1[
2  {
3    "enabled":1,
4    "version_min":300000,
5    "title":"Testing Variables :: OWASP CRS id:920120",
6    "client":{
7      "ip":"200.249.12.31",
8      "port":123
9    },
10    "server":{
11      "ip":"200.249.12.31",
12      "port":80
13    },
14    "request":{
15      "headers":{
16        "Host":"localhost",
17        "User-Agent":"curl/7.38.0",
18        "Accept-Language":"en-us,en;q=0.5",
19        "Accept":"*/*",
20        "Content-Length":"411",
21        "Content-Type":"multipart/form-data; boundary=---------------------------265001916915724",
22        "Proxy-Connection":"keep-alive",
23        "Keep-Alive":"300"
24      },
25      "uri":"/",
26      "method":"POST",
27      "body": [
28        "-----------------------------265001916915724\r",
29        "Content-Disposition: form-data; name=\"fi;le\"; filename=\"test\"\r",
30        "Content-Type: application/octet-stream\r",
31        "\r",
32        "Rotem & Ayala\r",
33        "\r",
34        "-----------------------------265001916915724\r",
35        "Content-Disposition: form-data; name=\"name\"\r",
36        "\r",
37        "tt2\r",
38        "-----------------------------265001916915724\r",
39        "Content-Disposition: form-data; name=\"B1\"\r",
40        "\r",
41        "Submit\r",
42        "-----------------------------265001916915724--\r"
43      ]
44    },
45    "response":{
46      "headers":{
47        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
48        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
49        "Content-Type":"text/html"
50      },
51      "body":[
52        "no need."
53      ]
54    },
55    "expected":{
56      "http_code":400
57    },
58    "rules":[
59      "SecRuleEngine On",
60      "SecDefaultAction \"phase:2,deny,block,status:400,log\"",
61      "SecRule FILES_NAMES|FILES \"@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:[eEiIoOuUyY]acute)|&(?:[aAeEiIoOuU]grave)|&(?:[cC]cedil)|&(?:[aAnNoO]tilde)|&(?:amp)|&(?:apos));|['\\\"=]\" \"id:920120,phase:2,block,t:none,t:urlDecodeUni,msg:'Attempted multipart/form-data bypass',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',tag:'CAPEC-272',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',setvar:'tx.msg=%{rule.msg}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\""
62    ]
63  }
64]
65
66