# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.8
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under 
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


##############################################################################
# -=[ Charset Checks ]=-
#
# http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
##############################################################################

#
# [ Charset not set ]
#
# - http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms
#
SecRule &GLOBAL:MISSING_CHARSET "@eq 0" "phase:5,t:none,nolog,pass,id:'981219',setvar:global.missing_charset=0"
SecRule GLOBAL:MISSING_CHARSET "@le 10" "chain,phase:5,t:none,pass,id:'981220',log,msg:'[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content\'s meta tag.',logdata:'Content-Type Response Header: %{response_content_type}',tag:'WASCTC/WASC-15',tag:'APP_DEFECT/MISCONFIGURATION',tag:'http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms'"
        SecRule RESPONSE_STATUS "@rx ^2" "chain"
                SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
			SecRule RESPONSE_CONTENT_TYPE "(?i:^(text/html|text/xml|application/xml);?$)" "chain"
                        	SecRule RESPONSE_BODY "!@rx (?i:(<meta.*?(content|value)=\"text/html;\s?charset=|<\?xml.*?encoding=))" "setvar:global.missing_charset=+1,expirevar:global.missing_charset=86400"

#
# [ Charset not explicitly set to UTF-8 in HTML/XML content ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8
# - http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
#
SecRule &GLOBAL:CHARSET_NOT_UTF8 "@eq 0" "phase:5,t:none,nolog,pass,id:'981221',setvar:global.charset_not_utf8=0"
SecRule GLOBAL:CHARSET_NOT_UTF8 "@le 10" "chain,phase:5,t:none,pass,id:'981222',log,msg:'[Watcher Check]  The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content\'s meta tag.',logdata:'Content-Type Response Header: %{response_content_type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8'"
        SecRule RESPONSE_STATUS "@rx ^2" "chain"
                SecRule RESPONSE_CONTENT_TYPE "(?i:(^text/html|^application/xml|^text/xml))" "chain"
                        SecRule RESPONSE_CONTENT_TYPE "!@contains charset=utf-8" "chain,t:none,t:lowercase"
                                SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
                                        SecRule RESPONSE_BODY "!@rx (<meta.*?(content|value)=\"text/html;\s?charset=utf-8|<\?xml.*?encoding=\"utf-8\")" "t:none,t:lowercase,setvar:global.charset_not_utf8=+1,expirevar:global.charset_not_utf8=86400"

#
# [ Detect charset mismatches between HTTP header and HTML/XML bodies ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-mismatch
# - http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
#
SecRule &GLOBAL:CHARSET_MISMATCH "@eq 0" "phase:5,t:none,nolog,pass,id:'981223',setvar:global.charset_mismatch=0"
SecRule GLOBAL:CHARSET_MISMATCH "@le 10" "chain,phase:5,t:none,pass,id:'981224',log,msg:'[Watcher Check] The charset specified was not the same in the HTTP Content-Type header and in the HTML content\'s meta tag',logdata:'Content-Type Response Header Charset is: %{tx.charset_header} and HTTP Equiv Charset is: %{tx.charset_body}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-mismatch'"
        SecRule RESPONSE_STATUS "@rx ^2" "chain"
                SecRule RESPONSE_CONTENT_TYPE "(?i:^(text/html|text/xml|application/xml);\s?charset=([^;]*))" "chain,t:none,t:lowercase,capture,setvar:tx.charset_header=%{tx.2}"
			SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
                        	SecRule RESPONSE_BODY "(?i)(charset|encoding)=\"?(.*?)\"" "chain,t:none,t:lowercase,capture,setvar:tx.charset_body=%{tx.2}"
                                        SecRule TX:CHARSET_HEADER "!@streq %{tx.charset_body}" "t:none,setvar:global.charset_mismatch=+1,expirevar:global.charset_mismatch=86400"


##############################################################################
# -=[ Cookie Checks ]=-
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies
##############################################################################

#
# [ Look for cookies with loosely scoped domain restrictions ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-loosely-scoped-domain
# - http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
#
SecRule &GLOBAL:LOOSE_DOMAIN_SCOPE "@eq 0" "phase:5,t:none,nolog,pass,id:'981237',setvar:global.loose_domain_scope=0"
SecRule GLOBAL:LOOSE_DOMAIN_SCOPE "@le 10" "chain,phase:5,id:'981238',t:none,pass,log,auditlog,msg:'AppDefect: Loose Domain Cookie Flag Restrictions.',logdata:'Cookie: %{tx.1} and Domain: %{tx.2}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-loosely-scoped-domain'"
        SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!@rx (?i)domain=(?:(?!\d|-)[a-zA-Z0-9\-]{1,63}(?<!-)\.)([a-zA-Z0-9\-]{1,63}(?<!-)\.)(?:[a-zA-Z]{2,})" "chain,setvar:tx.set-cookie-counter=+1,setvar:tx.%{matched_var_name}_%{tx.set-cookie-counter}=%{matched_var}"
		SecRule TX:/^RESPONSE_HEADERS:Set-Cookie2?_/ "(?i)^(.*?);.*domain=(.*?);" "capture,setvar:global.loose_domain_scope=+1,expirevar:global.loose_domain_scope=86400" 


# 
# [ Cookie's HttpOnly Flag Was Not Set ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag 
# - https://www.owasp.org/index.php/HttpOnly
# 
SecRule &GLOBAL:MISSING_HTTPONLY "@eq 0" "phase:5,t:none,nolog,pass,id:'981235',setvar:global.missing_httponly=0"
SecRule GLOBAL:MISSING_HTTPONLY "@le 10" "chain,phase:5,id:'981184',t:none,pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag for %{tx.1}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag'" 
	SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(.*?)=(?i)(?!.*httponly.*)(.*$)" "capture,setvar:global.missing_httponly=+1,expirevar:global.missing_httponly=86400"

#
# [ Fix Missing "httponly" Flag ]
#
Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!httponly).)+)$" "$1; HttpOnly"


#
# [ Cookie's Secure Flag Was Not Set ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag
# - https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Use_.22Secure.22_Cookie_Flag
# 
SecRule &GLOBAL:MISSING_SECURE "@eq 0" "phase:3,t:none,nolog,pass,id:'981236',setvar:global.missing_secure=0"
SecRule GLOBAL:MISSING_SECURE "@le 10" "chain,phase:3,id:'981185',t:none,pass,log,auditlog,msg:'AppDefect: Missing Secure Cookie Flag for %{tx.1}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag'" 
    SecRule SERVER_PORT "@streq 443" "chain,t:none,setenv:secure_site" 
	SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(.*?)=(?i)(?!.*secure.*)(.*$)" "capture,setvar:global.missing_secure=+1,expirevar:global.missing_secure=86400"

#
# [ Fix Missing "secure" Flag ]
# 
Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!secure).)+)$" "$1; secure" env=secure_site 


##############################################################################
# -=[ HTTP Header Checks ]=-
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#header
##############################################################################

#
# [ Check that the cache-control HTTP header is set to 'no-store' ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store
#
SecRule &GLOBAL:CHECK_CACHE_CONTROL "@eq 0" "phase:5,t:none,nolog,pass,id:'981239',setvar:global.check_cache_control=0"
SecRule GLOBAL:CHECK_CACHE_CONTROL "@le 10" "chain,phase:5,id:'900046',t:none,pass,log,auditlog,msg:'AppDefect: Cache-Control Response Header Missing \'no-store\' flag.',logdata:'Cache-Control: %{response_headers.cache-control}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store'"
	SecRule RESPONSE_HEADERS:Cache-Control "!@contains no-store" "t:none,t:lowercase,setvar:global.check_cache_control=+1,expirevar:global.check_cache_control=86400"


#
# [ Check that a Content-Type header is included in the HTTP response ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-content-type-header-missing
#
SecRule &GLOBAL:CONTENT_TYPE_HEADER_EXISTS "@eq 0" "phase:5,t:none,nolog,pass,id:'981400',setvar:global.content_type_header_exists=0"
SecRule GLOBAL:CONTENT_TYPE_HEADER_EXISTS "@le 10" "chain,phase:5,id:'981401',t:none,pass,log,auditlog,msg:'AppDefect: Content-Type Response Header is Missing or Empty.',logdata:'Content-Type: %{response_headers.content-type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-content-type-header-missing'"
	SecRule &RESPONSE_HEADERS:Content-Type|RESPONSE_HEADERS:Content-Type "^0$|^$" "t:none,setvar:global.content_type_header_exists=+1,expirevar:global.content_type_header_exists=86400"


#
# [ Check that IE's XSS protection filter is not being disabled by the Web-application ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#internet-explorer-xss-filter-disabled
#
SecRule &GLOBAL:X_XSS_PROTECTION_DISABLED "@eq 0" "phase:5,t:none,nolog,pass,id:'981402',setvar:global.x_xss_protection_disabled=0"
SecRule GLOBAL:X_XSS_PROTECTION_DISABLED "@le 10" "chain,phase:5,id:'981403',t:none,pass,log,auditlog,msg:'AppDefect: IE8\'s XSS protection Filter is Disabled.',logdata:'X-XSS-Protection: %{response_headers.x-xss-protection}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#internet-explorer-xss-filter-disabled'"
        SecRule RESPONSE_HEADERS:X-XSS-Protection "@streq 0" "t:none,setvar:global.x_xss_protection_disabled=+1,expirevar:global.x_xss_protection_disabled=86400"


#
# [ Check that the X-FRAME-OPTIONS header is being set for Clickjacking defense ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options
#
SecRule &GLOBAL:X_FRAME_OPTIONS "@eq 0" "phase:5,t:none,nolog,pass,id:'981404',setvar:global.x_frame_options=0"
SecRule GLOBAL:X_FRAME_OPTIONS "@le 10" "chain,phase:5,id:'981405',t:none,pass,log,auditlog,msg:'AppDefect: X-FRAME-OPTIONS Response Header is Missing or not set to Deny.',logdata:'X-FRAME-OPTIONS: %{response_headers.x-frame-options}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options'"
        SecRule &RESPONSE_HEADERS:X-FRAME-OPTIONS|RESPONSE_HEADERS:X-FRAME-OPTIONS "^(?i:0|allow)$" "t:none,setvar:global.x_frame_options=+1,expirevar:global.x_frame_options=86400"


#
# [ Checks that the X-CONTENT-TYPE-OPTIONS defense against MIME-sniffing has been declared ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-content-type-options
#
SecRule &GLOBAL:X_CONTENT_TYPE_OPTIONS "@eq 0" "phase:5,t:none,nolog,pass,id:'981406',setvar:global.x_content_type_options=0"
SecRule &RESPONSE_HEADERS:Content-Type|RESPONSE_HEADERS:Content-Type "^0$|^$" "chain,phase:5,id:'981407',t:none,pass,log,auditlog,msg:'AppDefect: Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to \'nosniff\'.',logdata:'X-Content-Type-Options: %{response_headers.x-content-type-options}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-content-type-options'"
        SecRule GLOBAL:X_CONTENT_TYPE_OPTIONS "@le 10" "chain"
		SecRule &RESPONSE_HEADERS:X-Content-Type-Options|RESPONSE_HEADERS:X-Content-Type-Options "^0$|^[a-z]+(?<!:nosniff)" "t:none,t:lowercase,setvar:global.x_content_type_options=+1,expirevar:global.x_content_type_options=86400"



# XSS Detection - Missing Output Encoding
#
SecAction "phase:1,id:'900047',nolog,pass,initcol:global=xss_list"

#
# Identifies Reflected XSS
# If malicious input (with Meta-Characters) is echoed back in the reply non-encoded.
#
SecRule &ARGS "@gt 0" "chain,phase:4,id:'900048',t:none,log,auditlog,deny,status:403,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded.',logdata:'%{tx.inbound_meta-characters}'"
        SecRule ARGS "([\'\"\(\)\;<>#])" "chain,t:none"
                SecRule MATCHED_VAR "^.{15,}$" "chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}"
                        SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E"

#
# Check to see if TX XSS Data is already in the GLOBAL list.  If it is - expire it.
SecRule GLOBAL:'/XSS_LIST_.*/' "@streq %{tx.inbound_meta-characters}" "phase:4,id:'981180',t:none,nolog,pass,skip:1"
SecRule TX:INBOUND_META-CHARACTERS ".*" "phase:4,id:'981181',t:none,nolog,pass,setvar:global.xss_list_%{time_epoch}=%{matched_var}"

#
# Identifies Stored XSS
# If malicious input (with Meta-Characters) is echoed back on any page non-encoded.
SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" "phase:4,id:'981182',t:none,log,auditlog,pass,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded',tag:'WEB_ATTACK/XSS'"