%timeout 10
# FILE 20 - protocol violations
%test Invalid HTTP Request Line (960911) - Test 1
#####################################################
%remark
This test has a TAB character before the request method.
%endremark
%status 400|403
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Invalid HTTP Request Line (960911) - Test 2
#####################################################
%remark
This test uses backslashes instead of forward slashes.
%endremark
%status 400|403
%request
GET \\index.html HTTP\1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Invalid HTTP Request Line (960911) - Test 3
#####################################################
%remark
This test has a pipe character before the request method.
%endremark
%status 400|403|501
%output 960911
%request
|GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Attempted multipart/form-data bypass (960000)
#####################################################
%remark
This test attempts form name parsing evasion using '.
%endremark
%output 960000
%request
POST /cgi-bin/fup.cgi HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/upload.html
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------627652292512397580456702590
Content-Length: $CONTENT_LENGTH
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name=x';filename="';name=contact.txt;"
Content-Type: text/plain
email: security@modsecurity.org
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name="note"
Contact info.
-----------------------------627652292512397580456702590--
%test Failed to parse request body (960912)
#####################################################
%remark
Part missing Content-Disposition header
%endremark
%output 960912
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.3.2/form.html
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: $CONTENT_LENGTH
-----------------------------265001916915724
Contt-Disposition: form-data; name="file"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disition: form-data; name="name"
tt2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
%test Multipart request body failed strict validation (960914)
#####################################################
%output 960914
%remark
Invalid Quoting
%endremark
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.3.2/form.html
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: $CONTENT_LENGTH
-----------------------------265001916915724
Content-Disposition: form-data; name='name; filename="'; name=payload;"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
tt2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
%test Multipart parser detected a possible unmatched boundary (960915)
#####################################################
%remark
Unmatched final boundary
%endremark
%output 960915
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.3.2/form.html
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: $CONTENT_LENGTH
-----------------------------265001916915724
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
tt2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915725--
%test Invalid Request Body (960000)
#####################################################
%remark
Invalid Quoting
%endremark
%output 960000
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.3.2/form.html
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: $CONTENT_LENGTH
-----------------------------265001916915724
Content-Disposition: form-data; name="fi;le"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
tt2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
%test Invalid Request Body/XML (960912)
#####################################################
%remark
Incorrect ending error tag
%endremark
%output 960912
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.3.2/form.html
Content-Type: text/xml
Content-Length: $CONTENT_LENGTH
http://www.w3.org/2002/03/xkms#Pending
http://www.w3.org/2002/03/xkms#X509Cert
%test Content-Length HTTP header is not numeric (960016)
#####################################################
%remark
When Apache received multiple headers with the same name, it will contat them into one header with commas separating the individual payloads.
%endremark
%status 413|400
%request
POST / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
Content-Length: 3
abc
%test Content-Length HTTP header is not numeric (960016)
#####################################################
%remark
Content-Length should only contain digits. This has a semi-colon.
%endremark
%status 413|400
%request
POST / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 3;
abc
%test GET or HEAD Request with Body Content (960011)
#####################################################
%remark
This request sends a request body while using a GET request.
%endremark
#%status 400
%output 960011
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: $CONTENT_LENGTH
abc
%test POST request missing Content-Length Header (960012)
#####################################################
%output 960012
%request
POST / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
%test Invalid Use of Identity Encoding (960902)
#####################################################
%output 960902
%event 960902
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Encoding: Identity
%test Expect Header Not Allowed for HTTP 1.0 (960022)
#####################################################
%output 960022
%event 960022
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Expect: 100-continue
%test Pragma Header requires Cache-Control Header for HTTP/1.1 requests (960020)
#####################################################
%output 960020
%event 960020
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Pragma: no-cache
%test Range: field exists and begins with 0 (958291)
#####################################################
%output 958291
%event 958291
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Range: bytes=0-
%test Range: Invalid Last Byte Value (958230)
#####################################################
%output 958230
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
Keep-Alive: 300
Proxy-Connection: keep-alive
Connection: close
%test Range: Too many fields (958231)
#####################################################
%output 958231
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
Keep-Alive: 300
Proxy-Connection: keep-alive
Connection: close
%test Multiple/Conflicting Connection Header Data Found (958295)
#####################################################
%output 958295
%event 958295
%var connection=keep-alive
%var connection=close
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Connection: $connection, $connection
%test URL Encoding Abuse Attack Attempt (950107)
#####################################################
%output 950107
%event 950107
%var encoded_arg=%1G
%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
%request
GET /?parm=$encoded_arg HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Multiple URL Encoding Detected (950109)
#####################################################
%output 950109
%event 950109
%var encoded_arg=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34
#%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
%request
GET /?parm=$encoded_arg HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test URL Encoding Abuse Attack Attempt (950108)
#####################################################
%output 950108
%event 950108
%var encoded_arg=%1G
%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: $CONTENT_LENGTH
param=$encoded_arg
%test URL Encoding Abuse Attack Attempt/XML (950108)
#####################################################
%output 950108
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: text/xml
Content-Length: $CONTENT_LENGTH
http://www.w3.org/2002/03/xkms#Pending
%1Gwww.attack.org
%test UTF8 Encoding Abuse Attack Attempt (950801)
#####################################################
%output 950801
%var arg=%c0%af
%var arg=%c0
%var arg=%F5%80%BF%BF
%request
GET /?param=$arg HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Unicode Full/Half Width Abuse Attack Attempt (950116)
#####################################################
%output 950116
%request
GET /?param=foo%uFF01 HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Proxy access attempt (960014)
#####################################################
%output 960014
%request
GET http://www.some_remote_site.com/ HTTP/1.0
Host: www.some_remote_site.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Invalid character in request (960901)
#####################################################
%output 960901
%event 960901
%request
GET /?param=foo%00 HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%endtest