
Changeset 499330


Timestamp:
02/02/2012 08:02:07 PM (14 years ago)
Author:
evilsocket
Message:

Releasing 2.0.1

Location:
wp-sentinel/trunk
Files:
12 edited

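--- a/wp-sentinel/trunk/admin/admin.php
+++ b/wp-sentinel/trunk/admin/admin.php
@@ -3,5 +3,5 @@
  *   @brief WP-Sentinel - Wordpress Security System .                      *
  *   @author Simone Margaritelli (aka evilsocket) <evilsocket@gmail.com>   *
- *                                                                         *
+ *                                                                             *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -20,5 +20,6 @@
  *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
  ***************************************************************************/
-if( preg_match( "/admin\.php/", $_SERVER['PHP_SELF'] ) ){ die (); }
+
+if( !defined('WPS_INCLUDE') ){ die (); }
 
 define( "BLOG_URL",         get_bloginfo('wpurl') );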
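--- a/wp-sentinel/trunk/admin/views/banned.view.php
+++ b/wp-sentinel/trunk/admin/views/banned.view.php
@@ -15,9 +15,9 @@
         <table width="100%" cellpadding="0" cellspacing="1" style="background-color: white; border: 1px dotted gray; padding: 0;">
             <tr>
-                <th style="font-weight: bold; background-color: #CCC; padding:3px;" align='center'>Started On</th>
-                <th style="font-weight: bold; background-color: #CCC; padding:3px;" align='center'>Duration</th>
-                <th style="font-weight: bold; background-color: #CCC; padding:3px;" align='center'>Time Left</th>
-                <th style="font-weight: bold; background-color: #CCC; padding:3px;" align='center'>Address</th>
-                <th style="font-weight: bold; background-color: #CCC; padding:3px;" align='center'>Remove</th>
+                <th style="font-weight: bold; background-color: #CCC; padding:3px;"><center>Started On</center></th>
+                <th style="font-weight: bold; background-color: #CCC; padding:3px; width:100px;"><center>Duration</center></th>
+                <th style="font-weight: bold; background-color: #CCC; padding:3px;"><center>Time Left</center></th>
+                <th style="font-weight: bold; background-color: #CCC; padding:3px;"><center>Address</center></th>
+                <th style="font-weight: bold; background-color: #CCC; padding:3px; width:25px;"><center>Remove</center></th>
             </tr>
             <?php foreach( $aBans as $i => $ban ): ?>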
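--- a/wp-sentinel/trunk/classes/ihook.class.php
+++ b/wp-sentinel/trunk/classes/ihook.class.php
@@ -20,4 +20,5 @@
  *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
  ***************************************************************************/
+if( !defined('WPS_INCLUDE') ){ die (); }
 
 interface IWPSHook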
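--- a/wp-sentinel/trunk/classes/report.class.php
+++ b/wp-sentinel/trunk/classes/report.class.php
@@ -21,4 +21,6 @@
  ***************************************************************************/
 
+if( !defined('WPS_INCLUDE') ){ die (); }
+
 class WPSReport
 {
@@ -60,6 +62,6 @@
             'login'   => isset( $oWpUser->user_level ) ? $oWpUser->user_login : '',
             'address' => WPSentinel::getAddress(),
-            'referer' => htmlentities($_SERVER['HTTP_REFERER']),
-            'agent'   => htmlentities($_SERVER['HTTP_USER_AGENT'])
+            'referer' => isset($_SERVER['HTTP_REFERER'])    ? htmlentities($_SERVER['HTTP_REFERER'])    : '',
+            'agent'   => isset($_SERVER['HTTP_USER_AGENT']) ? htmlentities($_SERVER['HTTP_USER_AGENT']) : ''
         );
 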
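Review bot: The new `isset()` fallbacks stop the notices, but `htmlentities()` is still called with its default flags, so on the PHP 5.x builds this 2012 release targets single quotes in the attacker-controlled Referer and User-Agent stay unencoded and the input is assumed to be ISO-8859-1; encode them as `htmlentities($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8')` (and the same for the user agent). Encoding at capture time also means every consumer of this array carries HTML entities — the email report in sentinel.class.php is presumably built from the same data — so storing the raw header here and escaping at render time per output context would be the cleaner split. The array literal and the method that builds it start and end outside this hunk.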
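--- a/wp-sentinel/trunk/classes/sentinel.class.php
+++ b/wp-sentinel/trunk/classes/sentinel.class.php
@@ -1,23 +1,25 @@
 <?php
-    /***************************************************************************
-     *   @brief WP-Sentinel - Wordpress Security System .                      *
-     *   @author Simone Margaritelli (aka evilsocket) <evilsocket@gmail.com>   *
-     *                                                                         *
-     *                                                                         *
-     *   This program is free software; you can redistribute it and/or modify  *
-     *   it under the terms of the GNU General Public License as published by  *
-     *   the Free Software Foundation; either version 2 of the License, or     *
-     *   (at your option) any later version.                                   *
-     *                                                                         *
-     *   This program is distributed in the hope that it will be useful,       *
-     *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
-     *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
-     *   GNU General Public License for more details.                          *
-     *                                                                         *
-     *   You should have received a copy of the GNU General Public License     *
-     *   along with this program; if not, write to the                         *
-     *   Free Software Foundation, Inc.,                                       *
-     *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
-     ***************************************************************************/
+/***************************************************************************
+ *   @brief WP-Sentinel - Wordpress Security System .                      *
+ *   @author Simone Margaritelli (aka evilsocket) <evilsocket@gmail.com>   *
+ *                                                                             *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                                   *
+ *                                                                         *
+ *   This program is distributed in the hope that it will be useful,       *
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
+ *   GNU General Public License for more details.                          *
+ *                                                                         *
+ *   You should have received a copy of the GNU General Public License     *
+ *   along with this program; if not, write to the                         *
+ *   Free Software Foundation, Inc.,                                       *
+ *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
+ ***************************************************************************/
+
+if( !defined('WPS_INCLUDE') ){ die (); }
 
 define( 'HAVE_GPC', ( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() ) );
@@ -29,5 +31,5 @@
 class WPSentinel
 {
-    const VERSION       = '2.0';
+    const VERSION       = '2.0.1';
     const VERSION_FIELD = 'wp_sentinel_version';
 
@@ -189,4 +191,9 @@
         return self::$oInstance;
     }
+   
+    public static function isBlogAdmin()
+    {
+      return isset( self::getInstance()->aEnvironment['USER']->caps['administrator'] ) && self::getInstance()->aEnvironment['USER']->caps['administrator'] == 1;
+    }
 
     public static function addAlarm( $sScope, $sVariableName, $sVariableData, $sAlarmDescription, $sRule )
@@ -278,6 +285,6 @@
     {
         /* disable caching for this page */
-        define( 'DONOTCACHEPAGE', TRUE );
-        define( 'WP_CACHE',       FALSE );
+        @define( 'DONOTCACHEPAGE', TRUE );
+        @define( 'WP_CACHE',      FALSE );
 
         header('HTTP/1.1 403 Forbidden');
@@ -389,102 +396,102 @@
 
             closedir($hDir);
-        }
+        }       
     }
 
     public function run()
     {
-        if( $this->isEnabled() == FALSE )
-            return;
-
-        $sAddress = self::getAddress();
-
+      if( $this->isEnabled() == FALSE )
+        return;
+
+      $sAddress = self::getAddress();
+     
+      /*
+       * First of all, check if the address is banned.
+       */
+      if( $this->isBanned( $sAddress ) && !self::isBlogAdmin() )
+          $this->render( WPSReport::FORMAT_BANNED );
+
+      /*
+       * Run pre hooks.
+       */
+      $aPreHooksResults = $this->runHooks( IWPSHook::PRE_HOOK );
+
+      // Do we have a ban action ?
+      if( in_array( IWPSHook::ACTION_BAN, $aPreHooksResults ) && !self::isBlogAdmin() )
+      {
+        $this->addBan($sAddress);
+        $this->render( WPSReport::FORMAT_BANNED );
+      }
+      // If none of the pre hooks specified to skip the rules checks ...
+      else if( in_array( IWPSHook::ACTION_SKIP, $aPreHooksResults ) == FALSE )
+      {
         /*
-         * First of all, check if the address is banned.
-         */
-        if( $this->isBanned( $sAddress ) )
-            $this->render( WPSReport::FORMAT_BANNED );
-
-        /*
-         * Run pre hooks.
+         * Perform basic rules check for normal users (both logged and not logged).
          */
-        $aPreHooksResults = $this->runHooks( IWPSHook::PRE_HOOK );
-
-        // Do we have a ban action ?
-        if( in_array( IWPSHook::ACTION_BAN, $aPreHooksResults ) )
-        {
-            $this->addBan($sAddress);
-            $this->render( WPSReport::FORMAT_BANNED );
-        }
-        // If none of the pre hooks specified to skip the rules checks ...
-        else if( in_array( IWPSHook::ACTION_SKIP, $aPreHooksResults ) == FALSE )
-        {
-            /*
-             * Perform basic rules check for normal users (both logged and not logged).
-             */
-            foreach( self::$aScopes as $sScope )
-            {
-                $aData = $this->aEnvironment[$sScope];
-                // loop each request variable
-                foreach( $aData as $sName => $sValue )
+        foreach( self::$aScopes as $sScope )
+        {
+          $aData = $this->aEnvironment[$sScope];
+          // loop each request variable
+          foreach( $aData as $sName => $sValue )
+          {
+            // skip whitelisted variables
+            if( in_array( $sName, $this->oConfiguration->whitelist ) )
+              continue;
+
+            /* loop each rule */
+            foreach( $this->aRules as $oRule )
+            {
+              // do we have a match?
+              if( preg_match( '/'.$oRule->pattern.'/i', $sValue ) )
+              {
+                // Run ALARM hooks
+                $aAlarmHooksResults = $this->runHooks( IWPSHook::ALARM_HOOK, array( $sName, $sValue, $oRule ) );
+                // Do we have a ban action ?
+                if( in_array( IWPSHook::ACTION_BAN, $aAlarmHooksResults ) )
                 {
-                    // skip whitelisted variables
-                    if( in_array( $sName, $this->oConfiguration->whitelist ) )
-                        continue;
-
-                    /* loop each rule */
-                    foreach( $this->aRules as $oRule )
-                    {
-                        // do we have a match?
-                        if( preg_match( '/'.$oRule->pattern.'/i', $sValue ) )
-                        {
-                            // Run ALARM hooks
-                            $aAlarmHooksResults = $this->runHooks( IWPSHook::ALARM_HOOK, array( $sName, $sValue, $oRule ) );
-                            // Do we have a ban action ?
-                            if( in_array( IWPSHook::ACTION_BAN, $aAlarmHooksResults ) )
-                            {
-                                $this->addBan($sAddress);
-                                $this->render( WPSReport::FORMAT_BANNED );
-                            }
-                            // Add the alarm only if ACTION_SKIP was not specified by any hook
-                            else if( in_array( IWPSHook::ACTION_SKIP, $aAlarmHooksResults ) == FALSE )
-                                $this->oReport->addAlarm( $sScope, $sName, $sValue, $oRule->type, $oRule->pattern );
-                        }
-                    }
+                  $this->addBan($sAddress);
+                  $this->render( WPSReport::FORMAT_BANNED );
                 }
-            }
+                // Add the alarm only if ACTION_SKIP was not specified by any hook
+                else if( in_array( IWPSHook::ACTION_SKIP, $aAlarmHooksResults ) == FALSE )
+                  $this->oReport->addAlarm( $sScope, $sName, $sValue, $oRule->type, $oRule->pattern );
+              }
+            }
+          }
         }
 
         if( $this->oReport->hasAlarms() )
         {
-            // is autoban enabled ?
-            if( $this->oConfiguration->autoban )
-            {
-                // if current hits + total hits >= max attacks then ban this guy
-                if( ( $this->getHits($sAddress) + $this->oReport->entries() ) >= $this->oConfiguration->ban_attacks )
-                    $this->addBan( $sAddress );
-            }
-
-            // log and notify only if we are not getting flooded
-            if( $this->isFlooding( $sAddress ) == FALSE )
-            {
-                // handle logging
-                if( $this->oConfiguration->logging )
-                    $this->oReport->log();
-
-                // handle email notification
-                if( $this->oConfiguration->notification )
-                {
-                    $sAdminEmail = get_bloginfo("admin_email");
-                    $sMessage    = $this->oReport->get( WPSReport::FORMAT_EMAIL );
-                    $sSubject    = 'WP-Sentinel Alarm Report';
-                    $sHeaders    = "From: $sAdminEmail\r\n" .
-                                   "X-Mailer: PHP/".phpversion();
-
-                    @mail( $sAdminEmail, $sSubject, $sMessage, $sHeaders );
-                }
-            }
-
-            $this->render( WPSReport::FORMAT_USER );
-        }
+          // is autoban enabled ?
+          if( $this->oConfiguration->autoban )
+          {
+            // if current hits + total hits >= max attacks then ban this guy
+            if( ( $this->getHits($sAddress) + $this->oReport->entries() ) >= $this->oConfiguration->ban_attacks )
+              $this->addBan( $sAddress );
+          }
+
+          // log and notify only if we are not getting flooded
+          if( $this->isFlooding( $sAddress ) == FALSE )
+          {
+            // handle logging
+            if( $this->oConfiguration->logging )
+              $this->oReport->log();
+
+            // handle email notification
+            if( $this->oConfiguration->notification )
+            {
+              $sAdminEmail = get_bloginfo("admin_email");
+              $sMessage    = $this->oReport->get( WPSReport::FORMAT_EMAIL );
+              $sSubject    = 'WP-Sentinel Alarm Report';
+              $sHeaders    = "From: $sAdminEmail\r\n" .
+                             "X-Mailer: PHP/".phpversion();
+
+              @mail( $sAdminEmail, $sSubject, $sMessage, $sHeaders );
+            }
+          }
+
+          $this->render( WPSReport::FORMAT_USER );
+        }
+      }       
     }
 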
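Review bot: In the rewritten rule loop of run(), `preg_match( '/'.$oRule->pattern.'/i', $sValue )` treats every engine failure as "no match", so a pattern that hits the PCRE backtrack or recursion limit (the 2.0.1 rule set imported from PHPIDS is heavy on lookbehinds, conditionals and nested alternations) lets the request through silently; the same happens when `$sValue` is not a string, which is what `name[]=` parameters produce if `aEnvironment` mirrors the raw superglobals — worth confirming where that array is built, and flattening or recursing into nested values before they reach this loop. The loop should fail closed: distinguish `FALSE` from `0`, check `preg_last_error()`, and treat a rule the engine cannot evaluate as a hit. A second point: `isBlogAdmin()` now exempts the caller from both the ban check and the ban action purely on `aEnvironment['USER']->caps['administrator']`, so a comment on that method should state that this object must come from the authenticated WordPress session and that a hijacked administrator session is therefore never banned.
```php
            foreach( $this->aRules as $oRule )
            {
              // do we have a match? FALSE means PCRE could not evaluate the rule (backtrack /
              // recursion limit, non-string value): fail closed and treat it as a match
              $mMatch = preg_match( '/'.$oRule->pattern.'/i', $sValue );
              if( $mMatch === FALSE || preg_last_error() !== PREG_NO_ERROR )
                $mMatch = 1;
              if( $mMatch )
              {
                // … unchanged: ALARM hooks, ban / addAlarm handling …
```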
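--- a/wp-sentinel/trunk/hooks/allowed-file.hook.php
+++ b/wp-sentinel/trunk/hooks/allowed-file.hook.php
@@ -20,4 +20,6 @@
  *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
  ***************************************************************************/
+
+if( !defined('WPS_INCLUDE') ){ die (); }
 
 class AllowedFileHook implements IWPSHook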
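--- a/wp-sentinel/trunk/hooks/allowed-tags.hook.php
+++ b/wp-sentinel/trunk/hooks/allowed-tags.hook.php
@@ -3,5 +3,5 @@
  *   @brief WP-Sentinel - Wordpress Security System .                      *
  *   @author Simone Margaritelli (aka evilsocket) <evilsocket@gmail.com>   *
- *                                                                         *
+ *                                                                             *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -20,4 +20,6 @@
  *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
  ***************************************************************************/
+
+if( !defined('WPS_INCLUDE') ){ die (); }
 
 class AllowedTagsHook implements IWPSHook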
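--- a/wp-sentinel/trunk/hooks/check-bruteforce.hook.php
+++ b/wp-sentinel/trunk/hooks/check-bruteforce.hook.php
@@ -20,4 +20,6 @@
  *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
  ***************************************************************************/
+
+if( !defined('WPS_INCLUDE') ){ die (); }
 
 class CheckBruteforceHook implements IWPSHook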
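--- a/wp-sentinel/trunk/hooks/isadmin.hook.php
+++ b/wp-sentinel/trunk/hooks/isadmin.hook.php
@@ -21,4 +21,6 @@
  ***************************************************************************/
 
+if( !defined('WPS_INCLUDE') ){ die (); }
+
 class IsAdminHook implements IWPSHook
 {
@@ -29,33 +31,33 @@
 
     public function run( $mArg )
-    {
-        // if the user is an administrator
-        if( isset($this->aEnv["USER"]->user_level) )
+    {     
+      // if the user is an administrator
+      if( WPSentinel::isBlogAdmin() )
+      {
+        // if the request target is the admin panel, perform cross site request forgery checking
+        if( preg_match( '|/wp\-admin/|i', $_SERVER["REQUEST_URI"] ) )
         {
-            // if the request target is the admin panel, perform cross site request forgery checking
-            if( preg_match( '|/wp\-admin/|i', $_SERVER["REQUEST_URI"] ) )
+          // any post request ?
+          if( count( array_diff( array_values($this->aEnv['POST']), array('') ) ) )
+          {
+            $sValidReferer     = get_bloginfo('wpurl');
+            $sValidRefererRule = '^'.preg_quote( $sValidReferer, '/' );
+
+            // referer not set or not allowed to POST to the admin panel
+            if( !isset($_SERVER['HTTP_REFERER']) || !preg_match( "/$sValidRefererRule/i", $_SERVER['HTTP_REFERER'] ) )
             {
-              // any post request ?
-              if( count( array_diff( array_values($this->aEnv['POST']), array('') ) ) )
-              {
-                  $sValidReferer     = get_bloginfo('wpurl');
-                  $sValidRefererRule = '^'.preg_quote( $sValidReferer, '/' );
+              // add CSRF alarm!!!
+              WPSentinel::addAlarm( 'HTTP_REFERER', 'HTTP_REFERER', $_SERVER['HTTP_REFERER'], 'invalid or null referer for wordpress administration panel request', $sValidRefererRule );
 
-                  // referer not set or not allowed to POST to the admin panel
-                  if( !isset($_SERVER['HTTP_REFERER']) || !preg_match( "/$sValidRefererRule/i", $_SERVER['HTTP_REFERER'] ) )
-                  {
-                    // add CSRF alarm!!!
-                    WPSentinel::addAlarm( 'HTTP_REFERER', 'HTTP_REFERER', $_SERVER['HTTP_REFERER'], 'invalid or null referer for wordpress administration panel request', $sValidRefererRule );
-
-                    return self::ACTION_ALARM;
-                  }
-              }
+              return self::ACTION_ALARM;
             }
-
-            // User is an admin and no alarm was triggered, skip next rules checkings.
-            return self::ACTION_SKIP;
+          }
         }
 
-        return self::ACTION_NONE;
+        // User is an admin and no alarm was triggered, skip next rules checkings.
+        return self::ACTION_SKIP;
+      }
+
+      return self::ACTION_NONE;
     }
 }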
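Review bot: The referer whitelist built at new line 44, `'^'.preg_quote( $sValidReferer, '/' )`, is a bare prefix match, so with a site URL of `http://example.com` a POST whose Referer is `http://example.com.attacker.tld/` or `http://example.community/` passes the CSRF check; anchor the origin with `$sValidRefererRule = '^'.preg_quote( $sValidReferer, '/' ).'(?:[\/?#]|$)';` (wpurl is normally stored without a trailing slash — confirm for this install). When the header is absent, the alarm at new line 50 still reads `$_SERVER['HTTP_REFERER']`, which raises the very notice this release set out to remove; pass `isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''` instead. Because browsers and privacy tools strip Referer and the only other conditions are the `/wp-admin/` match on REQUEST_URI and a non-empty POST, this hook is at best a secondary layer; a comment above run() should say that WordPress nonces remain the primary CSRF control and that the ACTION_SKIP returned for administrators also bypasses every rule in the main loop.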
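--- a/wp-sentinel/trunk/readme.txt
+++ b/wp-sentinel/trunk/readme.txt
@@ -4,8 +4,8 @@
 Donate link: http://www.evilsocket.net/
 Plugin URI: http://www.evilsocket.net/
-Tags: security, hack, ids, ips, exploit, protection, guard, hackers, hacker, bruteforcing, flood, csrf, cross site request forgery, xss, cross site scripting, rfi, remote file inclusion, lfi, local file inclusion, sql injection, sqli
+Tags: security, hack, ids, ips, exploit, security, safe, protection, guard, hackers, hacker, bruteforcing, flood, csrf, cross site request forgery, xss, cross site scripting, rfi, remote file inclusion, lfi, local file inclusion, sql injection, sqli
 Requires at least: 2.8
 Tested up to: 3.3.1
-Stable tag: 2.0
+Stable tag: 2.0.1
 
 A wordpress security system plugin which will check every HTTP request against a given set of rules to filter out malicious requests.
@@ -25,9 +25,12 @@
 * HTML Injections
 * Remote File Inclusions
+* Remote Command Executions
 * Local File Inclusions
 * SQL Injections
+* Integer & string overflows
 * Cross Site Request Forgery
 * Login bruteforcing
 * Flooding
+* ... and so on :)
 
 WP-Sentinel will NOT check requests from the user logged in as administrator, so if you want to check the installation you have to log out first.
@@ -54,4 +57,12 @@
 
 == Changelog ==
+
+= 2.0.1 =
+* Implemented a full set of rules, tnx to PHPIDS guys.
+* Fixed routine which checks if the user is an admin.
+* Fixed issue that caused many other plugins such as JeyPack, WP Stats and so on not to work.
+* Fixed issue that caused the admin to be banned.
+* Fixed minor issues that caused php notices.
+* Fixed admin html.
 
 = 2.0.0 =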
  • wp-sentinel/trunk/rules.json

    r498844 r499330  
    1 [{"label":"XSS","type":"script or html injection","pattern":"<[^>]*(script|object|iframe|applet|meta|style|form|img|onmouseover|body)*\"?[^>]*>"},{"label":"RFI","type":"remote file inclusion","pattern":"^(http|https|ftp|webdav)[\\s]*:[\\s]*\\\/[\\s]*\\\/[\\s]*.*\\\/.*\\?"},{"label":"LFI","type":"local file inclusion","pattern":"\\.+\\\/+"},{"label":"SQL","type":"sql injection","pattern":"(;)?[\\s]*insert.+into.+value.+"},{"label":"SQL","type":"sql injection","pattern":"(;)?[\\s]*(drop,alter,create).+(index,table,database)"},{"label":"SQL","type":"sql injection","pattern":"update.+set.*="},{"label":"SQL","type":"sql injection","pattern":"union.+(all)?.*select"}]
     1[{"type":"html breaking injections including whitespace attacks","label":"XSS","pattern":"(?:\"[^\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\\/>)|(?:>\")"},{"type":"attribute breaking injections including whitespace attacks","label":"XSS","pattern":"(?:\"+.*[<=]\\s*\"[^\"]+\")|(?:\"\\s*\\w+\\s*=)|(?:>\\w=\\\/)|(?:#.+\\)[\"\\s]*>)|(?:\"\\s*(?:src|style|on\\w+)\\s*=\\s*\")|(?:[^\"]?\"[,;\\s]+\\w*[\\[\\(])"},{"type":"unquoted attribute breaking injections","label":"XSS","pattern":"(?:^>[\\w\\s]*<\\\/?\\w{2,}>)"},{"type":"url-, name-, JSON, and referrer-contained payload attacks","label":"XSS","pattern":"(?:[+\\\/]\\s*name[\\W\\d]*[)+])|(?:;\\W*url\\s*=)|(?:[^\\w\\s\\\/?:>]\\s*(?:location|referrer|name)\\s*[^\\\/\\w\\s-])"},{"type":"hash-contained xss payload attacks, setter usage and property overloading","label":"XSS","pattern":"(?:\\W\\s*hash\\s*[^\\w\\s-])|(?:\\w+=\\W*[^,]*,[^\\s(]\\s*\\()|(?:\\?\"[^\\s\"]\":)|(?:(?<!\\\/)__[a-z]+__)|(?:(?:^|[\\s)\\]\\}])(?:s|g)etter\\s*=)"},{"type":"self contained xss via with(), common loops and regex to string conversion","label":"XSS","pattern":"(?:with\\s*\\(\\s*.+\\s*\\)\\s*\\w+\\s*\\()|(?:(?:do|while|for)\\s*\\([^)]*\\)\\s*\\{)|(?:\\\/[\\w\\s]*\\[\\W*\\w)"},{"type":"JavaScript with(), ternary operators and XML predicate attacks","label":"XSS","pattern":"(?:[=(].+\\?.+:)|(?:with\\([^)]*\\)\\))|(?:\\.\\s*source\\W)"},{"type":"self-executing JavaScript functions","label":"XSS","pattern":"(?:\\\/\\w*\\s*\\)\\s*\\()|(?:\\([\\w\\s]+\\([\\w\\s]+\\)[\\w\\s]+\\))|(?:(?<!(?:mozilla\\\/\\d\\.\\d\\s))\\([^)[]+\\[[^\\]]+\\][^)]*\\))|(?:[^\\s!][{([][^({[]+[{([][^}\\])]+[}\\])][\\s+\",\\d]*[}\\])])|(?:\"\\)?\\]\\W*\\[)|(?:=\\s*[^\\s:;]+\\s*[{([][^}\\])]+[}\\])];)"},{"type":"the IE octal, hex and unicode entities","label":"XSS","pattern":"(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\\d{2,3})"},{"type":"basic directory 
traversal","label":"DT","pattern":"(?:(?:\\\/|\\\\)?\\.+(\\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\\/[\\w*-]+\\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\\/(?:%2e){2})"},{"type":"specific directory and path traversal","label":"DT","pattern":"(?:%c0%ae\\\/)|(?:(?:\\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\\/|\\\\))|(?:(?:\\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)"},{"type":"etc\/passwd inclusion attempts","label":"DT","pattern":"(?:etc\\\/\\W*passwd)"},{"type":"halfwidth\/fullwidth encoded unicode HTML breaking attempts","label":"XSS","pattern":"(?:%u(?:ff|00|e\\d)\\w\\w)|(?:(?:%(?:e\\w|c[^3\\W]|))(?:%\\w\\w)(?:%\\w\\w)?)"},{"type":"possible includes, VBSCript\/JScript encodeed and packed functions","label":"XSS","pattern":"(?:#@~\\^\\w+)|(?:\\w+script:|@import[^\\w]|;base64|base64,)|(?:\\w+\\s*\\([\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+\\))"},{"type":"JavaScript DOM\/miscellaneous properties and methods","label":"XSS","pattern":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@\\-\\|])(\\s*return\\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\\wettimeout|(?:ms)?setimmediate|option|useragent)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.+\\-]))"},{"type":"possible includes and typical script methods","label":"XSS","pattern":"([^*\\s\\w,.\\\/?+-]\\s*)?(?<![a-mo-z]\\s)(?<![a-z\\\/_@])(\\s*return\\s*)?(?:alert|inputbox|showmod(?:al|eless)dialog|showhelp|infinity|isnan|isnull|iterator|msgbox|executeglobal|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.:\\\/+\\-]))"},{"type":"JavaScript object properties and 
methods","label":"XSS","pattern":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@])(\\s*return\\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\\w%\"]|(?:\\s*[^@\\\/\\s\\w%.+\\-]))"},{"type":"JavaScript array properties and methods","label":"XSS","pattern":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@\\-\\|])(\\s*return\\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))"},{"type":"JavaScript string properties and methods","label":"XSS","pattern":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@\\-\\|])(\\s*return\\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\\w+codeuri\\w*)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))"},{"type":"JavaScript language constructs","label":"XSS","pattern":"(?:\\)\\s*\\[)|([^*\":\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z_@\\|])(\\s*return\\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\\s*(?:each)?|elseif|case|switch|regex|boolean|location|(?:ms)?setimmediate|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\".+\\-\\\/]))"},{"type":"very basic XSS 
probings","label":"XSS","pattern":"(?:,\\s*(?:alert|showmodaldialog|eval)\\s*,)|(?::\\s*eval\\s*[^\\s])|([^:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z\\\/_@])(\\s*return\\s*)?(?:(?:document\\s*\\.)?(?:.+\\\/)?(?:alert|eval|msgbox|showmod(?:al|eless)dialog|showhelp|prompt|write(?:ln)?|confirm|dialog|open))\\s*(?:[^.a-z\\s\\-]|(?:\\s*[^\\s\\w,.@\\\/+-]))|(?:java[\\s\\\/]*\\.[\\s\\\/]*lang)|(?:\\w\\s*=\\s*new\\s+\\w+)|(?:&\\s*\\w+\\s*\\)[^,])|(?:\\+[\\W\\d]*new\\s+\\w+[\\W\\d]*\\+)|(?:document\\.\\w)"},{"type":"advanced XSS probings via Script(), RexExp, constructors and XML namespaces","label":"XSS","pattern":"(?:=\\s*(?:top|this|window|content|self|frames|_content))|(?:\\\/\\s*[gimx]*\\s*[)}])|(?:[^\\s]\\s*=\\s*script)|(?:\\.\\s*constructor)|(?:default\\s+xml\\s+namespace\\s*=)|(?:\\\/\\s*\\+[^+]+\\s*\\+\\s*\\\/)"},{"type":"JavaScript location\/document property access and window access obfuscation","label":"XSS","pattern":"(?:\\.\\s*\\w+\\W*=)|(?:\\W\\s*(?:location|document)\\s*\\W[^({[;]+[({[;])|(?:\\(\\w+\\?[:\\w]+\\))|(?:\\w{2,}\\s*=\\s*\\d+[^&\\w]\\w+)|(?:\\]\\s*\\(\\s*\\w+)"},{"type":"basic obfuscated JavaScript script injections","label":"XSS","pattern":"(?:[\".]script\\s*\\()|(?:\\$\\$?\\s*\\(\\s*[\\w\"])|(?:\\\/[\\w\\s]+\\\/\\.)|(?:=\\s*\\\/\\w+\\\/\\s*\\.)|(?:(?:this|window|top|parent|frames|self|content)\\[\\s*[(,\"]*\\s*[\\w\\$])|(?:,\\s*new\\s+\\w+\\s*[,;)])"},{"type":"obfuscated JavaScript script injections","label":"XSS","pattern":"(?:=\\s*[$\\w]\\s*[\\(\\[])|(?:\\(\\s*(?:this|top|window|self|parent|_?content)\\s*\\))|(?:src\\s*=s*(?:\\w+:|\\\/\\\/))|(?:\\w+\\[(\"\\w+\"|\\w+\\|\\|))|(?:[\\d\\W]\\|\\|[\\d\\W]|\\W=\\w+,)|(?:\\\/\\s*\\+\\s*[a-z\"])|(?:=\\s*\\$[^([]*\\()|(?:=\\s*\\(\\s*\")"},{"type":"JavaScript cookie stealing and redirection attempts","label":"XSS","pattern":"(?:[^:\\s\\w]+\\s*[^\\w\\\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\\w])"},{"type":"data: URL injections, VBS injections and common URI 
schemes","label":"XSS","pattern":"(?:(?:vbs|vbscript|data):.*[,+])|(?:\\w+\\s*=\\W*(?!https?)\\w+:)|(jar:\\w+:)|(=\\s*\"?\\s*vbs(?:ript)?:)|(language\\s*=\\s?\"?\\s*vbs(?:ript)?)|on\\w+\\s*=\\*\\w+\\-\"?"},{"type":"IE firefoxurl injections, cache poisoning attempts and local file inclusion\/execution","label":"XSS","pattern":"(?:firefoxurl:\\w+\\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\\s*:\\s*[%&#xu\\\/]+)|(wyciwyg|firefoxurl\\s*:\\s*\\\/\\s*\\\/)"},{"type":"bindings and behavior injections","label":"XSS","pattern":"(?:binding\\s?=|moz-binding|behavior\\s?=)|(?:[\\s\\\/]style\\s*=\\s*[-\\\\])"},{"type":"common XSS concatenation patterns 1\/2","label":"XSS","pattern":"(?:=\\s*\\w+\\s*\\+\\s*\")|(?:\\+=\\s*\\(\\s\")|(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[s*\\])|(?:\"\\s*\\+\\s*\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\"\\s*[&|]+\\s*\")|(?:\\\/\\s*\\?\\s*\")|(?:\\\/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:]\\s*\\[\\W*\\w)|(?:[^\\s]\\s*=\\s*\\\/)"},{"type":"common XSS concatenation patterns 2\/2","label":"XSS","pattern":"(?:=\\s*\\d*\\.\\d*\\?\\d*\\.\\d*)|(?:[|&]{2,}\\s*\")|(?:!\\d+\\.\\d*\\?\")|(?:\\\/:[\\w.]+,)|(?:=[\\d\\W\\s]*\\[[^]]+\\])|(?:\\?\\w+:\\w+)"},{"type":"possible event handlers","label":"XSS","pattern":"(?:[^\\w\\s=]on(?!g\\&gt;)\\w+[^=_+-]*=[^$]+(?:\\W|\\&gt;)?)"},{"type":"obfuscated script tags and XML wrapped HTML","label":"","pattern":"(?:\\<\\w*:?\\s(?:[^\\>]*)t(?!rong))|(?:\\<scri)|(<\\w+:\\w+)"},{"type":"attributes in closing tags and conditional compilation tokens","label":"XSS","pattern":"(?:\\<\\\/\\w+\\s\\w+)|(?:@(?:cc_on|set)[\\s@,\"=])"},{"type":"common comment types","label":"XSS","pattern":"(?:--[^\\n]*$)|(?:\\<!-|-->)|(?:[^*]\\\/\\*|\\*\\\/[^*])|(?:(?:[\\W\\d]#|--|{)$)|(?:\\\/{3,}.*$)|(?:<!\\[\\W)|(?:\\]!>)"},{"type":"base href injections and XML entity injections","label":"XSS","pattern":"(?:\\<base\\s+)|(?:<!(?:element|entity|\\[CDATA))"},{"type":"possibly malicious html elements including some 
attributes","label":"XSS","pattern":"(?:\\<[\\\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\\w+|image|im(?:g|port)))"},{"type":"nullbytes and other dangerous characters","label":"XSS","pattern":"(?:\\\\x[01fe][\\db-ce-f])|(?:%[01fe][\\db-ce-f])|(?:&#[01fe][\\db-ce-f])|(?:\\\\[01fe][\\db-ce-f])|(?:&#x[01fe][\\db-ce-f])"},{"type":"MySQL comments, conditions and ch(a)r injections","label":"SQLI","pattern":"(?:\\)\\s*when\\s*\\d+\\s*then)|(?:\"\\s*(?:#|--|{))|(?:\\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*\\(\\s*\\d)|(?:(?:(n?and|x?or|not)\\s+|\\|\\||\\&\\&)\\s*\\w+\\()"},{"type":"conditional SQL injection attempts","label":"SQLI","pattern":"(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])"},{"type":"classic SQL injection probings 1\/2","label":"SQLI","pattern":"(?:\"\\s*or\\s*\"?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:(?:^[\"\\\\]*(?:[\\d\"]+|[^\"]+\"))+\\s*(?:n?and|x?or|not|\\|\\||\\&\\&)\\s*[\\w\"[+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*[|-]\\s*\"\\s*\\w)|(?:@\\w+\\s+(and|or)\\s*[\"\\d]+)|(?:@[\\w-]+\\s(and|or)\\s*[^\\w\\s])|(?:[^\\w\\s:]\\s*\\d\\W+[^\\w\\s]\\s*\".)|(?:\\Winformation_schema|table_name\\W)"},{"type":"classic SQL injection probings 2\/2","label":"SQLI","pattern":"(?:\"\\s*\\*.+(?:or|id)\\W*\"\\d)|(?:\\^\")|(?:^[\\w\\s\"-]+(?<=and\\s)(?<=or\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:\"[\\s\\d]*[^\\w\\s]+\\W*\\d\\W*.*[\"\\d])|(?:\"\\s*[^\\w\\s?]+\\s*[^\\w\\s]+\\s*\")|(?:\"\\s*[^\\w\\s]+\\s*[\\W\\d].*(?:#|--))|(?:\".*\\*\\s*\\d)|(?:\"\\s*or\\s[^\\d]+[\\w-]+.*\\d)|(?:[()*<>%+-][\\w-]+[^\\w\\s]+\"[^,])"},{"type":"basic SQL authentication bypass attempts 
1\/3","label":"SQLI","pattern":"(?:\\d\"\\s+\"\\s+\\d)|(?:^admin\\s*\"|(\\\/\\*)+\"+\\s?(?:--|#|\\\/\\*|{)?)|(?:\"\\s*or[\\w\\s-]+\\s*[+<>=(),-]\\s*[\\d\"])|(?:\"\\s*[^\\w\\s]?=\\s*\")|(?:\"\\W*[+=]+\\W*\")|(?:\"\\s*[!=|][\\d\\s!=+-]+.*[\"(].*$)|(?:\"\\s*[!=|][\\d\\s!=]+.*\\d+$)|(?:\"\\s*like\\W+[\\w\"(])|(?:\\sis\\s*0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:\"[<>~]+\")"},{"type":"basic SQL authentication bypass attempts 2\/3","label":"SQLI","pattern":"(?:union\\s*(?:all|distinct|[(!@]*)?\\s*[([]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,\"-]+from)|(?:find_in_set\\s*\\()"},{"type":"basic SQL authentication bypass attempts 3\/3","label":"SQLI","pattern":"(?:in\\s*\\(+\\s*select)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*\\(|sounds\\s+like\\s*\"|[=\\d]+x))|(\"\\s*\\d\\s*(?:--|#))|(?:\"[%&<>^=]+\\d\\s*(=|or))|(?:\"\\W+[\\w+-]+\\s*=\\s*\\d\\W+\")|(?:\"\\s*is\\s*\\d.+\"?\\w)|(?:\"\\|?[\\w-]{3,}[^\\w\\s.,]+\")|(?:\"\\s*is\\s*[\\d.]+\\s*\\W.*\")"},{"type":"concatenated basic SQL injection and SQLLFI attempts","label":"SQLI","pattern":"(?:[\\d\\W]\\s+as\\s*[\"\\w]+\\s*from)|(?:^[\\W\\d]+\\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_file)\\s?\\(?)|(?:end\\s*\\);)|(\"\\s+regexp\\W)|(?:[\\s(]load_file\\s*\\()"},{"type":"chained SQL injection attempts 1\/2","label":"SQLI","pattern":"(?:@.+=\\s*\\(\\s*select)|(?:\\d+\\s*or\\s*\\d+\\s*[\\-+])|(?:\\\/\\w+;?\\s+(?:having|and|or|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s*\\w{2,})|(?:[^\\w]SET\\s*@\\w+)|(?:(?:n?and|x?or|not 
|\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*[!=+]+[\\s\\d]*[\"=()])"},{"type":"chained SQL injection attempts 2\/2","label":"SQLI","pattern":"(?:\"\\s+and\\s*=\\W)|(?:\\(\\s*select\\s*\\w+\\s*\\()|(?:\\*\\\/from)|(?:\\+\\s*\\d+\\s*\\+\\s*@)|(?:\\w\"\\s*(?:[-+=|@]+\\s*)+[\\d(])|(?:coalesce\\s*\\(|@@\\w+\\s*[^\\w\\s])|(?:\\W!+\"\\w)|(?:\";\\s*(?:if|while|begin))|(?:\"[\\s\\d]+=\\s*\\d)|(?:order\\s+by\\s+if\\w*\\s*\\()|(?:[\\s(]+case\\d*\\W.+[tw]hen[\\s(])"},{"type":"SQL benchmark and sleep injection attempts including conditional queries","label":"SQLI","pattern":"(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*\\(?\\s*\\w+)"},{"type":"MySQL UDF injection and other data\/structure manipulation attempts","label":"SQLI","pattern":"(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*[\\[(]?\\w{2,})"},{"type":"MySQL charset switch and MSSQL DoS attempts","label":"SQLI","pattern":"(?:alter\\s*\\w+.*character\\s+set\\s+\\w+)|(\";\\s*waitfor\\s+time\\s+\")|(?:\";.*:\\s*goto)"},{"type":"MySQL and PostgreSQL stored procedure\/function injections","label":"SQLI","pattern":"(?:procedure\\s+analyse\\s*\\()|(?:;\\s*(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*\\w+\\s*\\(\\s*\\)\\s*-)|(?:declare[^\\w]+[@#]\\s*\\w+)|(exec\\s*\\(\\s*@)"},{"type":"Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts","label":"SQLI","pattern":"(?:select\\s*pg_sleep)|(?:waitfor\\s*delay\\s?\"+\\s?\\d)|(?:;\\s*shutdown\\s*(?:;|--|#|\\\/\\*|{))"},{"type":"MSSQL code execution and information gathering attempts","label":"SQLI","pattern":"(?:\\sexec\\s+xp_cmdshell)|(?:\"\\s*!\\s*[\"\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:\";?\\s*(?:select|union|having)\\s*[^\\s])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*\")"},{"type":"MATCH 
AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections","label":"SQLI","pattern":"(?:merge.*using\\s*\\()|(execute\\s*immediate\\s*\")|(?:\\W+\\d*\\s*having\\s*[^\\s\\-])|(?:match\\s*[\\w(),+-]+\\s*against\\s*\\()"},{"type":"MySQL comment-\/space-obfuscated injections and backtick termination","label":"SQLI","pattern":"(?:,.*[)\\da-f\"]\"(?:\".*\"|\\Z|[^\"]+))|(?:\\Wselect.+\\W*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*\\(\\s*space\\s*\\()"},{"type":"code injection attempts 1\/3","label":"ID","pattern":"(?:@[\\w-]+\\s*\\()|(?:]\\s*\\(\\s*[\"!]\\s*\\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\\s\\w|]*\\$\\w+\\s*=)|(?:\\$\\w+\\s*=(?:(?:\\s*\\$?\\w+\\s*[(;])|\\s*\".*\"))|(?:;\\s*\\{\\W*\\w+\\s*\\()"},{"type":"code injection attempts 2\/3","label":"ID","pattern":"(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\\w+|execute)\\s*[\"(@])"},{"type":"code injection attempts 3\/3","label":"ID","pattern":"(?:(?:[;]+|(<[?%](?:php)?)).*[^\\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\\s*rm\\s+-\\w+\\s+)|(?:;.*{.*\\$\\w+\\s*=)|(?:\\$\\w+\\s*\\[\\]\\s*=\\s*)"},{"type":"url injections and RFE attempts","label":"ID","pattern":"(?:\\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\\{\\s*\\$\\s*\\{)"},{"type":"common function declarations and special JS operators","label":"ID","pattern":"(?:function[^(]*\\([^)]*\\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\\w.]+\\w+\\s*[([])|([)\\]]\\s*\\.\\s*\\w+\\s*=)|(?:\\(\\s*new\\s+\\w+\\s*\\)\\.)"},{"type":"common mail header injections","label":"ID","pattern":"(?:[\\w.-]+@[\\w.-]+%(?:[01][\\db-ce-f])+\\w+:)"},{"type":"perl echo shellcode injection and LDAP vectors","label":"LFI","pattern":"(?:\\.pl\\?\\w+=\\w?\\|\\w+;)|(?:\\|\\(\\w+=\\*)|(?:\\*\\s*\\)+\\s*;)"},{"type":"basic XSS DoS 
attempts","label":"RFE","pattern":"(?:(^|\\W)const\\s+[\\w\\-]+\\s*=)|(?:(?:do|for|while)\\s*\\([^;]+;+\\))|(?:(?:^|\\W)on\\w+\\s*=[\\w\\W]*(?:on\\w+|alert|eval|print|confirm|prompt))|(?:groups=\\d+\\(\\w+\\))|(?:(.)\\1{128,})"},{"type":"attribute breaking injections including obfuscated attributes","label":"XSS","pattern":"(?:[\\s\\\/\"]+[-\\w\\\/\\\\\\*]+\\s*=.+(?:\\\/\\s*>))"},{"type":"basic VBScript injection attempts","label":"XSS","pattern":"(?:(?:msgbox|eval)\\s*\\+|(?:language\\s*=\\*vbscript))"},{"type":"basic MongoDB SQL injection attempts","label":"","pattern":"(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\\])"},{"type":"malicious attribute injection attempts and MHTML attacks","label":"XSS","pattern":"(?:[\\s\\d\\\/\"]+(?:on\\w+|style|poster|background)=[$\"\\w])|(?:-type\\s*:\\s*multipart)"},{"type":"blind sqli tests using sleep() or benchmark().","label":"SQLI","pattern":"(?:(sleep\\((\\s*)(\\d*)(\\s*)\\)|benchmark\\((.*)\\,(.*)\\)))"},{"type":"attacker is trying to locate a file to read or write.","label":"FILES","pattern":"(?i:(\\%SYSTEMROOT\\%))"},{"type":"remote code exectuion tests. Will match \"ping -n 3 localhost\" and \"ping localhost -n 3\"","label":"COMMAND EXECUTION","pattern":"(?i:(ping(.*)[\\-(.*)\\w|\\w(.*)\\-]))"},{"type":"for a format string attack","label":"","pattern":"(?:(((.*)\\%[c|d|i|e|f|g|o|s|u|x|p|n]){8}))"},{"type":"for basic sql injection. Common attack string for mysql, oracle and others.","label":"SQLI","pattern":"(?:(union(.*)select(.*)from))"},{"type":"for intiger overflow attacks, these are taken from skipfish, except 2.2250738585072007e-308 is the \"magic number\" crash","label":"SQLI","pattern":"(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$)"}]
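--- a/wp-sentinel/trunk/wp-sentinel.php
+++ b/wp-sentinel/trunk/wp-sentinel.php
@@ -3,5 +3,5 @@
 Plugin Name: WP-Sentinel
 Plugin URI: http://lab.evilsocket.net/
-Version: 2.0
+Version: 2.0.1
 Author: Simone Margaritelli aka evilsocket
 Description: WordPress security system.
@@ -28,4 +28,6 @@
  ***************************************************************************/
 
+define( 'WPS_INCLUDE', 1 );
+
 /*
  * Register WP-Sentinel main function.
@@ -50,10 +52,10 @@
 function wp_sentinel_enqueue_scripts()
 {
-    wp_enqueue_script( 'thickbox' );
-    wp_enqueue_script( 'facebox',       WPS_ADMIN_URL.'js/facebox.js', array('jquery') );
-    wp_enqueue_script( 'facebox-start', WPS_ADMIN_URL.'js/start.js',   array('facebox') );
-    wp_enqueue_script( 'tooltip',       WPS_ADMIN_URL.'js/tooltip.js', array('jquery') );
+  wp_enqueue_script( 'thickbox' );
+  wp_enqueue_script( 'facebox',       WPS_ADMIN_URL.'js/facebox.js', array('jquery') );
+  wp_enqueue_script( 'facebox-start', WPS_ADMIN_URL.'js/start.js',   array('facebox') );
+  wp_enqueue_script( 'tooltip',       WPS_ADMIN_URL.'js/tooltip.js', array('jquery') );
 }
-
+ 
 /*
  * Enqueue plugin css.
@@ -71,8 +73,8 @@
 function wp_sentinel_run()
 {
-    global $wpdb;
-
-    $oSentinel = new WPSentinel( $wpdb );
-    $oSentinel->run();
+  global $wpdb;
+       
+  $oSentinel = new WPSentinel( $wpdb );
+  $oSentinel->run();
 }
 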
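Review bot: `define( 'WPS_INCLUDE', 1 );` is added unconditionally and without a comment, so nothing in the file says what the constant is for, and a second definition (another plugin using the same name, or this file being included twice) would emit a "constant already defined" warning. Since the commit appears to use it as the marker that the plugin's included files test before they die(), it is worth guarding and documenting in place: `if( !defined('WPS_INCLUDE') ){ define( 'WPS_INCLUDE', 1 ); } // set before any plugin file is included; included files die() when it is absent, so they cannot be requested directly`. This main file sits in the web-reachable plugin directory and carries no guard of its own in the hunk; if it is not protected elsewhere, the conventional WordPress check `if( !defined('ABSPATH') ){ die(); }` placed before the define would stop a direct request from reaching the WordPress function calls further down. The other hunks in this section are a version bump and whitespace-only re-indentation of wp_sentinel_enqueue_scripts() and wp_sentinel_run().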