# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under 
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#
# -=[ Watcher Checks ]=-
#
# Charset Checks:
# http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
#
SecRule &GLOBAL:MISSING_CHARSET "@eq 0" "phase:4,t:none,nolog,pass,id:'981219',setvar:global.missing_charset=0"
SecRule GLOBAL:MISSING_CHARSET "@le 10" "chain,phase:4,t:none,pass,id:'981220',log,msg:'Character Set (Charset) Not Specified for Response Content.',logdata:'%{response_content_type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Markup_Language'"
        SecRule RESPONSE_STATUS "@rx ^2" "chain"
                SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
                        SecRule RESPONSE_BODY "!@rx <meta.*?content=\"text/html; charset=" "chain,t:lowercase"
                                SecRule RESPONSE_CONTENT_TYPE "(?i:^text/html;?$)" "setvar:global.missing_charset=+1,expirevar:global.missing_charset=86400"

SecRule &GLOBAL:CHARSET_NOT_UTF8 "@eq 0" "phase:4,t:none,nolog,pass,id:'981221',setvar:global.charset_not_utf8=0"
SecRule GLOBAL:CHARSET_NOT_UTF8 "@le 10" "chain,phase:4,t:none,pass,id:'981222',log,msg:'Charset not explicitly set to UTF-8 in Content-Type or HTML/XML content',logdata:'Content-Type Header: %{response_content_type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8'"
        SecRule RESPONSE_STATUS "@rx ^2" "chain"
                SecRule RESPONSE_CONTENT_TYPE "(?i:^text/html)" "chain"
                        SecRule RESPONSE_CONTENT_TYPE "!@contains charset=utf-8" "chain,t:none,t:lowercase"
                                SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
                                        SecRule RESPONSE_BODY "!@rx <meta.*?content=\"text/html; charset=utf-8" "t:none,t:lowercase,setvar:global.charset_not_utf8=+1,expirevar:global.charset_not_utf8=86400"

SecRule &GLOBAL:CHARSET_MISMATCH "@eq 0" "phase:4,t:none,nolog,pass,id:'981223',setvar:global.charset_mismatch=0"
SecRule GLOBAL:CHARSET_MISMATCH "@le 10" "chain,phase:4,t:none,pass,id:'981224',log,msg:'Detect charset mismatches between HTTP header and HTML/XML bodies',logdata:'Content-Type Response Header Charset is: %{tx.charset_header} and HTTP Equiv Charset is: %{tx.charset_body}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-mismatch'"
        SecRule RESPONSE_STATUS "@rx ^2" "chain"
                SecRule RESPONSE_CONTENT_TYPE "(?i:^text/html;\s?charset=(.*))" "chain,t:none,t:lowercase,capture,setvar:tx.charset_header=%{tx.1}"
                        SecRule RESPONSE_BODY "(?i:<meta.*?content=\"text/html; charset=(.*?)\")" "chain,t:none,t:lowercase,capture,setvar:tx.charset_body=%{tx.1}"
                                SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
                                        SecRule TX:CHARSET_HEADER "!@streq %{tx.charset_body}" "t:none,setvar:global.charset_mismatch=+1,expirevar:global.charset_mismatch=86400"


#
# XSS Detection - Missing Output Encoding
#
SecAction "phase:1,nolog,pass,initcol:global=xss_list"

#
# Identifies Reflected XSS
# If malicious input (with Meta-Characters) is echoed back in the reply non-encoded.
#
SecRule &ARGS "@gt 0" "chain,phase:4,id:'981179',t:none,log,auditlog,deny,status:403,id:'1',msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded.',logdata:'%{tx.inbound_meta-characters}'"
 	SecRule ARGS "([\'\"\(\)\;<>#])" "chain,t:none"
		SecRule MATCHED_VAR "^.{15,}$" "chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}"
  			SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E"

#
# Check to see if TX XSS Data is already in the GLOBAL list.  If it is - expire it.
SecRule GLOBAL:'/XSS_LIST_.*/' "@streq %{tx.inbound_meta-characters}" "phase:4,id:'981180',t:none,nolog,pass,skip:1"
SecRule TX:INBOUND_META-CHARACTERS ".*" "phase:4,id:'981181',t:none,nolog,pass,setvar:global.xss_list_%{time_epoch}=%{matched_var}"
 
#
# Identifies Stored XSS
# If malicious input (with Meta-Characters) is echoed back on any page non-encoded.
SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" "phase:4,id:'981182',t:none,log,auditlog,pass,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded',tag:'WEB_ATTACK/XSS'"

#
# Identifies SessiondIDs without HTTPOnly flag
#

SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "phase:3,id:'981183',t:none,pass,nolog,setvar:tx.sessionid=%{matched_var}"

SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "phase:3,id:'981184',t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag.'"

SecRule SERVER_PORT "@streq 443" "chain,phase:3,id:'981185',t:none,pass,log,auditlog,msg:'AppDefect: Missing Secure Cookie Flag.'"
 SecRule TX:SESSIONID "!(?i:\;? ?secure;?)" "t:none,setenv:secure_cookie=%{matched_var}"

SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "chain,phase:3,id:'981186',t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly and Secure Cookie Flag.'"
 SecRule SERVER_PORT "@streq 443" "chain,t:none"
  SecRule TX:SESSIONID "!(?i:\;? ?secure;?)" "t:none,setenv:secure_httponly_cookie=%{matched_var}"

Header set Set-Cookie "%{httponly_cookie}e; HTTPOnly" env=httponly_cookie
Header set Set-Cookie "%{secure_cookie}e; Secure" env=secure_cookie
Header set Set-Cookie "%{secure_httponly_cookie}e; Secure; HTTPOnly" env=secure_httponly_cookie