secubox-openwrt/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/waf-rules.json
CyberMind-FR a0825c73c1 feat(waf): Add honeypot detection categories and fix JSON escapes
- Replace invalid \x00 JSON escapes with valid \u0000 Unicode escapes
- Add 4 new WAF rule categories:
  - waf_fingerprint (12 rules): WAF bypass/fingerprinting detection
  - honeypot (16 rules): Decoy file and admin panel probes
  - recon_crawler (10 rules): Reconnaissance file enumeration
  - credential_harvest (8 rules): Password/token exposure detection
- Total: 17 categories, 150 rules
- UI: Inline stats header layout for WAF Filters page

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-16 09:52:43 +01:00


{
"_meta": {
"version": "1.2.0",
"updated": "2026-02-24",
"sources": ["OWASP Top 10", "CERT advisories", "CVE database", "VoIP Security Research", "XMPP Standards Foundation", "CrowdSec Threat Intel"]
},
"categories": {
"sqli": {
"name": "SQL Injection",
"severity": "critical",
"enabled": true,
"owasp": "A03:2021",
"patterns": [
{"id": "sqli-001", "pattern": "union\\s+(all\\s+)?select", "desc": "UNION-based injection"},
{"id": "sqli-002", "pattern": "['\"]\\s*(or|and)\\s*['\"]?\\d", "desc": "Boolean-based injection"},
{"id": "sqli-003", "pattern": "(sleep|benchmark|waitfor|pg_sleep)\\s*\\(", "desc": "Time-based blind injection"},
{"id": "sqli-004", "pattern": "information_schema\\.", "desc": "Schema enumeration"},
{"id": "sqli-005", "pattern": "(load_file|into\\s+outfile|into\\s+dumpfile)", "desc": "File operations"},
{"id": "sqli-006", "pattern": "group\\s+by.+having", "desc": "HAVING clause injection"},
{"id": "sqli-007", "pattern": "order\\s+by\\s+\\d+(,\\d+)*--", "desc": "ORDER BY injection"}
]
},
"xss": {
"name": "Cross-Site Scripting",
"severity": "high",
"enabled": true,
"owasp": "A03:2021",
"patterns": [
{"id": "xss-001", "pattern": "<script[^>]*>", "desc": "Script tag injection"},
{"id": "xss-002", "pattern": "javascript\\s*:", "desc": "JavaScript protocol"},
{"id": "xss-003", "pattern": "on(error|load|click|mouse|focus|blur)\\s*=", "desc": "Event handler injection"},
{"id": "xss-004", "pattern": "<iframe[^>]*>", "desc": "Iframe injection"},
{"id": "xss-005", "pattern": "<svg[^>]*onload", "desc": "SVG-based XSS"},
{"id": "xss-006", "pattern": "expression\\s*\\(", "desc": "CSS expression injection"}
]
},
"lfi": {
"name": "Local File Inclusion",
"severity": "critical",
"enabled": true,
"owasp": "A01:2021",
"patterns": [
{"id": "lfi-001", "pattern": "\\.\\./", "desc": "Directory traversal"},
{"id": "lfi-002", "pattern": "/etc/(passwd|shadow|hosts)", "desc": "System file access"},
{"id": "lfi-003", "pattern": "/proc/(self|version|cmdline)", "desc": "Proc filesystem access"},
{"id": "lfi-004", "pattern": "php://filter", "desc": "PHP filter wrapper"},
{"id": "lfi-005", "pattern": "file://", "desc": "File protocol"},
{"id": "lfi-006", "pattern": "expect://", "desc": "Expect wrapper RCE"}
]
},
"rce": {
"name": "Remote Code Execution",
"severity": "critical",
"enabled": true,
"owasp": "A03:2021",
"patterns": [
{"id": "rce-001", "pattern": ";\\s*(cat|ls|id|whoami|uname|pwd)", "desc": "Command chaining"},
{"id": "rce-002", "pattern": "\\|\\s*(cat|ls|id|whoami|bash|sh)", "desc": "Pipe injection"},
{"id": "rce-003", "pattern": "\\$\\((cat|ls|id|whoami)", "desc": "Command substitution"},
{"id": "rce-004", "pattern": "`(cat|ls|id|whoami|curl|wget)`", "desc": "Backtick execution"},
{"id": "rce-005", "pattern": "(curl|wget)\\s+.+\\s*\\|\\s*(bash|sh)", "desc": "Remote script execution"},
{"id": "rce-006", "pattern": "\\{\\{.*\\}\\}", "desc": "Template injection (SSTI)"}
]
},
"cve_2024": {
"name": "CVE 2024-2025 Exploits",
"severity": "critical",
"enabled": true,
"patterns": [
{"id": "cve-2024-3400", "pattern": "/api/v\\d/totp/user-backup", "desc": "PAN-OS GlobalProtect RCE", "cve": "CVE-2024-3400"},
{"id": "cve-2024-21887", "pattern": "/api/v1/totp/user-backup", "desc": "Ivanti Connect Secure", "cve": "CVE-2024-21887"},
{"id": "cve-2023-46747", "pattern": "/mgmt/tm/util/bash", "desc": "F5 BIG-IP RCE", "cve": "CVE-2023-46747"},
{"id": "cve-2023-22515", "pattern": "/setup/setupadministrator.action", "desc": "Confluence RCE", "cve": "CVE-2023-22515"},
{"id": "cve-2024-1709", "pattern": "/SetupWizard\\.aspx", "desc": "ConnectWise ScreenConnect", "cve": "CVE-2024-1709"},
{"id": "cve-2024-27198", "pattern": "/app/rest/users/id:\\d+/tokens", "desc": "TeamCity auth bypass", "cve": "CVE-2024-27198"}
]
},
"scanners": {
"name": "Vulnerability Scanners",
"severity": "medium",
"enabled": true,
"patterns": [
{"id": "scan-001", "pattern": "(nikto|nmap|sqlmap|burp|zap|acunetix)", "desc": "Scanner user-agent", "check": "user-agent"},
{"id": "scan-002", "pattern": "/\\.git/config", "desc": "Git config probe"},
{"id": "scan-003", "pattern": "/\\.env", "desc": "Environment file probe"},
{"id": "scan-004", "pattern": "/(wp-login|xmlrpc)\\.php", "desc": "WordPress probe"},
{"id": "scan-005", "pattern": "/actuator/(health|info|env)", "desc": "Spring Boot actuator"},
{"id": "scan-006", "pattern": "/debug/pprof", "desc": "Go pprof debug"}
]
},
"webmail": {
"name": "Webmail Specific",
"severity": "high",
"enabled": true,
"patterns": [
{"id": "mail-001", "pattern": "\\.\\./(config|db|data)", "desc": "Roundcube path traversal"},
{"id": "mail-002", "pattern": "_action=(upload|import).*\\.(php|phtml)", "desc": "Malicious upload"},
{"id": "mail-003", "pattern": "_uid=.*['\"><>]", "desc": "XSS in mail UID"},
{"id": "mail-004", "pattern": "installer/", "desc": "Installer access attempt"},
{"id": "mail-005", "pattern": "(temp|logs)/.*\\.(php|sh|pl)", "desc": "Script in temp/logs"}
]
},
"api_abuse": {
"name": "API Abuse",
"severity": "medium",
"enabled": true,
"patterns": [
{"id": "api-001", "pattern": "/api/.*/admin", "desc": "Admin API access"},
{"id": "api-002", "pattern": "graphql.*(__schema|introspection)", "desc": "GraphQL introspection"},
{"id": "api-003", "pattern": "\\{.*\\$where.*\\}", "desc": "NoSQL injection"},
{"id": "api-004", "pattern": "jwt=.*\\.\\.\\.\\.", "desc": "JWT manipulation"}
]
},
"voip": {
"name": "VoIP/SIP Security",
"severity": "high",
"enabled": true,
"patterns": [
{"id": "voip-001", "pattern": "SIP/2\\.0.*\\r\\n.*Via:.*\\r\\n.*<sip:[^>]*;[^>]*exec", "desc": "SIP header injection", "check": "body"},
{"id": "voip-002", "pattern": "INVITE sip:.*\\$\\(|`|;", "desc": "SIP INVITE command injection"},
{"id": "voip-003", "pattern": "/ari/(channels|bridges|endpoints|recordings)/.*(\\||;|`|\\$\\()", "desc": "Asterisk ARI command injection"},
{"id": "voip-004", "pattern": "/admin/config\\.php.*(system|exec|passthru|shell_exec)", "desc": "FreePBX RCE attempt", "cve": "CVE-2019-19006"},
{"id": "voip-005", "pattern": "/recordings/misc/audio\\.php.*file=\\.\\./", "desc": "FreePBX path traversal", "cve": "CVE-2019-19006"},
{"id": "voip-006", "pattern": "Action:\\s*(originate|redirect).*Channel:.*Local/.*@", "desc": "AMI command injection via Channel"},
{"id": "voip-007", "pattern": "/cgi-bin/asterisk\\.cgi.*\\|", "desc": "Asterisk CGI injection"},
{"id": "voip-008", "pattern": "Content-Type:.*multipart.*boundary.*\\.\\./", "desc": "SIP multipart traversal"},
{"id": "voip-009", "pattern": "Digest.*uri=\".*\\.\\./", "desc": "SIP Digest auth traversal"},
{"id": "voip-010", "pattern": "SIP.*realm=\".*[<>'\"]", "desc": "SIP realm injection"},
{"id": "voip-011", "pattern": "/asterisk/rawman\\?action=", "desc": "Unauthenticated AMI web access"},
{"id": "voip-012", "pattern": "Record-Route:.*<sip:[^>]*\\$\\{", "desc": "SIP header expression injection"}
]
},
"xmpp": {
"name": "XMPP/Jabber Security",
"severity": "high",
"enabled": true,
"patterns": [
{"id": "xmpp-001", "pattern": "<message.*<script", "desc": "XSS in XMPP message"},
{"id": "xmpp-002", "pattern": "<iq.*type=[\"']set[\"'].*<query.*xmlns=[\"']jabber:iq:register", "desc": "Open registration abuse"},
{"id": "xmpp-003", "pattern": "/http-bind.*<body.*sid=[\"'].*[<>'\"]", "desc": "BOSH session hijack"},
{"id": "xmpp-004", "pattern": "xmlns:xi=[\"']http://www.w3.org/2001/XInclude", "desc": "XXE via XInclude"},
{"id": "xmpp-005", "pattern": "<!ENTITY.*SYSTEM.*file://", "desc": "XXE in XMPP stream"},
{"id": "xmpp-006", "pattern": "/xmpp-websocket.*<stream:stream.*xmlns:.*=.*javascript:", "desc": "WebSocket XSS"},
{"id": "xmpp-007", "pattern": "<presence.*<show>.*<script", "desc": "XSS in presence"},
{"id": "xmpp-008", "pattern": "/upload.*filename=[\"'].*(php|phtml|jsp|asp)", "desc": "HTTP upload abuse"},
{"id": "xmpp-009", "pattern": "<x.*xmlns=[\"']jabber:x:oob[\"'].*<url>.*file://", "desc": "OOB file access"},
{"id": "xmpp-010", "pattern": "to=[\"'][^\"']*(@|%)00", "desc": "Null byte in JID"}
]
},
"cve_voip": {
"name": "VoIP CVE Exploits",
"severity": "critical",
"enabled": true,
"patterns": [
{"id": "cve-ast-2021-26906", "pattern": "/asterisk.*res_pjsip.*malformed.*sdp", "desc": "Asterisk PJSIP crash", "cve": "CVE-2021-26906"},
{"id": "cve-ast-2022-42705", "pattern": "Content-Length:\\s*-", "desc": "Asterisk negative Content-Length DoS", "cve": "CVE-2022-42705"},
{"id": "cve-ast-2022-42706", "pattern": "Via:.*branch=z9hG4bK.*\\u0000", "desc": "Asterisk Via header overflow", "cve": "CVE-2022-42706"},
{"id": "cve-ast-2023-37457", "pattern": "Route:.*<sip:.*;lr>\\s*,\\s*<sip:.*;lr>.*\\u0000", "desc": "Asterisk Route header crash", "cve": "CVE-2023-37457"},
{"id": "cve-ast-2023-49294", "pattern": "INVITE.*m=audio.*a=rtpmap:\\d+.*\\s{1000,}", "desc": "Asterisk SDP buffer overflow", "cve": "CVE-2023-49294"},
{"id": "cve-ast-2024-35190", "pattern": "CSeq:.*[A-Z]{50,}", "desc": "Asterisk CSeq method overflow", "cve": "CVE-2024-35190"},
{"id": "cve-fpbx-2023-26566", "pattern": "/admin/ajax\\.php.*command=.*`", "desc": "FreePBX command injection", "cve": "CVE-2023-26566"},
{"id": "cve-kamailio-2020-27507", "pattern": "Via:.*received=.*\\[\\d{1000,}", "desc": "Kamailio overflow", "cve": "CVE-2020-27507"},
{"id": "cve-opensips-2023-49323", "pattern": "Contact:.*<sip:.*>;\\+sip\\.instance=.*\\u0000", "desc": "OpenSIPS crash", "cve": "CVE-2023-49323"}
]
},
"cve_xmpp": {
"name": "XMPP CVE Exploits",
"severity": "critical",
"enabled": true,
"patterns": [
{"id": "cve-prosody-2021-37601", "pattern": "xmlns=[\"'].*[\"']\\s*xmlns=[\"']", "desc": "Prosody namespace confusion", "cve": "CVE-2021-37601"},
{"id": "cve-prosody-2022-0217", "pattern": "<stream:stream.*version=[\"'].*\\u0000", "desc": "Prosody stream DoS", "cve": "CVE-2022-0217"},
{"id": "cve-prosody-2024-25274", "pattern": "/http-upload.*Content-Length:\\s*\\d{10,}", "desc": "Prosody upload DoS", "cve": "CVE-2024-25274"},
{"id": "cve-ejabberd-2023-29529", "pattern": "<iq.*type=[\"']get[\"'].*<query.*xmlns=[\"']http://jabber.org/protocol/disco", "desc": "ejabberd disco info leak", "cve": "CVE-2023-29529"},
{"id": "cve-conversejs-2020-25017", "pattern": "converse\\.js.*message.*<img.*onerror", "desc": "Converse.js XSS", "cve": "CVE-2020-25017"},
{"id": "cve-strophe-2022-29168", "pattern": "Strophe\\.js.*<body.*xmlns=.*\\u0000", "desc": "Strophe.js parsing crash", "cve": "CVE-2022-29168"},
{"id": "cve-xmpp-2021-21351", "pattern": "XMPPframework.*<iq.*<enable.*xmlns=[\"'].*push", "desc": "XMPP push auth bypass"},
{"id": "cve-tigase-2023-39350", "pattern": "/rest/adhoc/.*sess-man.*user-add", "desc": "Tigase unauthenticated user creation", "cve": "CVE-2023-39350"}
]
},
"router_botnet": {
"name": "Router/IoT Botnet Exploits",
"severity": "critical",
"enabled": true,
"patterns": [
{"id": "cve-2025-14528", "pattern": "/getcfg\\.php.*AUTHORIZED_GROUP", "desc": "D-Link getcfg.php credential leak", "cve": "CVE-2025-14528"},
{"id": "cve-2025-14528-srv", "pattern": "/getcfg\\.php.*SERVICES=DEVICE\\.ACCOUNT", "desc": "D-Link DEVICE.ACCOUNT enumeration", "cve": "CVE-2025-14528"},
{"id": "cve-2025-14528-nl", "pattern": "/getcfg\\.php.*(%0a|%0d|\\n|\\r)", "desc": "D-Link getcfg newline injection", "cve": "CVE-2025-14528"},
{"id": "dlink-getcfg", "pattern": "/getcfg\\.php\\?", "desc": "D-Link getcfg.php probe (botnet recon)"},
{"id": "dlink-hedwig", "pattern": "/hedwig\\.cgi", "desc": "D-Link Hedwig command injection"},
{"id": "dlink-hnap", "pattern": "/HNAP1/", "desc": "D-Link HNAP protocol abuse"},
{"id": "dlink-service", "pattern": "/service\\.cgi.*(exec|system|passthru)", "desc": "D-Link service.cgi RCE"},
{"id": "router-upnp-soap", "pattern": "/(upnp|UPnP)/.*<SOAP-ENV", "desc": "UPnP SOAP injection"},
{"id": "router-setup-cgi", "pattern": "/setup\\.cgi.*next_file=", "desc": "Router setup.cgi traversal"},
{"id": "router-goform", "pattern": "/goform/.*\\$\\(|`|;", "desc": "Router goform command injection"},
{"id": "router-cgi-bin", "pattern": "/cgi-bin/(firmwareupgrade|upgrade|syscmd|syslog)", "desc": "Router sensitive CGI access"},
{"id": "router-admin-pw", "pattern": "/userRpm/.*admin.*password", "desc": "Router admin password access"},
{"id": "tplink-cgi", "pattern": "/cgi-bin/luci.*;.*admin", "desc": "TP-Link LuCI injection"},
{"id": "netgear-cgi", "pattern": "/cgi-bin/.*setup\\.cgi.*syscmd", "desc": "Netgear setup.cgi command exec"},
{"id": "asus-infosvr", "pattern": "/(infosvr|apply\\.cgi).*action_mode", "desc": "ASUS router command exec"},
{"id": "mirai-scan", "pattern": "User-Agent:.*(Mirai|Hajime|Mozi|BotenaGo)", "desc": "Mirai-variant botnet scanner", "check": "user-agent"},
{"id": "router-telnet-enable", "pattern": "/(syscmd|system_cmd).*telnetd", "desc": "Router telnet enable attempt"},
{"id": "router-wget-inject", "pattern": "/(setup|apply|cmd).*wget.*\\|", "desc": "Router wget payload injection"},
{"id": "zyxel-zhttpd", "pattern": "/cgi-bin/zhttpd/.*shell", "desc": "Zyxel zhttpd shell injection"}
]
},
"waf_fingerprint": {
"name": "WAF Fingerprinting",
"severity": "medium",
"enabled": true,
"patterns": [
{"id": "waf-fp-001", "pattern": "<%25", "desc": "ASP tag bypass attempt"},
{"id": "waf-fp-002", "pattern": "%00.*\\.php", "desc": "Null byte file extension bypass"},
{"id": "waf-fp-003", "pattern": "\\x00|%00|\\\\x00", "desc": "Null byte injection probe"},
{"id": "waf-fp-004", "pattern": "(s|S)(e|E)(l|L)(e|E)(c|C)(t|T)", "desc": "Case alternation bypass"},
{"id": "waf-fp-005", "pattern": "/\\*.*\\*/", "desc": "SQL comment bypass probe"},
{"id": "waf-fp-006", "pattern": "uni%6fn|%73elect|%27%6fr", "desc": "URL encoding bypass"},
{"id": "waf-fp-007", "pattern": "u\\+006e\\+0069\\+006f\\+006e", "desc": "Unicode encoding bypass"},
{"id": "waf-fp-008", "pattern": "sELeCt|UniOn|ScRiPt", "desc": "Mixed case WAF bypass"},
{"id": "waf-fp-009", "pattern": "concat_ws|char\\(|conv\\(", "desc": "SQL function obfuscation"},
{"id": "waf-fp-010", "pattern": "\\|\\|\\s*'", "desc": "Oracle concatenation bypass"},
{"id": "waf-fp-011", "pattern": "%bf%27|%ef%bb%bf", "desc": "UTF-8 BOM/overlong bypass"},
{"id": "waf-fp-012", "pattern": "wafw00f|whatwaf|waffit|wafdetect", "desc": "WAF detection tool user-agent", "check": "user-agent"}
]
},
"honeypot": {
"name": "Honeypot Traps",
"severity": "high",
"enabled": true,
"patterns": [
{"id": "honey-001", "pattern": "/admin\\.bak", "desc": "Fake admin backup probe"},
{"id": "honey-002", "pattern": "/backup\\.sql", "desc": "Fake SQL backup probe"},
{"id": "honey-003", "pattern": "/wp-config\\.bak", "desc": "Fake WP config backup"},
{"id": "honey-004", "pattern": "/\\.secret", "desc": "Hidden secret file probe"},
{"id": "honey-005", "pattern": "/passwords?\\.txt", "desc": "Password file probe"},
{"id": "honey-006", "pattern": "/debug\\.log", "desc": "Debug log file probe"},
{"id": "honey-007", "pattern": "/phpinfo\\.php", "desc": "PHP info probe"},
{"id": "honey-008", "pattern": "/adminer\\.php", "desc": "Adminer DB probe"},
{"id": "honey-009", "pattern": "/phpmyadmin/setup\\.php", "desc": "phpMyAdmin setup probe"},
{"id": "honey-010", "pattern": "/wp-admin/install\\.php", "desc": "WordPress installer probe"},
{"id": "honey-011", "pattern": "/\\.aws/credentials", "desc": "AWS credentials probe"},
{"id": "honey-012", "pattern": "/config\\.php\\.bak", "desc": "Config backup probe"},
{"id": "honey-013", "pattern": "/server-status", "desc": "Apache status probe"},
{"id": "honey-014", "pattern": "/elmah\\.axd", "desc": ".NET error handler probe"},
{"id": "honey-015", "pattern": "/jmx-console", "desc": "JBoss JMX console probe"},
{"id": "honey-016", "pattern": "/manager/html", "desc": "Tomcat manager probe"}
]
},
"recon_crawler": {
"name": "Reconnaissance Crawlers",
"severity": "low",
"enabled": true,
"patterns": [
{"id": "recon-001", "pattern": "/robots\\.txt", "desc": "Robots.txt enumeration"},
{"id": "recon-002", "pattern": "/sitemap\\.xml", "desc": "Sitemap enumeration"},
{"id": "recon-003", "pattern": "/crossdomain\\.xml", "desc": "Flash crossdomain probe"},
{"id": "recon-004", "pattern": "/security\\.txt", "desc": "Security.txt enumeration"},
{"id": "recon-005", "pattern": "/\\.well-known/", "desc": "Well-known directory scan"},
{"id": "recon-006", "pattern": "/favicon\\.ico", "desc": "Favicon fingerprint", "check": "hash"},
{"id": "recon-007", "pattern": "/(readme|changelog|license)\\.(txt|md|html)", "desc": "Version disclosure files"},
{"id": "recon-008", "pattern": "/humans\\.txt", "desc": "Humans.txt enumeration"},
{"id": "recon-009", "pattern": "/\\.svn/entries", "desc": "SVN metadata probe"},
{"id": "recon-010", "pattern": "/\\.hg/", "desc": "Mercurial metadata probe"}
]
},
"credential_harvest": {
"name": "Credential Harvesting",
"severity": "critical",
"enabled": true,
"patterns": [
{"id": "cred-001", "pattern": "/api/(login|auth).*password=", "desc": "Password in URL"},
{"id": "cred-002", "pattern": "Authorization:\\s*Basic\\s+[A-Za-z0-9+/=]{10,}", "desc": "Basic auth interception"},
{"id": "cred-003", "pattern": "(api_?key|apikey|access_?token)=[A-Za-z0-9]{16,}", "desc": "API key in URL"},
{"id": "cred-004", "pattern": "\\?.*token=[A-Za-z0-9._-]{20,}", "desc": "JWT/token in URL"},
{"id": "cred-005", "pattern": "/oauth/.*client_secret=", "desc": "OAuth secret in URL"},
{"id": "cred-006", "pattern": "X-API-Key:\\s*[A-Za-z0-9]{20,}", "desc": "API key header"},
{"id": "cred-007", "pattern": "/(config|settings).*password", "desc": "Config password probe"},
{"id": "cred-008", "pattern": "/export.*(user|account|customer)", "desc": "User data export attempt"}
]
}
}
}