[
  {
    "enabled":1,
    "version_min":300000,
    "title":"Testing Variables :: OWASP CRS id:920120",
    "client":{
      "ip":"200.249.12.31",
      "port":123
    },
    "server":{
      "ip":"200.249.12.31",
      "port":80
    },
    "request":{
      "headers":{
        "Host":"localhost",
        "User-Agent":"curl/7.38.0",
        "Accept-Language":"en-us,en;q=0.5",
        "Accept":"*/*",
        "Content-Length":"411",
        "Content-Type":"multipart/form-data; boundary=---------------------------265001916915724",
        "Proxy-Connection":"keep-alive",
        "Keep-Alive":"300"
      },
      "uri":"/",
      "method":"POST",
      "body": [
        "-----------------------------265001916915724\r",
        "Content-Disposition: form-data; name=\"fi;le\"; filename=\"test\"\r",
        "Content-Type: application/octet-stream\r",
        "\r",
        "Rotem & Ayala\r",
        "\r",
        "-----------------------------265001916915724\r",
        "Content-Disposition: form-data; name=\"name\"\r",
        "\r",
        "tt2\r",
        "-----------------------------265001916915724\r",
        "Content-Disposition: form-data; name=\"B1\"\r",
        "\r",
        "Submit\r",
        "-----------------------------265001916915724--\r"
      ]
    },
    "response":{
      "headers":{
        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
        "Content-Type":"text/html"
      },
      "body":[
        "no need."
      ]
    },
    "expected":{
      "http_code":400
    },
    "rules":[
      "SecRuleEngine On",
      "SecDefaultAction \"phase:2,deny,block,status:400,log\"",
      "SecRule FILES_NAMES|FILES \"@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:[eEiIoOuUyY]acute)|&(?:[aAeEiIoOuU]grave)|&(?:[cC]cedil)|&(?:[aAnNoO]tilde)|&(?:amp)|&(?:apos));|['\\\"=]\" \"id:920120,phase:2,block,t:none,t:urlDecodeUni,msg:'Attempted multipart/form-data bypass',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',tag:'CAPEC-272',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',setvar:'tx.msg=%{rule.msg}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\""
    ]
  }
]