-v030301-id942490-sqli | 3 | Detects classic SQL injection probings 3/3 |
owasp-crs-v030301-id942420-sqli | 3 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
owasp-crs-v030301-id942431-sqli | 3 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
owasp-crs-v030301-id942460-sqli | 3 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
owasp-crs-v030301-id942101-sqli | 3 | SQL Injection Attack Detected via libinjection |
owasp-crs-v030301-id942511-sqli | 3 | SQLi bypass attempt by ticks detected |
owasp-crs-v030301-id942421-sqli | 4 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
owasp-crs-v030301-id942432-sqli | 4 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
Not included | 1 | SQL Injection Attack Detected via libinjection |
owasp-crs-v030001-id942140-sqli | 1 | SQL injection attack: Common DB Names Detected |
owasp-crs-v030001-id942160-sqli | 1 | Detects blind SQLi tests using sleep() or benchmark() |
owasp-crs-v030001-id942170-sqli | 1 | Detects SQL benchmark and sleep injection attempts including conditional queries |
owasp-crs-v030001-id942190-sqli | 1 | Detects MSSQL code execution and information gathering attempts |
owasp-crs-v030001-id942220-sqli | 1 | Looks for integer overflow attacks |
owasp-crs-v030001-id942230-sqli | 1 | Detects conditional SQL injection attempts |
owasp-crs-v030001-id942240-sqli | 1 | Detects MySQL charset switch and MSSQL DoS attempts |
owasp-crs-v030001-id942250-sqli | 1 | Detects MATCH AGAINST |
owasp-crs-v030001-id942270-sqli | 1 | Looks for basic SQL injection; common attack string for MySql |
owasp-crs-v030001-id942280-sqli | 1 | Detects Postgres pg_sleep injection |
owasp-crs-v030001-id942290-sqli | 1 | Finds basic MongoDB SQL injection attempts |
owasp-crs-v030001-id942320-sqli | 1 | Detects MySQL and PostgreSQL stored procedure/function injections |
owasp-crs-v030001-id942350-sqli | 1 | Detects MySQL UDF injection and other data/structure manipulation attempts |
owasp-crs-v030001-id942360-sqli | 1 | Detects concatenated basic SQL injection and SQLLFI attempts |
Not included | 1 | MySQL in-line comment detected |
owasp-crs-v030001-id942110-sqli | 2 | SQL injection attack: Common Injection Testing Detected |
owasp-crs-v030001-id942120-sqli | 2 | SQL injection attack: SQL Operator Detected |
Not included | 2 | SQL Injection Attack: SQL Tautology Detected |
owasp-crs-v030001-id942150-sqli | 2 | SQL injection attack |
owasp-crs-v030001-id942180-sqli | 2 | Detects basic SQL authentication bypass attempts 1/3 |
owasp-crs-v030001-id942200-sqli | 2 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
owasp-crs-v030001-id942210-sqli | 2 | Detects chained SQL injection attempts 1/2 |
owasp-crs-v030001-id942260-sqli | 2 | Detects basic SQL authentication bypass attempts 2/3 |
owasp-crs-v030001-id942300-sqli | 2 | Detects MySQL comments |
owasp-crs-v030001-id942310-sqli | 2 | Detects chained SQL injection attempts 2/2 |
owasp-crs-v030001-id942330-sqli | 2 | Detects classic SQL injection probings 1/2 |
owasp-crs-v030001-id942340-sqli | 2 | Detects basic SQL authentication bypass attempts 3/3 |
Not included | 2 | Detects basic SQL injection based on keyword alter or union |
Not included | 2 | Detects classic SQL injection probings 2/3 |
owasp-crs-v030001-id942380-sqli | 2 | SQL injection attack |
owasp-crs-v030001-id942390-sqli | 2 | SQL injection attack |
owasp-crs-v030001-id942400-sqli | 2 | SQL injection attack |
owasp-crs-v030001-id942410-sqli | 2 | SQL injection attack |
Not included | 2 | SQL injection attack |
Not included | 2 | SQL injection attack |
owasp-crs-v030001-id942430-sqli | 2 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
owasp-crs-v030001-id942440-sqli | 2 | SQL Comment Sequence Detected |
owasp-crs-v030001-id942450-sqli | 2 | SQL Hex Encoding Identified |
Not included | 2 | SQLi bypass attempt by ticks or backticks detected |
owasp-crs-v030001-id942251-sqli | 3 | Detects HAVING injections |
Not included | 2 | Detects classic SQL injection probings 3/3 |
owasp-crs-v030001-id942420-sqli | 3 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
owasp-crs-v030001-id942431-sqli | 3 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
owasp-crs-v030001-id942460-sqli | 3 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
Not included | 3 | SQL Injection Attack Detected via libinjection |
Not included | 3 | SQLi bypass attempt by ticks detected |
owasp-crs-v030001-id942421-sqli | 4 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
owasp-crs-v030001-id942432-sqli | 4 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
CRS 3.3
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 2}) |
3 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 3}) |
4 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 4}) |
CRS 3.0
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 2}) |
3 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 3}) |
4 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 4}) |
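The sensitivity setting described above, worked through as an added example (not Google's code): it parses the signature ID format used in the tables, lists the signatures a sensitivity level evaluates (every signature at or below that level), and builds the expression. The opt_out_rule_ids field comes from Cloud Armor's rule tuning options rather than from this page; the helper names and the embedded table subset are assumptions made for the example.

```python
import re

# Constructed subset of the SQLi CRS 3.3 table on this page:
# signature ID -> sensitivity level.
SQLI_V33_LEVELS = {
    "owasp-crs-v030301-id942100-sqli": 1,
    "owasp-crs-v030301-id942140-sqli": 1,
    "owasp-crs-v030301-id942110-sqli": 2,
    "owasp-crs-v030301-id942430-sqli": 2,
    "owasp-crs-v030301-id942251-sqli": 3,
    "owasp-crs-v030301-id942420-sqli": 3,
    "owasp-crs-v030301-id942421-sqli": 4,
    "owasp-crs-v030301-id942432-sqli": 4,
}

# owasp-crs-<version tag>-id<CRS rule number>-<category>
SIG_RE = re.compile(r"^owasp-crs-(v\d{6})-id(\d{6})-([a-z]+)$")

# Version tag inside a signature ID -> rule set name suffix, as paired
# in this page's CRS 3.3 and CRS 3.0 tables.
RULESET_SUFFIX = {"v030301": "-v33", "v030001": ""}


def parse_signature_id(sig_id):
    """Split a signature ID into its parts and name the stable rule set it belongs to."""
    match = SIG_RE.match(sig_id)
    if not match:
        raise ValueError(f"not a preconfigured WAF signature ID: {sig_id!r}")
    tag, rule_number, category = match.groups()
    if tag not in RULESET_SUFFIX:
        raise ValueError(f"unknown CRS version tag: {tag}")
    return {
        "crs_tag": tag,
        "crs_rule_id": int(rule_number),
        "category": category,
        "rule_set": f"{category}{RULESET_SUFFIX[tag]}-stable",
    }


def active_signatures(levels, sensitivity):
    """Signatures evaluated at a sensitivity: those whose level is <= it."""
    return sorted(s for s, level in levels.items() if level <= sensitivity)


def build_expression(rule_set, levels, sensitivity, opt_out=()):
    """Build an evaluatePreconfiguredWaf() expression, validating opt-outs.

    An opt-out is rejected when the signature belongs to another rule set,
    is not in the table, or sits above the chosen sensitivity (it would not
    be evaluated anyway, so the opt-out would hide a configuration mistake).
    """
    if sensitivity not in (1, 2, 3, 4):
        raise ValueError("sensitivity must be 1, 2, 3 or 4")
    for sig_id in opt_out:
        if parse_signature_id(sig_id)["rule_set"] != rule_set:
            raise ValueError(f"{sig_id} is not part of {rule_set}")
        if sig_id not in levels:
            raise ValueError(f"{sig_id} is not in the signature table")
        if levels[sig_id] > sensitivity:
            raise ValueError(
                f"{sig_id} is level {levels[sig_id]}; "
                f"not evaluated at sensitivity {sensitivity}"
            )
    args = f"'sensitivity': {sensitivity}"
    if opt_out:
        ids = ", ".join(f"'{sig_id}'" for sig_id in opt_out)
        args += f", 'opt_out_rule_ids': [{ids}]"
    return f"evaluatePreconfiguredWaf('{rule_set}', {{{args}}})"


if __name__ == "__main__":
    # Sensitivity 2, with one noisy level-2 signature opted out.
    print(active_signatures(SQLI_V33_LEVELS, 2))
    print(build_expression("sqli-v33-stable", SQLI_V33_LEVELS, 2,
                           ["owasp-crs-v030301-id942430-sqli"]))
```
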
Cross-site scripting (XSS)
The following table provides the signature ID, sensitivity level, and description of each supported signature in the XSS preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030301-id941100-xss | 1 | XSS Attack Detected via libinjection |
owasp-crs-v030301-id941110-xss | 1 | XSS Filter - Category 1: Script Tag Vector |
owasp-crs-v030301-id941120-xss | 1 | XSS Filter - Category 2: Event Handler Vector |
owasp-crs-v030301-id941130-xss | 1 | XSS Filter - Category 3: Attribute Vector |
owasp-crs-v030301-id941140-xss | 1 | XSS Filter - Category 4: JavaScript URI Vector |
owasp-crs-v030301-id941160-xss | 1 | NoScript XSS InjectionChecker: HTML Injection |
owasp-crs-v030301-id941170-xss | 1 | NoScript XSS InjectionChecker: Attribute Injection |
owasp-crs-v030301-id941180-xss | 1 | Node-Validator Blacklist Keywords |
owasp-crs-v030301-id941190-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941200-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941210-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941220-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941230-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941240-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941250-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941260-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941270-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941280-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941290-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941300-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941310-xss | 1 | US-ASCII Malformed Encoding XSS Filter - Attack Detected |
owasp-crs-v030301-id941350-xss | 1 | UTF-7 Encoding IE XSS - Attack Detected |
owasp-crs-v030301-id941360-xss | 1 | Hieroglyphy obfuscation detected |
owasp-crs-v030301-id941370-xss | 1 | JavaScript global variable found |
owasp-crs-v030301-id941101-xss | 2 | XSS Attack Detected via libinjection |
owasp-crs-v030301-id941150-xss | 2 | XSS Filter - Category 5: Disallowed HTML Attributes |
owasp-crs-v030301-id941320-xss | 2 | Possible XSS Attack Detected - HTML Tag Handler |
owasp-crs-v030301-id941330-xss | 2 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941340-xss | 2 | IE XSS Filters - Attack Detected |
owasp-crs-v030301-id941380-xss | 2 | AngularJS client side template injection detected |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
Not included | 1 | XSS Attack Detected via libinjection |
owasp-crs-v030001-id941110-xss | 1 | XSS Filter - Category 1: Script Tag Vector |
owasp-crs-v030001-id941120-xss | 1 | XSS Filter - Category 2: Event Handler Vector |
owasp-crs-v030001-id941130-xss | 1 | XSS Filter - Category 3: Attribute Vector |
owasp-crs-v030001-id941140-xss | 1 | XSS Filter - Category 4: JavaScript URI Vector |
owasp-crs-v030001-id941160-xss | 1 | NoScript XSS InjectionChecker: HTML Injection |
owasp-crs-v030001-id941170-xss | 1 | NoScript XSS InjectionChecker: Attribute Injection |
owasp-crs-v030001-id941180-xss | 1 | Node-Validator Blacklist Keywords |
owasp-crs-v030001-id941190-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941200-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941210-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941220-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941230-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941240-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941250-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941260-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941270-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941280-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941290-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941300-xss | 1 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941310-xss | 1 | US-ASCII Malformed Encoding XSS Filter - Attack Detected |
owasp-crs-v030001-id941350-xss | 1 | UTF-7 Encoding IE XSS - Attack Detected |
Not included | 1 | JSFuck / Hieroglyphy obfuscation detected |
Not included | 1 | JavaScript global variable found |
Not included | 2 | XSS Attack Detected via libinjection |
owasp-crs-v030001-id941150-xss | 2 | XSS Filter - Category 5: Disallowed HTML Attributes |
owasp-crs-v030001-id941320-xss | 2 | Possible XSS Attack Detected - HTML Tag Handler |
owasp-crs-v030001-id941330-xss | 2 | IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941340-xss | 2 | IE XSS Filters - Attack Detected |
Not included | 2 | AngularJS client side template injection detected |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
CRS 3.3
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 2}) |
CRS 3.0
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('xss-stable', {'sensitivity': 1}) |
Local file inclusion (LFI)
The following table provides the signature ID, sensitivity level, and description of each supported signature in the LFI preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030301-id930100-lfi | 1 | Path Traversal Attack (/../) |
owasp-crs-v030301-id930110-lfi | 1 | Path Traversal Attack (/../) |
owasp-crs-v030301-id930120-lfi | 1 | OS File Access Attempt |
owasp-crs-v030301-id930130-lfi | 1 | Restricted File Access Attempt |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030001-id930100-lfi | 1 | Path Traversal Attack (/../) |
owasp-crs-v030001-id930110-lfi | 1 | Path Traversal Attack (/../) |
owasp-crs-v030001-id930120-lfi | 1 | OS File Access Attempt |
owasp-crs-v030001-id930130-lfi | 1 | Restricted File Access Attempt |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for LFI are at sensitivity level 1. The following configuration works for all sensitivity levels:
CRS 3.3
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('lfi-v33-stable', {'sensitivity': 1}) |
CRS 3.0
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('lfi-stable', {'sensitivity': 1}) |
Remote code execution (RCE)
The following table provides the signature ID, sensitivity level, and description of each supported signature in the RCE preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030301-id932100-rce | 1 | UNIX Command Injection |
owasp-crs-v030301-id932105-rce | 1 | UNIX Command Injection |
owasp-crs-v030301-id932110-rce | 1 | Windows Command Injection |
owasp-crs-v030301-id932115-rce | 1 | Windows Command Injection |
owasp-crs-v030301-id932120-rce | 1 | Windows PowerShell Command Found |
owasp-crs-v030301-id932130-rce | 1 | Unix Shell Expression Found |
owasp-crs-v030301-id932140-rce | 1 | Windows FOR/IF Command Found |
owasp-crs-v030301-id932150-rce | 1 | Direct UNIX Command Execution |
owasp-crs-v030301-id932160-rce | 1 | UNIX Shell Code Found |
owasp-crs-v030301-id932170-rce | 1 | Shellshock (CVE-2014-6271) |
owasp-crs-v030301-id932171-rce | 1 | Shellshock (CVE-2014-6271) |
owasp-crs-v030301-id932180-rce | 1 | Restricted File Upload Attempt |
owasp-crs-v030301-id932200-rce | 2 | RCE Bypass Technique |
owasp-crs-v030301-id932106-rce | 3 | Remote Command Execution: Unix Command Injection |
owasp-crs-v030301-id932190-rce | 3 | Remote Command Execution: Wildcard bypass technique attempt |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030001-id932100-rce | 1 | UNIX Command Injection |
owasp-crs-v030001-id932105-rce | 1 | UNIX Command Injection |
owasp-crs-v030001-id932110-rce | 1 | Windows Command Injection |
owasp-crs-v030001-id932115-rce | 1 | Windows Command Injection |
owasp-crs-v030001-id932120-rce | 1 | Windows PowerShell Command Found |
owasp-crs-v030001-id932130-rce | 1 | Unix Shell Expression Found |
owasp-crs-v030001-id932140-rce | 1 | Windows FOR/IF Command Found |
owasp-crs-v030001-id932150-rce | 1 | Direct UNIX Command Execution |
owasp-crs-v030001-id932160-rce | 1 | UNIX Shell Code Found |
owasp-crs-v030001-id932170-rce | 1 | Shellshock (CVE-2014-6271) |
owasp-crs-v030001-id932171-rce | 1 | Shellshock (CVE-2014-6271) |
Not included | 1 | Restricted File Upload Attempt |
Not included | 2 | RCE Bypass Technique |
Not included | 3 | Remote Command Execution: Unix Command Injection |
Not included | 3 | Remote Command Execution: Wildcard bypass technique attempt |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for RCE are at sensitivity level 1. The following configuration works for all sensitivity levels:
CRS 3.3
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 2}) |
3 | evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 3}) |
CRS 3.0
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 2}) |
3 | evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 3}) |
Remote file inclusion (RFI)
The following table provides the signature ID, sensitivity level, and description of each supported signature in the RFI preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030301-id931100-rfi | 1 | URL Parameter using IP Address |
owasp-crs-v030301-id931110-rfi | 1 | Common RFI Vulnerable Parameter Name used w/URL Payload |
owasp-crs-v030301-id931120-rfi | 1 | URL Payload Used w/Trailing Question Mark Character (?) |
owasp-crs-v030301-id931130-rfi | 2 | Off-Domain Reference/Link |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030001-id931100-rfi | 1 | URL Parameter using IP Address |
owasp-crs-v030001-id931110-rfi | 1 | Common RFI Vulnerable Parameter Name used w/URL Payload |
owasp-crs-v030001-id931120-rfi | 1 | URL Payload Used w/Trailing Question Mark Character (?) |
owasp-crs-v030001-id931130-rfi | 2 | Off-Domain Reference/Link |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
CRS 3.3
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 2}) |
CRS 3.0
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('rfi-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('rfi-stable', {'sensitivity': 2}) |
Method enforcement
The following table provides the signature ID, sensitivity level, and description of each supported signature in the method enforcement preconfigured rule.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030301-id911100-methodenforcement | 1 | Method is not allowed by policy |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030001-id911100-methodenforcement | 1 | Method is not allowed by policy |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
CRS 3.3
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) |
CRS 3.0
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('methodenforcement-stable', {'sensitivity': 1}) |
Scanner detection
The following table provides the signature ID, sensitivity level, and description of each supported signature in the scanner detection preconfigured rule.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030301-id913100-scannerdetection | 1 | Found User-Agent associated with security scanner |
owasp-crs-v030301-id913110-scannerdetection | 1 | Found request header associated with security scanner |
owasp-crs-v030301-id913120-scannerdetection | 1 | Found request filename/argument associated with security scanner |
owasp-crs-v030301-id913101-scannerdetection | 2 | Found User-Agent associated with scripting/generic HTTP client |
owasp-crs-v030301-id913102-scannerdetection | 2 | Found User-Agent associated with web crawler/bot |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030001-id913100-scannerdetection | 1 | Found User-Agent associated with security scanner |
owasp-crs-v030001-id913110-scannerdetection | 1 | Found request header associated with security scanner |
owasp-crs-v030001-id913120-scannerdetection | 1 | Found request filename/argument associated with security scanner |
owasp-crs-v030001-id913101-scannerdetection | 2 | Found User-Agent associated with scripting/generic HTTP client |
owasp-crs-v030001-id913102-scannerdetection | 2 | Found User-Agent associated with web crawler/bot |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
CRS 3.3
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 2}) |
CRS 3.0
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('scannerdetection-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('scannerdetection-stable', {'sensitivity': 2}) |
Protocol attack
The following table provides the signature ID, sensitivity level, and description of each supported signature in the protocol attack preconfigured rule.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
Not included | 1 | HTTP Request Smuggling Attack |
owasp-crs-v030301-id921110-protocolattack | 1 | HTTP Request Smuggling Attack |
owasp-crs-v030301-id921120-protocolattack | 1 | HTTP Response Splitting Attack |
owasp-crs-v030301-id921130-protocolattack | 1 | HTTP Response Splitting Attack |
owasp-crs-v030301-id921140-protocolattack | 1 | HTTP Header Injection Attack via headers |
owasp-crs-v030301-id921150-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF detected) |
owasp-crs-v030301-id921160-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
owasp-crs-v030301-id921190-protocolattack | 1 | HTTP Splitting (CR/LF in request filename detected) |
owasp-crs-v030301-id921200-protocolattack | 1 | LDAP Injection Attack |
owasp-crs-v030301-id921151-protocolattack | 2 | HTTP Header Injection Attack via payload (CR/LF detected) |
owasp-crs-v030301-id921170-protocolattack | 3 | HTTP Parameter Pollution |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030001-id921100-protocolattack | 1 | HTTP Request Smuggling Attack |
owasp-crs-v030001-id921110-protocolattack | 1 | HTTP Request Smuggling Attack |
owasp-crs-v030001-id921120-protocolattack | 1 | HTTP Response Splitting Attack |
owasp-crs-v030001-id921130-protocolattack | 1 | HTTP Response Splitting Attack |
owasp-crs-v030001-id921140-protocolattack | 1 | HTTP Header Injection Attack via headers |
owasp-crs-v030001-id921150-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF detected) |
owasp-crs-v030001-id921160-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
Not included | 1 | HTTP Splitting (CR/LF in request filename detected) |
Not included | 1 | LDAP Injection Attack |
owasp-crs-v030001-id921151-protocolattack | 2 | HTTP Header Injection Attack via payload (CR/LF detected) |
owasp-crs-v030001-id921170-protocolattack | 3 | HTTP Parameter Pollution |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
CRS 3.3
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 2}) |
3 | evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 3}) |
CRS 3.0
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 2}) |
3 | evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 3}) |
PHP
The following table provides the signature ID, sensitivity level, and description of each supported signature in the PHP preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030301-id933100-php | 1 | PHP Injection Attack: PHP Open Tag Found |
owasp-crs-v030301-id933110-php | 1 | PHP Injection Attack: PHP Script File Upload Found |
owasp-crs-v030301-id933120-php | 1 | PHP Injection Attack: Configuration Directive Found |
owasp-crs-v030301-id933130-php | 1 | PHP Injection Attack: Variables Found |
owasp-crs-v030301-id933140-php | 1 | PHP Injection Attack: I/O Stream Found |
owasp-crs-v030301-id933200-php | 1 | PHP Injection Attack: Wrapper scheme detected |
owasp-crs-v030301-id933150-php | 1 | PHP Injection Attack: High-Risk PHP Function Name Found |
owasp-crs-v030301-id933160-php | 1 | PHP Injection Attack: High-Risk PHP Function Call Found |
owasp-crs-v030301-id933170-php | 1 | PHP Injection Attack: Serialized Object Injection |
owasp-crs-v030301-id933180-php | 1 | PHP Injection Attack: Variable Function Call Found |
owasp-crs-v030301-id933210-php | 1 | PHP Injection Attack: Variable Function Call Found |
owasp-crs-v030301-id933151-php | 2 | PHP Injection Attack: Medium-Risk PHP Function Name Found |
owasp-crs-v030301-id933131-php | 3 | PHP Injection Attack: Variables Found |
owasp-crs-v030301-id933161-php | 3 | PHP Injection Attack: Low-Value PHP Function Call Found |
owasp-crs-v030301-id933111-php | 3 | PHP Injection Attack: PHP Script File Upload Found |
owasp-crs-v030301-id933190-php | 3 | PHP Injection Attack: PHP Closing Tag Found |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030001-id933100-php | 1 | PHP Injection Attack: PHP Open Tag Found |
owasp-crs-v030001-id933110-php | 1 | PHP Injection Attack: PHP Script File Upload Found |
owasp-crs-v030001-id933120-php | 1 | PHP Injection Attack: Configuration Directive Found |
owasp-crs-v030001-id933130-php | 1 | PHP Injection Attack: Variables Found |
owasp-crs-v030001-id933140-php | 1 | PHP Injection Attack: I/O Stream Found |
Not included | 1 | PHP Injection Attack: Wrapper scheme detected |
owasp-crs-v030001-id933150-php | 1 | PHP Injection Attack: High-Risk PHP Function Name Found |
owasp-crs-v030001-id933160-php | 1 | PHP Injection Attack: High-Risk PHP Function Call Found |
owasp-crs-v030001-id933170-php | 1 | PHP Injection Attack: Serialized Object Injection |
owasp-crs-v030001-id933180-php | 1 | PHP Injection Attack: Variable Function Call Found |
Not included | 1 | PHP Injection Attack: Variable Function Call Found |
owasp-crs-v030001-id933151-php | 2 | PHP Injection Attack: Medium-Risk PHP Function Name Found |
owasp-crs-v030001-id933131-php | 3 | PHP Injection Attack: Variables Found |
owasp-crs-v030001-id933161-php | 3 | PHP Injection Attack: Low-Value PHP Function Call Found |
owasp-crs-v030001-id933111-php | 3 | PHP Injection Attack: PHP Script File Upload Found |
Not included | 3 | PHP Injection Attack: PHP Closing Tag Found |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
CRS 3.3
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 2}) |
3 | evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 3}) |
CRS 3.0
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('php-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('php-stable', {'sensitivity': 2}) |
3 | evaluatePreconfiguredWaf('php-stable', {'sensitivity': 3}) |
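The sensitivity parameter selects every signature whose own level is at or below the configured value. The following added example (not part of the original page or Google's code) applies that to the PHP CRS 3.3 signature table above and shows which previously logged matches would stop matching if the sensitivity were lowered. The log records are constructed, and their simplified layout, including the requestUrl and preconfiguredExprIds field names, is an assumption.

```python
# Added example: sensitivity levels copied from the PHP CRS 3.3 table on this page.
PHP_V33_BY_LEVEL = {
    1: [933100, 933110, 933120, 933130, 933140, 933200,
        933150, 933160, 933170, 933180, 933210],
    2: [933151],
    3: [933131, 933161, 933111, 933190],
}
SIGNATURES = {f"owasp-crs-v030301-id{n}-php": lvl
              for lvl, nums in PHP_V33_BY_LEVEL.items() for n in nums}

def expression(ruleset, sensitivity):
    """Build the rule expression in the form shown in the tables."""
    return f"evaluatePreconfiguredWaf('{ruleset}', {{'sensitivity': {sensitivity}}})"

def evaluated(sensitivity):
    """Signatures evaluated at a level: those whose own level is <= it."""
    return sorted(s for s, lvl in SIGNATURES.items() if lvl <= sensitivity)

def tuning_report(entries, new_sensitivity):
    """Classify logged matches by whether they still match at new_sensitivity."""
    report = {"still_matched": [], "no_longer_matched": [], "unknown_signature": []}
    for entry in entries:
        ids = entry["preconfiguredExprIds"]
        if any(i not in SIGNATURES for i in ids):
            bucket = "unknown_signature"  # not a PHP CRS 3.3 ID: review by hand
        elif any(SIGNATURES[i] <= new_sensitivity for i in ids):
            bucket = "still_matched"
        else:
            bucket = "no_longer_matched"
        report[bucket].append(entry["requestUrl"])
    return report

# Constructed, simplified log records (hypothetical URLs and field layout).
SAMPLE_LOG = [
    {"requestUrl": "https://app.example.com/upload",
     "preconfiguredExprIds": ["owasp-crs-v030301-id933110-php"]},
    {"requestUrl": "https://app.example.com/search",
     "preconfiguredExprIds": ["owasp-crs-v030301-id933161-php"]},
    {"requestUrl": "https://app.example.com/api",
     "preconfiguredExprIds": ["owasp-crs-v030301-id933151-php",
                              "owasp-crs-v030301-id933190-php"]},
    {"requestUrl": "https://app.example.com/login",
     "preconfiguredExprIds": ["owasp-crs-v030301-id942100-sqli"]},
]

if __name__ == "__main__":
    print(expression("php-v33-stable", 2), tuning_report(SAMPLE_LOG, 2))
```

Run the report against matches collected in preview mode before lowering sensitivity, so that any request falling into no_longer_matched is reviewed as either a false positive being removed or a detection being lost.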
Session fixation
The following table provides the signature ID, sensitivity level, and description of each supported signature in the session fixation preconfigured rule.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030301-id943100-sessionfixation | 1 | Possible Session Fixation Attack: Setting Cookie Values in HTML |
owasp-crs-v030301-id943110-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
owasp-crs-v030301-id943120-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030001-id943100-sessionfixation | 1 | Possible Session Fixation Attack: Setting Cookie Values in HTML |
owasp-crs-v030001-id943110-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
owasp-crs-v030001-id943120-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for session fixation are at sensitivity level 1. The following configuration works for all sensitivity levels:
CRS 3.3
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('sessionfixation-v33-stable', {'sensitivity': 1}) |
CRS 3.0
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('sessionfixation-stable', {'sensitivity': 1}) |
Java attack
The following table provides the signature ID, sensitivity level, and description of each supported signature in the Java attack preconfigured rule.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030301-id944100-java | 1 | Remote Command Execution: Suspicious Java class detected |
owasp-crs-v030301-id944110-java | 1 | Remote Command Execution: Java process spawn (CVE-2017-9805) |
owasp-crs-v030301-id944120-java | 1 | Remote Command Execution: Java serialization (CVE-2015-4852) |
owasp-crs-v030301-id944130-java | 1 | Suspicious Java class detected |
owasp-crs-v030301-id944200-java | 2 | Magic bytes detected, probable Java serialization in use |
owasp-crs-v030301-id944210-java | 2 | Magic bytes detected Base64 encoded, probable Java serialization in use |
owasp-crs-v030301-id944240-java | 2 | Remote Command Execution: Java serialization (CVE-2015-4852) |
owasp-crs-v030301-id944250-java | 2 | Remote Command Execution: Suspicious Java method detected |
owasp-crs-v030301-id944300-java | 3 | Base64 encoded string matched suspicious keyword |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
Not included | 1 | Remote Command Execution: Suspicious Java class detected |
Not included | 1 | Remote Command Execution: Java process spawn (CVE-2017-9805) |
Not included | 1 | Remote Command Execution: Java serialization (CVE-2015-4852) |
Not included | 1 | Suspicious Java class detected |
Not included | 2 | Magic bytes detected, probable Java serialization in use |
Not included | 2 | Magic bytes detected Base64 encoded, probable Java serialization in use |
Not included | 2 | Remote Command Execution: Java serialization (CVE-2015-4852) |
Not included | 2 | Remote Command Execution: Suspicious Java method detected |
Not included | 3 | Base64 encoded string matched suspicious keyword |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 2}) |
3 | evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 3}) |
NodeJS attack
The following table provides the signature ID, sensitivity level, and description of each supported signature in the NodeJS attack preconfigured rule.
The following preconfigured WAF rule signatures are only included in CRS 3.3.
CRS 3.3
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030301-id934100-nodejs | 1 | Node.js Injection Attack |
CRS 3.0
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
Not included | 1 | Node.js Injection Attack |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for NodeJS attack are at sensitivity level 1. The following configuration works for other sensitivity levels:
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('nodejs-v33-stable', {'sensitivity': 1}) |
CVEs and other vulnerabilities
The following table provides the signature ID, sensitivity level, and description of each supported signature in the CVE Log4j RCE vulnerability preconfigured rule.
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-v030001-id044228-cve | 1 | Base rule to help detect exploit attempts of CVE-2021-44228 & CVE-2021-45046 |
owasp-crs-v030001-id144228-cve | 1 | Google-provided enhancements to cover more bypass and obfuscation attempts |
owasp-crs-v030001-id244228-cve | 3 | Increased sensitivity of detection to target even more bypass and obfuscation attempts, with nominal increase in risk of false positive detection |
owasp-crs-v030001-id344228-cve | 3 | Increased sensitivity of detection to target even more bypass and obfuscation attempts using base64 encoding, with nominal increase in risk of false positive detection |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
Sensitivity level | Expression |
---|---|
1 | evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 1}) |
2 | evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 2}) |
3 | evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 3}) |
JSON-formatted content SQLi vulnerability
The following table provides the signature ID, sensitivity level, and description of the supported signature 942550-sqli, which covers the vulnerability in which malicious attackers can bypass WAF by appending JSON syntax to SQL injection payloads.
Signature ID (Rule ID) | Sensitivity level | Description |
---|---|---|
owasp-crs-id942550-sqli | 2 | Detects all JSON-based SQLi vectors, including SQLi signatures found in the URL |
Use the following expression to deploy the signature:
evaluatePreconfiguredWaf('json-sqli-canary', {'sensitivity':0, 'opt_in_rule_ids': ['owasp-crs-id942550-sqli']})
We recommend that you also enable sqli-v33-stable at sensitivity level 2 to fully address JSON-based SQL injection bypasses.
Limitations
Cloud Armor preconfigured WAF rules have the following limitations:
- WAF rule changes typically take several minutes to propagate.
- Among the HTTP request types with a request body, Cloud Armor processes only POST requests. Cloud Armor evaluates preconfigured rules against the first 8 KB of POST body content. For more information, see POST body inspection limitation.
- Cloud Armor can parse and apply preconfigured WAF rules to JSON-formatted content (including properly formatted GraphQL over HTTP requests) when JSON parsing is enabled with a matching Content-Type header value. For more information, see JSON parsing.
- When you have a request field exclusion attached to a preconfigured WAF rule, you can't use the allow action. Requests matching the exception are automatically allowed.