Default Deny Rules

Deny Rule Group - (default) SQL Injection (SQLi) in Parameter Value

The group contains SQL injection deny rules for parameter values. The security level Basic prevents injection of new SQL statements (e.g. ; DROP TABLE) and set operations (e.g. UNION SELECT). The security level Standard further prevents injection of SQL sub queries and SQL expressions in single quote context (e.g. ' or 1=1--). The security level Strict further prevents SQLi in unquoted context (e.g. 1 or 1).

SQLI_PARAM_VALUE:

Rule name	Basic	Standard	Strict
(default SQL_001A) Expression in unquoted context in parameter value			x
(default SQL_005A) Expression in quoted context in parameter value		x	x
(default SQL_020A) Statement in C style comment tag in parameter value	x	x	x
(default SQL_025A) New statement in unquoted context in parameter value		x	x
(default SQL_030A) New statement in quoted context in parameter value	x	x	x
(default SQL_040A) Sub query in bracket context in parameter value			x
(default SQL_045A) Sub query in parameter value		x	x
(default SQL_050A) Condition elimination in unquoted context in parameter value			x
(default SQL_055A) Condition elimination in quoted context in parameter value		x	x
(default SQL_060A) Set operator in parameter value	x	x	x
(default SQL_065A) Special SQL keywords		x	x

Deny Rule Group - (default) SQL Injection (SQLi) in Header Value

The group contains SQL injection deny rules for header values. The security level Basic prevents injection of new SQL statements (e.g. ; DROP TABLE) and set operations (e.g. UNION SELECT). The security level Standard further prevents injection of SQL sub queries and SQL expressions in single quote context (e.g. ' or 1=1--). The security level Strict further prevents SQLi in unquoted context (e.g. 1 or 1).

SQLI_HEADER_VALUE:

Rule name	Basic	Standard	Strict
(default SQL_001B) Expression in unquoted context in HTTP header value			x
(default SQL_005B) Expression in quoted context in HTTP header value		x	x
(default SQL_020B) Statement in C style comment tag in HTTP header value	x	x	x
(default SQL_025B) New statement in unquoted context in HTTP header value		x	x
(default SQL_030B) New statement in quoted context in HTTP header value	x	x	x
(default SQL_040B) Sub query in bracket context in HTTP header value			x
(default SQL_045B) Sub query in HTTP header value		x	x
(default SQL_050B) Condition elimination in unquoted context in HTTP header value			x
(default SQL_055B) Condition elimination in quoted context in HTTP header value		x	x
(default SQL_060B) Set operator in HTTP header value	x	x	x
(default SQL_065B) Special SQL keywords		x	x

Deny Rule Group - (default) Cross-Site Scripting (XSS) in Parameter Value

The group contains XSS deny rules for parameter values. The security level Basic prevents injection of <script> and known HTML event handlers (e.g. "onload"). The security level Standard prevents injection of JavaScript code in quoted context. The security level Strict prevents injection of JavaScript code in unquoted context.

XSS_PARAM_VALUE:

Rule name	Basic	Standard	Strict
(default XSS_001A) Source attribute of critical HTML tag in parameter value	x	x	x
(default XSS_005A) HTML script tag in parameter value	x	x	x
(default XSS_020A) Injection in link attributes in parameter value		x	x
(default XSS_025A) Refresh rate manipulation in parameter value		x	x
(default XSS_030A) JavaScript in quoted context in parameter value		x	x
(default XSS_035A) JavaScript in unquoted context in parameter value			x
(default XSS_040A) HTML event handler in parameter value	x	x	x
(default XSS_050A) CSS expression in parameter value		x	x
(default XSS_055A) XSS filter evasion using arrays and objects in parameter value		x	x

Deny Rule Group - (default) Cross-Site Scripting (XSS) in Header Value

The group contains XSS deny rules for HTTP header values. The security level Basic prevents injection of <script> and known HTML event handlers (e.g. "onload"). The security level Standard prevents injection of JavaScript code in quoted context. The security level Strict prevents injection of JavaScript code in unquoted context.

XSS_HEADER_VALUE:

Rule name	Basic	Standard	Strict
(default XSS_001B) Source attribute of critical HTML tag in HTTP header value	x	x	x
(default XSS_005B) HTML script tag in HTTP header value	x	x	x
(default XSS_020B) Injection in link attributes in HTTP header value		x	x
(default XSS_025B) Refresh rate manipulation in HTTP header value		x	x
(default XSS_030B) JavaScript in quoted context in HTTP header value		x	x
(default XSS_040B) HTML event handler in HTTP header value	x	x	x
(default XSS_050B) CSS expression in HTTP header value		x	x
(default XSS_055B) XSS filter evasion using arrays and objects in HTTP header value		x	x

Deny Rule Group - (default) Cross-Site Scripting (XSS) in Path

The group contains XSS deny rules for HTTP paths. The security level Basic prevents injection of <script> and known HTML event handlers (e.g. "onload"). The security level Standard prevents injection of JavaScript code in quoted context. The security level Strict prevents injection of JavaScript code in unquoted context.

XSS_PATH:

Rule name	Basic	Standard	Strict
(default XSS_001C) Source attribute of critical HTML tag in path	x	x	x
(default XSS_005C) HTML script tag in path	x	x	x
(default XSS_040C) HTML eventhandler in path	x	x	x

Deny Rule Group - (default) Template and Expression Language Injection

The group prevents template and expression language injections for various client-side and server-side templating engines.

TI:

Rule name	Standard	Strict
(default TI_001A) Template injection in parameter value	x	x
(default TI_001B) Template injection in HTTP header value	x	x
(default TI_001C) Template injection in path	x	x
(default TI_001D) Template injection in parameter name	x	x
(default TI_002A) Expression Language injection in parameter value	x	x
(default TI_002B) Expression Language injection in HTTP header value	x	x
(default TI_002C) Expression Language injection in path	x	x
(default TI_002D) Expression Language injection in parameter name	x	x

Deny Rule Group - (default) HTML Injection in Parameter Value

The group prevents HTML injection through HTTP parameter values. The security level Basic does not prevent any HTML injection. The security level Standard prevents injection of well known HTML tags (e.g. <img src="path">) as well as injection of well known HTML attribute names in a single or double quoted attribute value (e.g. ' href="url"). The security level Strict prevents injection of any kind of HTML tags as well as injection of any kind of HTML attribute names in a single or double quoted attribute value.

Rule name	Standard	Strict
(default HTML_001A) HTML tag in parameter value		x
(default HTML_002A) Known HTML tag in parameter value	x
(default HTML_003A) HTML attribute in quoted context in parameter value		x
(default HTML_004A) Known HTML attribute in quoted context in parameter value	x

Deny Rule Group - (default) HTML Injection in Header Value

The group prevents HTML injection through HTTP header values. The security level Basic does not prevent any HTML injection. The security level Standard prevents injection of well known HTML tags (e.g. <img src="path">) as well as injection of well known HTML attribute names in a single or double quoted attribute value (e.g. ' href="url"). The security level Strict prevents injection of any kind of HTML tags as well as injection of any kind of HTML attribute names in a single or double quoted attribute value.

HTML_HEADER_VALUE:

Rule name	Standard	Strict
(default HTML_001B) HTML tag in HTTP header value		x
(default HTML_002B) Known HTML tag in HTTP header value	x
(default HTML_003B) HTML attribute in quoted context in HTTP header value		x
(default HTML_004B) Known HTML attribute in quoted context in HTTP header value	x

Deny Rule Group - (default) HTML Injection in Path

The group prevents HTML injection through HTTP paths. The security level Basic does not prevent any HTML injection. The security level Standard prevents injection of well known HTML tags (e.g. <img src="path">) as well as injection of well known HTML attribute names in a single or double quoted attribute value (e.g. ' href="url"). The security level Strict prevents injection of any kind of HTML tags as well as injection of any kind of HTML attribute names in a single or double quoted attribute value.

HTML_PATH:

Rule name	Standard	Strict
(default HTML_001C) HTML tag in path		x
(default HTML_002C) Known HTML tag in path	x
(default HTML_003C) HTML attribute in quoted context in path		x
(default HTML_004C) Known HTML attribute in quoted context in path	x

Deny Rule Group - (default) UNIX Command Injection in Parameter Value

The group contains deny rules preventing UNIX command injections through HTTP parameter values.

UNIXCMD_PARAM_VALUE:

Rule name	Basic	Standard	Strict
(default UNIX_001A) Bash command injection exploiting Shellshock bug in parameter value	x	x	x
(default UNIX_005A) UNIX command injection in quoted context in parameter value		x	x
(default UNIX_006A) UNIX command injection in quoted context (strict) in parameter value			x
(default UNIX_010A) UNIX command injection in unquoted context in parameter value			x

Deny Rule Group - (default) UNIX Command Injection in Header Value

The group contains deny rules preventing UNIX command injections through HTTP header values.

UNIXCMD_HEADER_VALUE:

Rule name	Basic	Standard	Strict
(default UNIX_001B) Bash command injection exploiting Shellshock bug in HTTP header value	x	x	x
(default UNIX_005B) UNIX command injection in quoted context in HTTP header value		x	x
(default UNIX_006B) UNIX command injection in quoted context (strict) in HTTP header value			x
(default UNIX_010B) UNIX command injection in unquoted context in HTTP header value			x

Deny Rule Group - (default) Windows Command Injection in Parameter Value

The group contains deny rules preventing Windows command injections through HTTP parameter values.

WINCMD_PARAM_VALUE:

Rule name	Legacy	Basic	Standard	Strict
(default WIN_015A) Windows command injection in quoted context in parameter value			x	x
(default WIN_020A) Windows command injection in unquoted context in parameter value				x

Deny Rule Group - (default) Windows Command Injection in Header Value

The group contains deny rules preventing Windows command injections through HTTP header values.

WINCMD_HEADER_VALUE:

Rule name	Legacy	Basic	Standard	Strict
(default WIN_015B) Windows command injection in quoted context in HTTP header value			x	x
(default WIN_020B) Windows command injection in unquoted context in HTTP header value				x

Deny Rule Group - (default) LDAP Injection in Parameter Value

Prevents LDAP query injection in parameter values

LDAP_PARAM_VALUE:

Rule name	Legacy	Basic	Standard	Strict
(default LDAP_001A) LDAP query injection in parameter value			x
(default LDAP_002A) LDAP query injection (strict) in parameter value				x

Deny Rule Group - (default) LDAP Injection in Header Value

Prevents LDAP query injection in header values

LDAP_HEADER_VALUE:

Rule name	Legacy	Basic	Standard	Strict
(default LDAP_001B) LDAP query injection in HTTP header value			x
(default LDAP_002B) LDAP query injection (strict) in HTTP header value				x

Deny Rule Group - (default) PHP Injection in Parameter Value

Prevents PHP code injection in parameter values

PHP_PARAM_VALUE:

Rule name	Legacy	Basic	Standard	Strict
(default PHP_001A) PHP tag injection in parameter value		x	x	x
(default PHP_002A) PHP short tag injection in parameter value			x	x

Deny Rule Group - (default) PHP Injection in Header Value

Prevents PHP code injection in header values

PHP_HEADER_VALUE:

Rule name	Legacy	Basic	Standard	Strict
(default PHP_001B) PHP tag injection in HTTP header value		x	x	x
(default PHP_002B) PHP short tag injection in HTTP header value			x	x

Deny Rule Group - (default) Object Graph Navigation Library (OGNL) injection (Apache Struts)

Prevents OGNL injection

OGNL:

Rule name	Basic	Standard	Strict
(default OGNL_001A) Object Graph Navigation Library (OGNL) injection (Apache Struts2) in parameter value	x	x	x
(default OGNL_001B) Object Graph Navigation Library (OGNL) injection (Apache Struts2) in HTTP header value	x	x	x
(default OGNL_001C) Object Graph Navigation Library (OGNL) injection (Apache Struts2) in path	x	x	x

Deny Rule Group - (default) Insecure Direct Object Reference in Parameter Value

The group contains insecure direct object reference deny rules and file inclusion deny rules for parameter values. The security level Basic prevents directory traversal and injection of certain critical files (e.g. /etc/passwd). The security level Standard prevents injection of known top level directory paths (e.g. /etc/) and critical protocol schemes (e.g. "php://). The security level Strict further prevents injection of file paths with critical suffixes (e.g. .exe) any absolute Windows and UNIX directory path, any protocol scheme or path in universal naming convention format.

IDOR_PARAM_VALUE:

Rule name	Basic	Standard	Strict
(default DOR_002A) Absolute UNIX path - known top level directory in parameter value		x	x
(default DOR_003A) Absolute UNIX path - environment variables in parameter value		x	x
(default DOR_004A) Absolute UNIX path - critical system files in parameter value	x
(default DOR_005A) Critical application files in parameter value		x	x
(default DOR_006A) Absolute UNIX path - critical application files in parameter value	x
(default DOR_008A) Universal Naming Convention in parameter value			x
(default DOR_009A) Absolute Windows path - common top level directories in parameter value		x	x
(default DOR_010A) Directory traversal for Windows and UNIX in parameter value	x	x	x
(default DOR_011A) Critical file suffixes in parameter value			x
(default DOR_014A) Protocol scheme in parameter value		x	x
(default DOR_015A) Directory traversal or absolute path as parameter in URL in parameter value		x	x

Deny Rule Group - (default) Insecure Direct Object Reference in Path

The group contains insecure direct object reference deny rules and file inclusion deny rules for HTTP paths. The security level Basic and Standard prevents directory traversal and injection of certain critical files (e.g. .htaccess). The security level Strict further prevents injection of file paths with critical suffixes (e.g. .exe).

IDOR_PATH:

Rule name	Basic	Standard	Strict
(default DOR_010C) Directory traversal for Windows and UNIX in path	x	x	x
(default DOR_011C) Critical file suffixes in path			x
(default DOR_012C) Critical elements in path	x	x	x

Deny Rule Group - (default) NoSQL Injection in Parameter Name

Prevents NoSQL injection in parameter names

NOSQL_PARAM_NAME:

Rule name	Legacy	Basic	Standard	Strict
(default NOSQL_001D) Operator in JSON in parameter name			x	x
(default NOSQL_010D) NoSQL Operator as PHP Array Key in parameter name			x	x

Deny Rule Group - (default) NoSQL Injection in Parameter Value

Prevents NoSQL injection in parameter values

NOSQL_PARAM_VALUE:

Rule name	Standard	Strict
(default NOSQL_020A) JS Injection in $where clause in parameter value	x	x
(default NOSQL_030A) NoSQL Operator in parameter value	x	x
(default NOSQL_040A) NoSQL Method or Function in parameter value	x	x

Deny Rule Group - (default) NoSQL Injection in Header Value

Prevents NoSQL injection in header values

NOSQL_HEADER_VALUE:

Rule name	Legacy	Basic	Standard	Strict
(default NOSQL_030B) NoSQL Operator in HTTP header value			x	x
(default NOSQL_040B) NoSQL Method or Function in HTTP header value			x	x

Deny Rule Group - (default) Parameter Name Sanity

Prevents injection of special encoded characters in parameter names.

SANITY_PARAM_NAME:

Rule name	Basic	Standard	Strict
(default SAN_005D) Sanity check of parameter name	x	x	x
(default SAN_010D) Full-/half-width unicode in parameter name	x	x	x
(default SAN_015D) Non-printable characters in parameter name	x	x	x

Deny Rule Group - (default) Parameter Value Sanity

Prevents injection of special encoded characters in parameter values.

SANITY_PARAM_VALUE:

Rule name	Basic	Standard	Strict
(default SAN_010A) Full-/half-width unicode in parameter value	x	x	x
(default SAN_020A) Non-printable characters in parameter value	x	x
(default SAN_021A) Non-printable characters strict in parameter value			x

Deny Rule Group - (default) Header Name Sanity

Prevents injection of special encoded characters in header names.

SANITY_HEADER_NAME:

Rule name	Legacy	Basic	Standard	Strict
(default SAN_025E) Enforce alphanumeric characters in HTTP header name		x	x	x
(default SAN_055E) Header name longer than 60 characters			x	x

Deny Rule Group - (default) Header Value Sanity

Prevents injection of special encoded characters in header values.

SANITY_HEADER_VALUE:

Rule name	Basic	Standard	Strict
(default SAN_010B) Full-/half-width unicode in HTTP header value	x	x	x
(default SAN_030B) Enforce printable ASCII characters in HTTP header value	x	x	x
(default SAN_040B) Sanity check of Content-Type header value	x	x	x
(default SAN_045B) Sanity check of multipart content-type header value	x	x	x
(default SAN_050B) Unsafe character in HTTP header value			x
(default SAN_060B) Header value longer than 300 characters		x	x
(default SAN_070B) Sanity check of Accept-Encoding header value		x	x
(default SAN_080B) Sanity check of Accept-Language header value		x	x
(default SAN_090B) Sanity check of Accept header value		x	x
(default SAN_100B) Sanity check of Cache-Control header value	x	x	x
(default SAN_110B) Sanity check of Sec-Fetch- headers value		x	x
(default SAN_120B) Sanity check of Range header value		x	x

Deny Rule Group - (default) Path Sanity

Prevents injection of special encoded characters in HTTP paths.

SANITY_PATH:

Rule name	Legacy	Basic	Standard	Strict
(default SAN_010C) Full-/half-width unicode in path		x	x	x
(default SAN_015C) Non-printable characters in path		x	x	x

Deny Rule Group - (default) Encoding and Conversion Exploits in Parameter Value

Prevents injection of special encoded characters, such as double URL encoded characters in parameter values.

ENCONV_PARAM_VALUE:

Rule name	Legacy	Basic	Standard	Strict
(default ENC_005A) MIN_VALUE floating point attack in parameter value		x	x	x

Deny Rule Group - (default) Encoding and Conversion Exploits in Header Value

Prevents injection of special encoded characters, such as double URL encoded characters in header values.

ENCONV_HEADER_VALUE:

Rule name	Legacy	Basic	Standard	Strict
(default ENC_005B) MIN_VALUE floating point attack in HTTP header value		x	x	x

Deny Rule Group - (default) HTTP Response Splitting

Prevents HTTP response splitting by blocking injection of an HTML response body or response header.

HRS:

Rule name	Basic	Standard	Strict
(default HPE_005A) Critical response header injection in parameter value	x	x	x
(default HPE_010A) Response body injection in parameter value			x
(default HPE_015A) Critical response body injection in parameter value	x	x

Deny Rule Group - (default) HTTP Parameter Pollution

Prevents HTTP parameter pollution by blocking nested parameters in parameter values.

HPP:

Rule name	Legacy	Basic	Standard	Strict
(default HPE_020A) HTTP parameter pollution in parameter value				x

Deny Rule Group - (default) Miscellanous Exploits

The group prevents injections of special payloads not covered by the other Deny Rule groups.

MISC_EXPLOITS:

Rule name	Basic	Standard	Strict
(default ME_001A) Spring Core RCE Exploit (CVE-2022-22965) in parameter value		x	x
(default ME_001D) Spring Core RCE Exploit (CVE-2022-22965) in parameter name		x	x
(default ME_002B) Spring Cloud RCE Exploit (CVE-2022-22963) in HTTP header value	x	x	x

Deny Rule Group - (default) Automated Scanning

Prevents automated scanning with standard tools

SCANNING:

Rule name	Basic	Standard	Strict
(default AS_001A) SQL injection test with parameter value	x	x	x
(default AS_005A) XSS injection test with parameter value	x	x	x
(default AS_010A) XPath injection test with parameter value	x	x	x
(default AS_015A) OS command injection test with parameter value	x	x	x
(default AS_020A) PHP code injection test with parameter value	x	x	x
(default AS_025A) XML injection test with parameter value	x	x	x
(default AS_050B) Penetration testing tool detection with HTTP header value	x	x	x
(default AS_051A) NoSQL injection test with parameter value	x	x	x
(default AS_052A) Penetration testing tool detection with parameter value	x	x	x