Pattern cleanup across several rules (#1643)

* Drop unneeded non-capture groups

* No need to escape "-" outside character classes

And only if it is not at the end.

* Improve rule 941350

Previously, this rule will also match on the equivalent to "<..<".
Rewrite it so it is only triggered by the equivalent to "<..>",
simplifying the pattern quite a bit as a bonus.

While here add a link describing the bypass for future reference.

* Fix test

Was using the equivalent to "<...<" instead of "<...>".

Author: fgsch

rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

@@ -89,7 +89,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
 #
 
 # Gutenberg
-SecRule REQUEST_FILENAME "@rx ^/wp\-json/wp/v[0-9]+/(?:posts|pages)" \
+SecRule REQUEST_FILENAME "@rx ^/wp-json/wp/v[0-9]+/(?:posts|pages)" \
     "id:9002140,\
     phase:1,\
     pass,\

rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

@@ -266,7 +266,7 @@ SecRule REQUEST_METHOD "@rx ^POST$" \
 # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
 # http://seclists.org/fulldisclosure/2011/Aug/175
 #
-SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)\-(\d+)\," \
+SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)\," \
     "id:920190,\
     phase:2,\
     block,\
@@ -1135,7 +1135,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAf
 # https://httpd.apache.org/security/CVE-2011-3192.txt
 
 
-SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}" \
+SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
     "id:920200,\
     phase:2,\
     block,\
@@ -1176,7 +1176,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     ver:'OWASP_CRS/3.2.0',\
     severity:'WARNING',\
     chain"
-    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){63}" \
+    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
         "setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
 
 
@@ -1419,7 +1419,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     ver:'OWASP_CRS/3.2.0',\
     severity:'WARNING',\
     chain"
-    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}" \
+    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
         "setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}'"
 
 

rules/REQUEST-921-PROTOCOL-ATTACK.conf

@@ -171,7 +171,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule ARGS_GET_NAMES|ARGS_GET "@rx (?:\n|\r)+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
+SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
     "id:921160,\
     phase:1,\
     block,\

rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

@@ -646,11 +646,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 #
+# https://nedbatchelder.com/blog/200704/xss_with_utf7.html
 # UTF-7 encoding XSS filter evasion for IE.
 # Reported by Vladimir Ivanov
 #
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\+ADw\-|\+AD4\-).*(?:\+ADw\-|\+AD4\-|>)|(?:\+ADw\-|\+AD4\-|<).*(?:\+ADw\-|\+AD4\-)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \+ADw-.*(?:\+AD4-|>)|<.*\+AD4-" \
     "id:941350,\
     phase:2,\
     block,\

rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf

@@ -348,7 +348,7 @@ SecRule TX:sql_error_match "@eq 1" \
     ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
-    SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[\-\_\ ]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
+    SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
         "capture,\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\

rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf

@@ -106,7 +106,7 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
     ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
     chain"
-    SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF(?:F|2))" \
+    SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF[F2])" \
         "capture,\
         t:none,\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\

tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml

@@ -15,7 +15,7 @@
             dest_addr: 127.0.0.1
             method: GET
             port: 80
-            uri: /xx?id=%25252bADw-script%25252bADw-
+            uri: /xx?id=%25252bADw-script%25252bAD4-
             headers:
               Accept: "*/*"
               Host: localhost