PATH: opt/bitninja-waf3/coreruleset/regex-assembly
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.
##! Bypasses and techniques here come from:
##! - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
##! - https://github.com/cujanovic/SSRF-Testing

##!+ i

##! add capture group
##!^ (
##!$ )

##! This regex starts with a list of all the schemes that can be used to make a request
##!> assemble
  ##!> include url-schemes
  ##!=>
  ://
  ##!=>

  ##! http://425.510.425.510/ Dotted decimal with overflow (already covered by RFI rule 931100)
  ##! http://2852039166/ Dotless decimal
  ##! http://7147006462/ Dotless decimal with overflow
  \d{10}
  ##! http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal
  (?:0x[a-f0-9]{2}\.){3}0x[a-f0-9]{2}
  ##! http://0xA9FEA9FE/ Dotless hexadecimal
  0x[a-f0-9]{8}
  ##! http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow
  0x[a-f0-9]{16}
  ##! http://0251.0376.0251.0376/ Dotted octal
  ##! http://0251.00376.000251.0000376/ Dotted octal with padding
  (?:0{1,4}\d{1,3}\.){3}0{1,4}\d{1,3}
  ##! http://169.254.43518/
  \d{1,3}\.\d{1,3}\.\d{5}
  ##! http://169.16689662/
  \d{1,3}\.\d{8}

  ##! glibc Name Service Switch abuse
  ##! http://\\l\\o\\c\\a\\l\\h\\o\\s\\t (while underscore is not valid RFC syntax, it is allowed and might be used)
  (?:\x5c\x5c[a-z\d-]\.?_?)+

  ##! http://[::ffff:a9fe:a9fe] IPV6 Compressed - IPv6 (base regex from https://ihateregex.io/expr/ipv6/, with [0-9] converted to \d and with non-capturing groups (below))
  ##! http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded
  ##! http://[fe80::%zone1] link-local unicast with zone ID
  ##! http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4
  ##! http://[::] the unspecified address
  ##! Something that looks like IPv6 in a URL.
  ##! Matches full and compressed IPv6, link-local IPv6 with
  ##! zone ID, and embedded IPv4.
  ##! We could match the IPv6 specification here but that would
  ##! decrease performance of the regular expression and would
  ##! actually increase the possibility for bypasses.
  \[[a-f\d:]+(?:[\d.]+|%\w+)?\]

  ##! These come from https://github.com/cujanovic/SSRF-Testing
  ##! These bypasses work by confusing URL parsers in different languages (e.g., PHP, Python, Ruby, Perl)
  ##! and libraries (e.g. cURL). The bypasses are parser specific but will often be combined to break
  ##! multiple parsers with one try. The goal is often to get the application to call another library
  ##! with the malicious URL, e.g. libcurl or glibc (name resolution via gethostbyname(), see also
  ##! Name Service Switch abuse above).
  ##! http://127.88.23.245:22/+&@google.com:80#+@google.com:80/ (already covered by RFI rule 931100)
  ##! http://127.88.23.245:22/?@google.com:80/ (already covered by RFI rule 931100)
  ##! http://127.88.23.245:22/#@www.google.com:80/ (already covered by RFI rule 931100)
  ##! http://google.com:80\\@127.88.23.245:22/ (already covered by RFI rule 931100)
  ##! http://google.com:80+&@127.88.23.245:22/#+@google.com:80/
  ##! http://google.com:80+&@google.com:80#+@127.88.23.245:22/

  ##! create ip-or-domain for later use
  ##!> assemble
    (?:\d{1,3}\.){3,3}\d{1,3}
    [a-z][\w\-\.]{1,255}
    ##!=>
    :\d{1,5}
    ##!=< ip-or-domain
  ##!<

  ##!> assemble
    ##! domain + port
    [a-z][\w\-\.]{1,255}:\d{1,5}
    ##!=>

    ##! at least one of the evasion techniques
    ##!> assemble
      ##! technique 1
      ##!> assemble
        ##! possible white spaces to fool safety checks in URL parsers
        \s*
        ##!=>
        ##! &@ to confuse URL parsers (& can indicate query parameter, @ indicates user info)
        &?@
        ##!=>
        ##! IPv4 + port or domain + port
        ##!=> ip-or-domain
        ##! optional forward slash
        \/?
        ##!=>
      ##!<

      ##! technique 2
      ##!> assemble
        ##! fragment to confuse URL parsers
        #
        ##!=>
        ##! possible white spaces to fool safety checks in URL parsers
        \s*
        ##!=>
        ##! &@ to confuse URL parsers (& can indicate query parameter, @ indicates user info)
        &?@
        ##!=>
        ##! IPv4 + port or domain + port
        ##!=> ip-or-domain
        ##! optional forward slash
        /?
        ##!=>
      ##!<
    ##!<
    ##!=>
    +
    ##!=>
  ##!<

  ##! Enclosed alphanumerics are used for evasion (https://en.wikipedia.org/wiki/Enclosed_Alphanumerics).
  ##! See also https://github.com/cujanovic/SSRF-Testing.
  ##! These will normally sound many alarms, but having them flagged as ssrf attempt makes sense
  ##!> assemble
    ##! ⓪,①,②,③,④,⑤,⑥,⑦,⑧,⑨,⑩,⑪,⑫,⑬,⑭,⑮,⑯,⑰,⑱,⑲,⑳
    \xe2\x91[\xaa\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3]
    ##! ⑴,⑵,⑶,⑷,⑸,⑹,⑺,⑻,⑼,⑽,⑾,⑿
    \xe2\x91[\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf]
    ##! ⒀,⒁,⒂,⒃,⒄,⒅,⒆,⒇
    \xe2\x92[\x80\x81\x82\x83\x84\x85\x86\x87]
    ##! ⒈,⒉,⒊,⒋,⒌,⒍,⒎,⒏,⒐,⒑,⒒,⒓,⒔,⒕,⒖,⒗,⒘,⒙,⒚,⒛
    \xe2\x92[\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b]
    ##! ⒜,⒝,⒞,⒟,⒠,⒡,⒢,⒣,⒤,⒥,⒦,⒧,⒨,⒩,⒪,⒫,⒬,⒭,⒮,⒯,⒰,⒱,⒲,⒳,⒴,⒵
    \xe2\x92[\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5]
    ##! Ⓐ,Ⓑ,Ⓒ,Ⓓ,Ⓔ,Ⓕ,Ⓖ,Ⓗ,Ⓘ,Ⓙ
    \xe2\x92[\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf]
    ##! Ⓚ,Ⓛ,Ⓜ,Ⓝ,Ⓞ,Ⓟ,Ⓠ,Ⓡ,Ⓢ,Ⓣ,Ⓤ,Ⓥ,Ⓦ,Ⓧ,Ⓨ,Ⓩ
    \xe2\x93[\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f]
    ##! ⓐ,ⓑ,ⓒ,ⓓ,ⓔ,ⓕ,ⓖ,ⓗ,ⓘ,ⓙ,ⓚ,ⓛ
    \xe2\x93[\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b]
    ##! ⓜ,ⓝ,ⓞ,ⓟ,ⓠ,ⓡ,ⓢ,ⓣ,ⓤ,ⓥ,ⓦ,ⓧ,ⓨ,ⓩ
    \xe2\x93[\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9]
    ##! ⓫,⓬,⓭,⓮,⓯,⓰,⓱,⓲,⓳,⓴
    \xe2\x93[\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4]
    ##! ⓿,⓵,⓶,⓷,⓸,⓹,⓺,⓻,⓼,⓽,⓾
    \xe2\x93[\xbf\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe]
    ##! ideographic full stop: 。
    \xe3\x80\x82
    ##!=< enclosed-alnums
  ##!<

  ##! an IP could start with digits and dots
  ##!> assemble
    [\d.]{0,11}
    ##!=>
    ##!> assemble
      ##!=> enclosed-alnums
    ##!<
    ##!=>
    ##! match all for capture
    +
    ##!=>
  ##!<
##!<
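The rule above pattern-matches the alternative IPv4 spellings and the userinfo parser-confusion shapes at the WAF. The application-side counterpart is to canonicalise the host before any allow/deny decision; the following is an added example written for this page, not CRS or BitNinja code, and it assumes a lenient inet_aton-style reading of the literals (the `parse_ipv4_literal`, `canonical_ip` and `is_blocked_url` names are the example's own):

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example, not CRS code: decode the IPv4 spellings the rule's comments list
# (dotless decimal, hex, padded octal, 2/3-part, overflow) so a deny check sees the real target.
def parse_ipv4_literal(host):
    """Return an IPv4Address for an inet_aton-style literal, or None for a name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            vals.append(int(p, 16))
        elif re.fullmatch(r"0[0-7]*", p):           # leading zero: octal, any padding
            vals.append(int(p, 8))
        elif re.fullmatch(r"[1-9][0-9]*", p):
            vals.append(int(p))
        else:
            return None
    n = 0
    for v in vals[:-1]:                             # leading parts are single octets
        n = (n << 8) | (v & 0xFF)
    tail_bits = 8 * (5 - len(vals))                 # last part fills the rest (32 bits if dotless)
    n = (n << tail_bits) | (vals[-1] & ((1 << tail_bits) - 1))  # overflow truncates, as lenient parsers do
    return ipaddress.IPv4Address(n)

def canonical_ip(host):
    """Map a URL host to an ip_address, unwrapping IPv4-mapped IPv6; None for DNS names."""
    ip = parse_ipv4_literal(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host.split("%", 1)[0])   # drop a link-local zone id
        except ValueError:
            return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip

def is_blocked_url(url):
    """True if the URL carries userinfo (the '&@' / '#@' parser-confusion shapes) or
    its host canonicalises to a loopback, link-local, private, unspecified or multicast IP."""
    parts = urlsplit(url)
    if parts.username is not None or not parts.hostname:
        return True
    ip = canonical_ip(parts.hostname)
    if ip is None:
        return False                                # a DNS name: re-check after resolution
    return (not ip.is_global) or ip.is_multicast
```

A DNS name passes this check only provisionally; the resolved address must be checked the same way, and a rebinding-safe client pins the checked address for the actual connection.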