Core Ruleset: 931xxx
Rules with the 931xxx prefix protect web applications from remote file inclusion (RFI) attempts made by attackers.
Paranoia Level 1 (default)
Rule: 931100
Protects web applications from directory traversal attacks. This will inspect request args, headers and files to ensure that no directory traversal attempts are made by the client.
Message: Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address
Example:
curl --request GET \
  --url 'http://localhost:8088/?q=https%3A%2F%2F1.1.1.1%2Findex.php'
Rule: 931110
Prevents the use of include statements in a request payload.
Message: Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
Example:
curl --request GET \
  --url 'http://localhost:8088/?q=include(%22ftp%3A%2F%2F1.1.1.1%2Ftest.php%22)'
Rule: 931120
Restricts the use of file protocols with a trailing question mark, which an attacker can use to trick a web server into including a file from a remote location.
Message: Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)
Example:
curl --request GET \
  --url 'http://localhost:8088/?q=https%3A%2F%2Fattacker.net%2Ftest.php%3F'
Paranoia Level 2
Rule: 931130
Some application packages will implicitly interpret url:file:// as a local address and include it without checking that the file exists locally.
Message: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
Example:
curl --request GET \
  --url 'http://localhost:8088/?q=uri%3Ahttps%3A%2F%2Fattacker.net%2Ffile.jar'
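To make the four checks above (931100, 931110, 931120 and 931130) concrete, here is an added Python example that is not CRS's own code: it approximates each rule's detection logic with simplified regexes and runs it over the query strings from the curl examples on this page. The regexes, the `own_host` assumption used for the 931130 "off-domain" test, and the sample queries are constructed for illustration; the real CRS rules are broader, are tuned against false positives, and inspect headers and file names as well as query arguments. Note that one value can trip more than one check, as the include() example shows.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Simplified, illustrative approximations of the four 931xxx checks.
# They are NOT the CRS regexes (constructed for this example).

# Any URL with a remote-capable scheme, wherever it appears in the value.
URL_RE = re.compile(r"(?:https?|ftps?|file)://[^\s\"'()<>]+", re.IGNORECASE)
# Dotted-quad IPv4 literal used as the URL host (931100).
IPV4_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# include()/require()-style call whose argument is a URL (931110).
INCLUDE_URL_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(\s*[\"']?\s*(?:https?|ftps?|file)://",
    re.IGNORECASE,
)
# 'url:' / 'uri:' prefixed reference to a URL (931130).
REF_PREFIX_RE = re.compile(r"^(?:url|uri)\s*:\s*(?=(?:https?|ftps?|file)://)", re.IGNORECASE)


def classify_value(value, own_host="localhost"):
    """Return the sorted list of rule ids (ints) whose approximated check the value trips.

    own_host is the hostname the application serves (an assumption for the
    931130 'off-domain' test); any other host is treated as a foreign origin.
    """
    hits = set()
    for match in URL_RE.finditer(value):
        url = match.group(0)
        host = (urlsplit(url).hostname or "").lower()
        if IPV4_HOST_RE.match(host):
            hits.add(931100)      # URL parameter using an IP address
        if url.endswith("?"):
            hits.add(931120)      # URL payload with a trailing '?'
    if INCLUDE_URL_RE.search(value):
        hits.add(931110)          # include(...) wrapping a URL payload
    prefix = REF_PREFIX_RE.match(value)
    if prefix:
        host = (urlsplit(value[prefix.end():]).hostname or "").lower()
        if host != own_host.lower():
            hits.add(931130)      # url:/uri: reference to an off-domain host
    return sorted(hits)


def inspect_query(raw_query, own_host="localhost"):
    """Decode a raw query string; map each offending parameter name to the rule ids it trips."""
    findings = {}
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        rules = classify_value(value, own_host)
        if rules:
            findings[name] = rules
    return findings


# Constructed sample queries: the four from this page plus two benign ones.
SAMPLES = [
    "q=https%3A%2F%2F1.1.1.1%2Findex.php",
    "q=include(%22ftp%3A%2F%2F1.1.1.1%2Ftest.php%22)",
    "q=https%3A%2F%2Fattacker.net%2Ftest.php%3F",
    "q=uri%3Ahttps%3A%2F%2Fattacker.net%2Ffile.jar",
    "q=hello+world&page=2",
    "q=https%3A%2F%2Flocalhost%2Fabout",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:55} -> {inspect_query(raw)}")
```

Run the block as a script to see each sample query mapped to the rule ids it would trip; the two benign queries produce an empty result, and a URL pointing at `own_host` does not trigger the 931130 off-domain check.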
Paranoia Level 3
This module does not define checks for paranoia level 3.
Paranoia Level 4
This module does not define checks for paranoia level 4.