Cloud Armor preconfigured WAF rules overview

Google Cloud Armor preconfigured WAF rules are complex web application firewall (WAF) rules with dozens of signatures that are compiled from open source industry standards. Each signature corresponds to an attack detection rule in the ruleset. Google offers these rules as is. The rules let Cloud Armor evaluate dozens of distinct traffic signatures by referring to conveniently named rules rather than requiring you to define each signature manually.

Google Cloud Armor preconfigured WAF rules can be tuned to best suit your needs. For more information about how to tune the rules, see Tune Google Cloud Armor preconfigured WAF rules.

The following table contains a comprehensive list of preconfigured WAF rules that are available for use in a Cloud Armor security policy. These rules are based on the OWASP ModSecurity Core Rule Set (CRS), such as OWASP Core Rule Set 4.22. We recommend using version 4.22 for the most up-to-date protection against modern threats. CRS 3.3 and 3.0 remain supported, but we recommend avoiding older versions, especially CRS version 3.0, whenever your workloads allow for the 4.22 rules.

CRS 4.22

Cloud Armor rule name OWASP rule name Current status
SQL injection sqli-v422-stable In sync with sqli-v422-canary
sqli-v422-canary Latest
Cross-site scripting xss-v422-stable In sync with xss-v422-canary
xss-v422-canary Latest
Local file inclusion lfi-v422-stable In sync with lfi-v422-canary
lfi-v422-canary Latest
Remote file inclusion rfi-v422-stable In sync with rfi-v422-canary
rfi-v422-canary Latest
Remote code execution rce-v422-stable In sync with rce-v422-canary
rce-v422-canary Latest
Method enforcement methodenforcement-v422-stable In sync with methodenforcement-v422-canary
methodenforcement-v422-canary Latest
Scanner detection scannerdetection-v422-stable In sync with scannerdetection-v422-canary
scannerdetection-v422-canary Latest
Protocol attack protocolattack-v422-stable In sync with protocolattack-v422-canary
protocolattack-v422-canary Latest
PHP injection attack php-v422-stable In sync with php-v422-canary
php-v422-canary Latest
Session fixation attack sessionfixation-v422-stable In sync with sessionfixation-v422-canary
sessionfixation-v422-canary Latest
Java attack java-v422-stable In sync with java-v422-canary
java-v422-canary Latest
Generic attack generic-v422-stable In sync with generic-v422-canary
generic-v422-canary Latest

CRS 3.3

Cloud Armor rule name OWASP rule name Current status
SQL injection sqli-v33-stable In sync with sqli-v33-canary
sqli-v33-canary Latest
Cross-site scripting xss-v33-stable In sync with xss-v33-canary
xss-v33-canary Latest
Local file inclusion lfi-v33-stable In sync with lfi-v33-canary
lfi-v33-canary Latest
Remote file inclusion rfi-v33-stable In sync with rfi-v33-canary
rfi-v33-canary Latest
Remote code execution rce-v33-stable In sync with rce-v33-canary
rce-v33-canary Latest
Method enforcement methodenforcement-v33-stable In sync with methodenforcement-v33-canary
methodenforcement-v33-canary Latest
Scanner detection scannerdetection-v33-stable In sync with scannerdetection-v33-canary
scannerdetection-v33-canary Latest
Protocol attack protocolattack-v33-stable In sync with protocolattack-v33-canary
protocolattack-v33-canary Latest
PHP injection attack php-v33-stable In sync with php-v33-canary
php-v33-canary Latest
Session fixation attack sessionfixation-v33-stable In sync with sessionfixation-v33-canary
sessionfixation-v33-canary Latest
Java attack java-v33-stable In sync with java-v33-canary
java-v33-canary Latest
NodeJS attack nodejs-v33-stable In sync with nodejs-v33-canary
nodejs-v33-canary Latest

CRS 3.0

Cloud Armor rule name OWASP rule name Current status
SQL injection sqli-stable In sync with sqli-canary
sqli-canary Latest
Cross-site scripting xss-stable In sync with xss-canary
xss-canary Latest
Local file inclusion lfi-stable In sync with lfi-canary
lfi-canary Latest
Remote file inclusion rfi-stable In sync with rfi-canary
rfi-canary Latest
Remote code execution rce-stable In sync with rce-canary
rce-canary Latest
Method enforcement methodenforcement-stable In sync with methodenforcement-canary
methodenforcement-canary Latest
Scanner detection scannerdetection-stable In sync with scannerdetection-canary
scannerdetection-canary Latest
Protocol attack protocolattack-stable In sync with protocolattack-canary
protocolattack-canary Latest
PHP injection attack php-stable In sync with php-canary
php-canary Latest
Session fixation attack sessionfixation-stable In sync with sessionfixation-canary
sessionfixation-canary Latest
Java attack Not included
NodeJS attack Not included

In addition, the following cve-canary rules are available to all Cloud Armor customers to help detect and optionally block the following vulnerabilities:

  • CVE-2021-44228 and CVE-2021-45046 Log4j RCE vulnerabilities
  • 942550-sqli JSON-formatted content vulnerability
  • google-mrs-v202512-id000001-rce and google-mrs-v202512-id000002-rce React RCE vulnerability

Cloud Armor rule name Covered vulnerability types
cve-canary Log4j and React RCE vulnerabilities
json-sqli-canary JSON-based SQL injection bypass vulnerability

Preconfigured OWASP rules

Each preconfigured WAF rule has a sensitivity level that corresponds to an OWASP CRS paranoia level. A lower sensitivity level indicates a higher confidence signature, which is less likely to generate a false positive. A higher sensitivity level increases security, but also increases the risk of generating a false positive. By default, Cloud Armor runs at sensitivity level 4 and evaluates all signatures in a rule set once enabled.

SQL injection (SQLi)

The following table provides the signature ID, sensitivity level, and description of each supported signature in the SQLi preconfigured WAF rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id942100-sqli 1 SQL injection attack detected using libinjection
owasp-crs-v042200-id942140-sqli 1 SQL injection attack: Common DB names detected
owasp-crs-v042200-id942151-sqli 1 SQL injection attack: SQL function name detected
owasp-crs-v042200-id942160-sqli 1 Detects SQLi tests using sleep or benchmark
owasp-crs-v042200-id942170-sqli 1 Detects SQL benchmark and sleep injection attempts including conditional queries
owasp-crs-v042200-id942190-sqli 1 Detects MSSQL code execution and information gathering attempts
owasp-crs-v042200-id942220-sqli 1 Looks for integer overflow attacks
owasp-crs-v042200-id942230-sqli 1 Detects conditional SQL injection attempts
owasp-crs-v042200-id942240-sqli 1 Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v042200-id942250-sqli 1 Detects MATCH AGAINST, MERGE, and EXECUTE IMMEDIATE injections
owasp-crs-v042200-id942270-sqli 1 Looks for basic SQL injection; common attack string for MySql, Oracle, and others
owasp-crs-v042200-id942280-sqli 1 Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts
owasp-crs-v042200-id942290-sqli 1 Finds basic MongoDB SQL injection attempts
owasp-crs-v042200-id942320-sqli 1 Detects MySQL and PostgreSQL stored procedure or function injections
owasp-crs-v042200-id942350-sqli 1 Detects MySQL UDF injection and other data or structure manipulation attempts
owasp-crs-v042200-id942360-sqli 1 Detects concatenated basic SQL injection and SQLLFI attempts
owasp-crs-v042200-id942500-sqli 1 MySQL inline comment detected
owasp-crs-v042200-id942540-sqli 1 SQL Authentication bypass (split query)
owasp-crs-v042200-id942560-sqli 1 MySQL scientific notation payload detected
owasp-crs-v042200-id942550-sqli 1 JSON-Based SQL injection
owasp-crs-v042200-id942120-sqli 2 SQL injection attack: SQL operator detected
owasp-crs-v042200-id942130-sqli 2 SQL injection attack: SQL boolean-based attack detected
owasp-crs-v042200-id942131-sqli 2 SQL injection attack: SQL boolean-based attack detected
owasp-crs-v042200-id942150-sqli 2 SQL injection attack: SQL function name detected
owasp-crs-v042200-id942180-sqli 2 Detects basic SQL authentication bypass attempts 1/3
owasp-crs-v042200-id942200-sqli 2 Detects MySQL comment- or space-obfuscated injections and backtick termination
owasp-crs-v042200-id942210-sqli 2 Detects chained SQL injection attempts 1/2
owasp-crs-v042200-id942260-sqli 2 Detects basic SQL authentication bypass attempts 2/3
owasp-crs-v042200-id942300-sqli 2 Detects MySQL comments, conditions and ch(a)r injections
owasp-crs-v042200-id942310-sqli 2 Detects chained SQL injection attempts 2/2
owasp-crs-v042200-id942330-sqli 2 Detects classic SQL injection probings 1/3
owasp-crs-v042200-id942340-sqli 2 Detects basic SQL authentication bypass attempts 3/3
owasp-crs-v042200-id942361-sqli 2 Detects basic SQL injection based on keyword alter or union
owasp-crs-v042200-id942362-sqli 2 Detects concatenated basic SQL injection and SQLLFI attempts
owasp-crs-v042200-id942370-sqli 2 Detects classic SQL injection probings 2/3
owasp-crs-v042200-id942380-sqli 2 SQL injection attack
owasp-crs-v042200-id942390-sqli 2 SQL injection attack
owasp-crs-v042200-id942400-sqli 2 SQL injection attack
owasp-crs-v042200-id942410-sqli 2 SQL injection attack
owasp-crs-v042200-id942470-sqli 2 SQL injection attack
owasp-crs-v042200-id942480-sqli 2 SQL injection attack
owasp-crs-v042200-id942430-sqli 2 Restricted SQL character anomaly detection (args): # of special characters exceeded (12)
owasp-crs-v042200-id942440-sqli 2 SQL comment sequence detected
owasp-crs-v042200-id942450-sqli 2 SQL hex encoding identified
owasp-crs-v042200-id942510-sqli 2 SQLi bypass attempt by ticks or backticks detected
owasp-crs-v042200-id942520-sqli 2 Detects basic SQL authentication bypass attempts 4.0/4
owasp-crs-v042200-id942521-sqli 2 Detects basic SQL authentication bypass attempts 4.1/4
owasp-crs-v042200-id942522-sqli 2 Detects basic SQL authentication bypass attempts 4.1/4
owasp-crs-v042200-id942101-sqli 2 SQL injection attack detected using libinjection
owasp-crs-v042200-id942152-sqli 2 SQL injection attack: SQL function name detected
owasp-crs-v042200-id942321-sqli 2 Detects MySQL and PostgreSQL stored procedure or function injections
owasp-crs-v042200-id942251-sqli 3 Detects HAVING injections
owasp-crs-v042200-id942490-sqli 3 Detects classic SQL injection probings 3/3
owasp-crs-v042200-id942420-sqli 3 Restricted SQL character anomaly detection (cookies): # of special characters exceeded (8)
owasp-crs-v042200-id942431-sqli 3 Restricted SQL character anomaly detection (args): # of special characters exceeded (6)
owasp-crs-v042200-id942460-sqli 3 Meta-character anomaly detection alert - repetitive non-word characters
owasp-crs-v042200-id942511-sqli 3 SQLi bypass attempt by ticks detected
owasp-crs-v042200-id942530-sqli 3 SQLi query termination detected
owasp-crs-v042200-id942421-sqli 4 Restricted SQL character anomaly detection (cookies): # of special characters exceeded (3)
owasp-crs-v042200-id942432-sqli 4 Restricted SQL character anomaly detection (args): # of special characters exceeded (2)

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id942100-sqli 1 SQL injection attack detected using libinjection
owasp-crs-v030301-id942140-sqli 1 SQL injection attack: common DB names detected
owasp-crs-v030301-id942160-sqli 1 Detects SQLi tests using sleep or benchmark
owasp-crs-v030301-id942170-sqli 1 Detects SQL sleep or benchmark injection attempts including conditional queries
owasp-crs-v030301-id942190-sqli 1 Detects MSSQL code execution and information gathering attempts
owasp-crs-v030301-id942220-sqli 1 Looks for integer overflow attacks
owasp-crs-v030301-id942230-sqli 1 Detects conditional SQL injection attempts
owasp-crs-v030301-id942240-sqli 1 Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v030301-id942250-sqli 1 Detects MATCH AGAINST
owasp-crs-v030301-id942270-sqli 1 Looks for basic SQL injection; common attack string for MySql
owasp-crs-v030301-id942280-sqli 1 Detects Postgres pg_sleep injection
owasp-crs-v030301-id942290-sqli 1 Finds basic MongoDB SQL injection attempts
owasp-crs-v030301-id942320-sqli 1 Detects MySQL and PostgreSQL stored procedure or function injections
owasp-crs-v030301-id942350-sqli 1 Detects MySQL UDF injection and other data or structure manipulation attempts
owasp-crs-v030301-id942360-sqli 1 Detects concatenated basic SQL injection and SQLLFI attempts
owasp-crs-v030301-id942500-sqli 1 MySQL inline comment detected
owasp-crs-v030301-id942110-sqli 2 SQL injection attack: common injection testing detected
owasp-crs-v030301-id942120-sqli 2 SQL injection attack: SQL operator detected
owasp-crs-v030301-id942130-sqli 2 SQL injection attack: SQL tautology detected
owasp-crs-v030301-id942150-sqli 2 SQL injection attack
owasp-crs-v030301-id942180-sqli 2 Detects basic SQL authentication bypass attempts 1/3
owasp-crs-v030301-id942200-sqli 2 Detects MySQL comment- or space-obfuscated injections and backtick termination
owasp-crs-v030301-id942210-sqli 2 Detects chained SQL injection attempts 1/2
owasp-crs-v030301-id942260-sqli 2 Detects basic SQL authentication bypass attempts 2/3
owasp-crs-v030301-id942300-sqli 2 Detects MySQL comments
owasp-crs-v030301-id942310-sqli 2 Detects chained SQL injection attempts 2/2
owasp-crs-v030301-id942330-sqli 2 Detects classic SQL injection probings 1/2
owasp-crs-v030301-id942340-sqli 2 Detects basic SQL authentication bypass attempts 3/3
owasp-crs-v030301-id942361-sqli 2 Detects basic SQL injection based on keyword alter or union
owasp-crs-v030301-id942370-sqli 2 Detects classic SQL injection probings 2/3
owasp-crs-v030301-id942380-sqli 2 SQL injection attack
owasp-crs-v030301-id942390-sqli 2 SQL injection attack
owasp-crs-v030301-id942400-sqli 2 SQL injection attack
owasp-crs-v030301-id942410-sqli 2 SQL injection attack
owasp-crs-v030301-id942470-sqli 2 SQL injection attack
owasp-crs-v030301-id942480-sqli 2 SQL injection attack
owasp-crs-v030301-id942430-sqli 2 Restricted SQL character anomaly detection (args): # of special characters exceeded (12)
owasp-crs-v030301-id942440-sqli 2 SQL comment sequence detected
owasp-crs-v030301-id942450-sqli 2 SQL hex encoding identified
owasp-crs-v030301-id942510-sqli 2 SQLi bypass attempt by ticks or backticks detected
owasp-crs-v030301-id942251-sqli 3 Detects HAVING injections
owasp-crs-v030301-id942490-sqli 3 Detects classic SQL injection probings 3/3
owasp-crs-v030301-id942420-sqli 3 Restricted SQL character anomaly detection (cookies): # of special characters exceeded (8)
owasp-crs-v030301-id942431-sqli 3 Restricted SQL character anomaly detection (args): # of special characters exceeded (6)
owasp-crs-v030301-id942460-sqli 3 Meta-character anomaly detection alert - repetitive non-word characters
owasp-crs-v030301-id942101-sqli 3 SQL injection attack detected using libinjection
owasp-crs-v030301-id942511-sqli 3 SQLi bypass attempt by ticks detected
owasp-crs-v030301-id942421-sqli 4 Restricted SQL character anomaly detection (cookies): # of special characters exceeded (3)
owasp-crs-v030301-id942432-sqli 4 Restricted SQL character anomaly detection (args): # of special characters exceeded (2)

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 SQL injection attack detected using libinjection
owasp-crs-v030001-id942140-sqli 1 SQL injection attack: common DB names detected
owasp-crs-v030001-id942160-sqli 1 Detects SQLi tests using sleep or benchmark
owasp-crs-v030001-id942170-sqli 1 Detects SQL sleep or benchmark injection attempts including conditional queries
owasp-crs-v030001-id942190-sqli 1 Detects MSSQL code execution and information gathering attempts
owasp-crs-v030001-id942220-sqli 1 Looks for integer overflow attacks
owasp-crs-v030001-id942230-sqli 1 Detects conditional SQL injection attempts
owasp-crs-v030001-id942240-sqli 1 Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v030001-id942250-sqli 1 Detects MATCH AGAINST
owasp-crs-v030001-id942270-sqli 1 Looks for basic SQL injection; common attack string for MySql
owasp-crs-v030001-id942280-sqli 1 Detects Postgres pg_sleep injection
owasp-crs-v030001-id942290-sqli 1 Finds basic MongoDB SQL injection attempts
owasp-crs-v030001-id942320-sqli 1 Detects MySQL and PostgreSQL stored procedure or function injections
owasp-crs-v030001-id942350-sqli 1 Detects MySQL UDF injection and other data or structure manipulation attempts
owasp-crs-v030001-id942360-sqli 1 Detects concatenated basic SQL injection and SQLLFI attempts
Not included 1 MySQL inline comment detected
owasp-crs-v030001-id942110-sqli 2 SQL injection attack: common injection testing detected
owasp-crs-v030001-id942120-sqli 2 SQL injection attack: SQL operator detected
Not included 2 SQL injection attack: SQL tautology detected
owasp-crs-v030001-id942150-sqli 2 SQL injection attack
owasp-crs-v030001-id942180-sqli 2 Detects basic SQL authentication bypass attempts 1/3
owasp-crs-v030001-id942200-sqli 2 Detects MySQL comment- or space-obfuscated injections and backtick termination
owasp-crs-v030001-id942210-sqli 2 Detects chained SQL injection attempts 1/2
owasp-crs-v030001-id942260-sqli 2 Detects basic SQL authentication bypass attempts 2/3
owasp-crs-v030001-id942300-sqli 2 Detects MySQL comments
owasp-crs-v030001-id942310-sqli 2 Detects chained SQL injection attempts 2/2
owasp-crs-v030001-id942330-sqli 2 Detects classic SQL injection probings 1/2
owasp-crs-v030001-id942340-sqli 2 Detects basic SQL authentication bypass attempts 3/3
Not included 2 Detects basic SQL injection based on keyword alter or union
Not included 2 Detects classic SQL injection probings 2/3
owasp-crs-v030001-id942380-sqli 2 SQL injection attack
owasp-crs-v030001-id942390-sqli 2 SQL injection attack
owasp-crs-v030001-id942400-sqli 2 SQL injection attack
owasp-crs-v030001-id942410-sqli 2 SQL injection attack
Not included 2 SQL injection attack
Not included 2 SQL injection attack
owasp-crs-v030001-id942430-sqli 2 Restricted SQL character anomaly detection (args): # of special characters exceeded (12)
owasp-crs-v030001-id942440-sqli 2 SQL comment sequence detected
owasp-crs-v030001-id942450-sqli 2 SQL hex encoding identified
Not included 2 SQLi bypass attempt by ticks or backticks detected
owasp-crs-v030001-id942251-sqli 3 Detects HAVING injections
Not included 2 Detects classic SQL injection probings 3/3
owasp-crs-v030001-id942420-sqli 3 Restricted SQL character anomaly detection (cookies): # of special characters exceeded (8)
owasp-crs-v030001-id942431-sqli 3 Restricted SQL character anomaly detection (args): # of special characters exceeded (6)
owasp-crs-v030001-id942460-sqli 3 Meta-character anomaly detection alert - repetitive non-word characters
Not included 3 SQL injection attack detected using libinjection
Not included 3 SQLi bypass attempt by ticks detected
owasp-crs-v030001-id942421-sqli 4 Restricted SQL character anomaly detection (cookies): # of special characters exceeded (3)
owasp-crs-v030001-id942432-sqli 4 Restricted SQL character anomaly detection (args): # of special characters exceeded (2)

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('sqli-v422-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('sqli-v422-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('sqli-v422-stable', {'sensitivity': 3})
4 evaluatePreconfiguredWaf('sqli-v422-stable', {'sensitivity': 4})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 3})
4 evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 4})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 3})
4 evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 4})
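
The following is an added example, not part of the Cloud Armor documentation or tooling. It shows how a chosen sensitivity level translates into the set of evaluated SQLi signatures, and what changes at that level when a policy moves from sqli-v33-stable to sqli-v422-stable. It assumes that sensitivity N evaluates every signature whose level is N or lower, as with CRS paranoia levels; the helper names (parse_rows, active_at, migration_diff, expression) are hypothetical, and the rows are a small sample copied from the SQLi tables above.

```python
import re
from typing import Dict, List, NamedTuple

# Signature ID layout as it appears in the tables on this page:
#   owasp-crs-v<6-digit CRS tag>-id<6-digit rule ID>-<category>
SIG_RE = re.compile(r"^owasp-crs-v(\d{6})-id(\d{6})-([a-z]+)$")


class Signature(NamedTuple):
    crs_tag: str    # e.g. "042200" for the CRS 4.22 tables
    rule_id: int    # e.g. 942100
    category: str   # e.g. "sqli"
    level: int      # sensitivity level, 1..4


# Constructed sample: a few "signature ID, sensitivity level" rows
# copied from the CRS 3.3 and CRS 4.22 SQLi tables on this page.
CRS33_ROWS = """
owasp-crs-v030301-id942100-sqli 1
owasp-crs-v030301-id942110-sqli 2
owasp-crs-v030301-id942130-sqli 2
owasp-crs-v030301-id942101-sqli 3
owasp-crs-v030301-id942251-sqli 3
owasp-crs-v030301-id942421-sqli 4
"""

CRS422_ROWS = """
owasp-crs-v042200-id942100-sqli 1
owasp-crs-v042200-id942550-sqli 1
owasp-crs-v042200-id942130-sqli 2
owasp-crs-v042200-id942101-sqli 2
owasp-crs-v042200-id942251-sqli 3
owasp-crs-v042200-id942530-sqli 3
owasp-crs-v042200-id942421-sqli 4
"""


def parse_rows(rows: str) -> Dict[int, Signature]:
    """Parse 'signature-id level' rows into {rule_id: Signature}."""
    table: Dict[int, Signature] = {}
    for line in rows.strip().splitlines():
        sig_id, level = line.split()
        m = SIG_RE.match(sig_id)
        if m is None:
            raise ValueError(f"not a preconfigured WAF signature ID: {sig_id!r}")
        lvl = int(level)
        if not 1 <= lvl <= 4:
            raise ValueError(f"sensitivity level out of range for {sig_id}: {lvl}")
        sig = Signature(m.group(1), int(m.group(2)), m.group(3), lvl)
        table[sig.rule_id] = sig
    # Guard against pasting rows from two CRS versions into one table.
    if len({s.crs_tag for s in table.values()}) > 1:
        raise ValueError("rows mix signatures from different CRS versions")
    return table


def active_at(table: Dict[int, Signature], sensitivity: int) -> List[int]:
    """Rule IDs evaluated at a sensitivity (assumption: levels are cumulative)."""
    return sorted(r for r, s in table.items() if s.level <= sensitivity)


def migration_diff(old: Dict[int, Signature], new: Dict[int, Signature],
                   sensitivity: int) -> dict:
    """Coverage change at one sensitivity when switching rule-set versions."""
    before = set(active_at(old, sensitivity))
    after = set(active_at(new, sensitivity))
    level_changed = {
        r: (old[r].level, new[r].level)
        for r in old.keys() & new.keys()
        if old[r].level != new[r].level
    }
    return {
        "gained": sorted(after - before),   # newly evaluated: watch for false positives
        "lost": sorted(before - after),     # no longer evaluated at this sensitivity
        "level_changed": level_changed,     # same rule ID, different level
    }


def expression(rule_set: str, sensitivity: int) -> str:
    """Build the expression in the form shown in the tables above."""
    return f"evaluatePreconfiguredWaf('{rule_set}', {{'sensitivity': {sensitivity}}})"


if __name__ == "__main__":
    old, new = parse_rows(CRS33_ROWS), parse_rows(CRS422_ROWS)
    for level in (1, 2, 3, 4):
        print(expression("sqli-v422-stable", level))
        print("  ", migration_diff(old, new, level))
```

Run against the full tables, the "gained" list is the set of signatures to review in logs before enforcing the newer rule set at the same sensitivity.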

Cross-site scripting (XSS)

The following table provides the signature ID, sensitivity level, and description of each supported signature in the XSS preconfigured WAF rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id941100-xss 1 XSS attack detected using libinjection
owasp-crs-v042200-id941110-xss 1 XSS filter - category 1: script tag vector
owasp-crs-v042200-id941130-xss 1 XSS filter - category 3: attribute vector
owasp-crs-v042200-id941140-xss 1 XSS filter - category 4: JavaScript URI vector
owasp-crs-v042200-id941160-xss 1 NoScript XSS InjectionChecker: HTML injection
owasp-crs-v042200-id941170-xss 1 NoScript XSS InjectionChecker: attribute injection
owasp-crs-v042200-id941180-xss 1 Node-validator denylist keywords
owasp-crs-v042200-id941190-xss 1 IE XSS filters - attack detected
owasp-crs-v042200-id941200-xss 1 IE XSS filters - attack detected
owasp-crs-v042200-id941210-xss 1 Javascript word detected
owasp-crs-v042200-id941220-xss 1 IE XSS filters - attack detected
owasp-crs-v042200-id941230-xss 1 IE XSS filters - attack detected
owasp-crs-v042200-id941240-xss 1 IE XSS filters - attack detected
owasp-crs-v042200-id941250-xss 1 IE XSS filters - attack detected
owasp-crs-v042200-id941260-xss 1 IE XSS filters - attack detected
owasp-crs-v042200-id941270-xss 1 IE XSS filters - attack detected
owasp-crs-v042200-id941280-xss 1 IE XSS filters - attack detected
owasp-crs-v042200-id941290-xss 1 IE XSS filters - attack detected
owasp-crs-v042200-id941300-xss 1 IE XSS filters - attack detected
owasp-crs-v042200-id941310-xss 1 US-ASCII malformed encoding XSS filter - attack detected
owasp-crs-v042200-id941350-xss 1 UTF-7 encoding IE XSS - attack detected
owasp-crs-v042200-id941360-xss 1 Hieroglyphy obfuscation detected
owasp-crs-v042200-id941370-xss 1 JavaScript global variable found
owasp-crs-v042200-id941390-xss 1 Javascript method detected
owasp-crs-v042200-id941400-xss 1 XSS JavaScript function without parentheses
owasp-crs-v042200-id941101-xss 2 XSS attack detected using libinjection
owasp-crs-v042200-id941120-xss 2 XSS filter - category 2: event handler vector
owasp-crs-v042200-id941150-xss 2 XSS filter - category 5: disallowed HTML attributes
owasp-crs-v042200-id941181-xss 2 Node-validator denylist keywords
owasp-crs-v042200-id941320-xss 2 Possible XSS attack detected - HTML tag handler
owasp-crs-v042200-id941330-xss 2 IE XSS filters - attack detected
owasp-crs-v042200-id941340-xss 2 IE XSS filters - attack detected
owasp-crs-v042200-id941380-xss 2 AngularJS client side template injection detected

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id941100-xss 1 XSS attack detected using libinjection
owasp-crs-v030301-id941110-xss 1 XSS filter - category 1: script tag vector
owasp-crs-v030301-id941120-xss 1 XSS filter - category 2: event handler vector
owasp-crs-v030301-id941130-xss 1 XSS filter - category 3: attribute vector
owasp-crs-v030301-id941140-xss 1 XSS filter - category 4: JavaScript URI vector
owasp-crs-v030301-id941160-xss 1 NoScript XSS InjectionChecker: HTML injection
owasp-crs-v030301-id941170-xss 1 NoScript XSS InjectionChecker: attribute injection
owasp-crs-v030301-id941180-xss 1 Node-validator denylist keywords
owasp-crs-v030301-id941190-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941200-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941210-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941220-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941230-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941240-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941250-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941260-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941270-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941280-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941290-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941300-xss 1 IE XSS filters - attack detected
owasp-crs-v030301-id941310-xss 1 US-ASCII malformed encoding XSS filter - attack detected
owasp-crs-v030301-id941350-xss 1 UTF-7 encoding IE XSS - attack detected
owasp-crs-v030301-id941360-xss 1 Hieroglyphy obfuscation detected
owasp-crs-v030301-id941370-xss 1 JavaScript global variable found
owasp-crs-v030301-id941101-xss 2 XSS attack detected using libinjection
owasp-crs-v030301-id941150-xss 2 XSS filter - category 5: disallowed HTML attributes
owasp-crs-v030301-id941320-xss 2 Possible XSS attack detected - HTML tag handler
owasp-crs-v030301-id941330-xss 2 IE XSS filters - attack detected
owasp-crs-v030301-id941340-xss 2 IE XSS filters - attack detected
owasp-crs-v030301-id941380-xss 2 AngularJS client side template injection detected

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 XSS attack detected using libinjection
owasp-crs-v030001-id941110-xss 1 XSS filter - category 1: script tag vector
owasp-crs-v030001-id941120-xss 1 XSS filter - category 2: event handler vector
owasp-crs-v030001-id941130-xss 1 XSS filter - category 3: attribute vector
owasp-crs-v030001-id941140-xss 1 XSS filter - category 4: JavaScript URI vector
owasp-crs-v030001-id941160-xss 1 NoScript XSS InjectionChecker: HTML injection
owasp-crs-v030001-id941170-xss 1 NoScript XSS InjectionChecker: attribute injection
owasp-crs-v030001-id941180-xss 1 Node-validator denylist keywords
owasp-crs-v030001-id941190-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941200-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941210-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941220-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941230-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941240-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941250-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941260-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941270-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941280-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941290-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941300-xss 1 IE XSS filters - attack detected
owasp-crs-v030001-id941310-xss 1 US-ASCII malformed encoding XSS filter - attack detected
owasp-crs-v030001-id941350-xss 1 UTF-7 encoding IE XSS - attack detected
Not included 1 JSF*ck or hieroglyphy obfuscation detected
Not included 1 JavaScript global variable found
Not included 2 XSS attack detected using libinjection
owasp-crs-v030001-id941150-xss 2 XSS filter - category 5: disallowed HTML attributes
owasp-crs-v030001-id941320-xss 2 Possible XSS attack detected - HTML tag handler
owasp-crs-v030001-id941330-xss 2 IE XSS filters - attack detected
owasp-crs-v030001-id941340-xss 2 IE XSS filters - attack detected
Not included 2 AngularJS client side template injection detected

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('xss-v422-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('xss-v422-stable', {'sensitivity': 2})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 2})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('xss-stable', {'sensitivity': 1})

Local file inclusion (LFI)

The following table provides the signature ID, sensitivity level, and description of each supported signature in the LFI preconfigured WAF rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id930100-lfi 1 Path traversal attack (/../) or (/.../)
owasp-crs-v042200-id930110-lfi 1 Path traversal attack (/../) or (/.../)
owasp-crs-v042200-id930120-lfi 1 OS file access attempt
owasp-crs-v042200-id930130-lfi 1 Restricted file access attempt
owasp-crs-v042200-id930121-lfi 2 OS file access attempt in REQUEST_HEADERS

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id930100-lfi 1 Path traversal attack (/../)
owasp-crs-v030301-id930110-lfi 1 Path traversal attack (/../)
owasp-crs-v030301-id930120-lfi 1 OS file access attempt
owasp-crs-v030301-id930130-lfi 1 Restricted file access attempt

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id930100-lfi 1 Path traversal attack (/../)
owasp-crs-v030001-id930110-lfi 1 Path traversal attack (/../)
owasp-crs-v030001-id930120-lfi 1 OS file access attempt
owasp-crs-v030001-id930130-lfi 1 Restricted file access attempt

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. All signatures for LFI are at sensitivity level 1. The following configuration works for all sensitivity levels:

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('lfi-v422-stable', {'sensitivity': 1})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('lfi-v33-stable', {'sensitivity': 1})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('lfi-stable', {'sensitivity': 1})

Remote code execution (RCE)

The following table provides the signature ID, sensitivity level, and description of each supported signature in the RCE preconfigured WAF rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id932230-rce 1 Remote command execution: UNIX command injection (2-3 chars)
owasp-crs-v042200-id932235-rce 1 Remote command execution: UNIX command injection (command without evasion)
owasp-crs-v042200-id932120-rce 1 Remote command execution: Windows HTML tag handler command found
owasp-crs-v042200-id932125-rce 1 Remote command execution: Windows HTML tag handler alias command injection
owasp-crs-v042200-id932130-rce 1 Remote command execution: UNIX shell expression found
owasp-crs-v042200-id932140-rce 1 Remote command execution: Windows FOR or IF command found
owasp-crs-v042200-id932270-rce 1 Remote command execution: UNIX shell expression found
owasp-crs-v042200-id932250-rce 1 Remote command execution: Direct UNIX command execution
owasp-crs-v042200-id932260-rce 1 Remote command execution: Direct UNIX command execution
owasp-crs-v042200-id932330-rce 1 Remote command execution: UNIX shell history invocation
owasp-crs-v042200-id932160-rce 1 Remote command execution: UNIX shell code found
owasp-crs-v042200-id932170-rce 1 Remote command execution: shellshock (CVE-2014-6271)
owasp-crs-v042200-id932171-rce 1 Remote command execution: shellshock (CVE-2014-6271)
owasp-crs-v042200-id932175-rce 1 Remote command execution: UNIX shell alias invocation
owasp-crs-v042200-id932180-rce 1 Restricted file upload attempt
owasp-crs-v042200-id932370-rce 1 Remote command execution: Windows command injection
owasp-crs-v042200-id932380-rce 1 Remote command execution: Windows command injection
owasp-crs-v042200-id932280-rce 1 Remote command execution: brace expansion found
owasp-crs-v042200-id932231-rce 2 Remote command execution: UNIX command injection
owasp-crs-v042200-id932131-rce 2 Remote command execution: UNIX shell expression found
owasp-crs-v042200-id932200-rce 2 RCE bypass technique
owasp-crs-v042200-id932205-rce 2 RCE bypass technique
owasp-crs-v042200-id932206-rce 2 RCE bypass technique
owasp-crs-v042200-id932220-rce 2 Remote command execution: UNIX command injection with pipe
owasp-crs-v042200-id932240-rce 2 Remote command execution: UNIX command injection evasion attempt detected
owasp-crs-v042200-id932210-rce 2 Remote command execution: SQLite system command execution
owasp-crs-v042200-id932271-rce 2 Remote command execution: UNIX shell expression found
owasp-crs-v042200-id932300-rce 2 Remote command execution: SMTP command execution
owasp-crs-v042200-id932310-rce 2 Remote command execution: IMAP command execution
owasp-crs-v042200-id932320-rce 2 Remote command execution: POP3 command execution
owasp-crs-v042200-id932236-rce 2 Remote command execution: UNIX command injection (command without evasion)
owasp-crs-v042200-id932239-rce 2 Remote command execution: UNIX command injection found in user-agent or referer header
owasp-crs-v042200-id932161-rce 2 Remote command execution: UNIX shell code found in REQUEST_HEADERS
owasp-crs-v042200-id932371-rce 2 Remote command execution: Windows command injection
owasp-crs-v042200-id932281-rce 2 Remote command execution: brace expansion found
owasp-crs-v042200-id932207-rce 2 RCE bypass technique
owasp-crs-v042200-id932232-rce 3 Remote command execution: UNIX command injection
owasp-crs-v042200-id932237-rce 3 Remote command execution: UNIX shell code found in REQUEST_HEADERS
owasp-crs-v042200-id932238-rce 3 Remote command execution: UNIX shell code found in REQUEST_HEADERS
owasp-crs-v042200-id932190-rce 3 Remote command execution: wildcard bypass technique attempt
owasp-crs-v042200-id932301-rce 3 Remote command execution: SMTP command execution
owasp-crs-v042200-id932311-rce 3 Remote command execution: IMAP command execution
owasp-crs-v042200-id932321-rce 3 Remote command execution: POP3 command execution
owasp-crs-v042200-id932331-rce 3 Remote command execution: UNIX shell history invocation

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id932100-rce 1 UNIX command injection
owasp-crs-v030301-id932105-rce 1 UNIX command injection
owasp-crs-v030301-id932110-rce 1 Windows command injection
owasp-crs-v030301-id932115-rce 1 Windows command injection
owasp-crs-v030301-id932120-rce 1 Windows PowerShell command found
owasp-crs-v030301-id932130-rce 1 UNIX shell expression found
owasp-crs-v030301-id932140-rce 1 Windows FOR or IF command found
owasp-crs-v030301-id932150-rce 1 Direct UNIX command execution
owasp-crs-v030301-id932160-rce 1 UNIX shell code found
owasp-crs-v030301-id932170-rce 1 Shellshock (CVE-2014-6271)
owasp-crs-v030301-id932171-rce 1 Shellshock (CVE-2014-6271)
owasp-crs-v030301-id932180-rce 1 Restricted file upload attempt
owasp-crs-v030301-id932200-rce 2 RCE bypass technique
owasp-crs-v030301-id932106-rce 3 Remote command execution: UNIX command injection
owasp-crs-v030301-id932190-rce 3 Remote command execution: wildcard bypass technique attempt

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id932100-rce 1 UNIX command injection
owasp-crs-v030001-id932105-rce 1 UNIX command injection
owasp-crs-v030001-id932110-rce 1 Windows command injection
owasp-crs-v030001-id932115-rce 1 Windows command injection
owasp-crs-v030001-id932120-rce 1 Windows PowerShell command found
owasp-crs-v030001-id932130-rce 1 UNIX shell expression found
owasp-crs-v030001-id932140-rce 1 Windows FOR or IF command found
owasp-crs-v030001-id932150-rce 1 Direct UNIX command execution
owasp-crs-v030001-id932160-rce 1 UNIX shell code found
owasp-crs-v030001-id932170-rce 1 Shellshock (CVE-2014-6271)
owasp-crs-v030001-id932171-rce 1 Shellshock (CVE-2014-6271)
Not included 1 Restricted file upload attempt
Not included 2 RCE bypass technique
Not included 3 Remote command execution: UNIX command injection
Not included 3 Remote command execution: wildcard bypass technique attempt

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. All signatures for RCE are at sensitivity level 1. The following configuration works for all sensitivity levels:

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('rce-v422-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('rce-v422-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('rce-v422-stable', {'sensitivity': 3})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 3})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 3})

Remote file inclusion (RFI)

The following table provides the signature ID, sensitivity level, and description of each supported signature in the RFI preconfigured WAF rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id931100-rfi 1 Possible remote file inclusion (RFI) attack: URL parameter using IP address
owasp-crs-v042200-id931110-rfi 1 Possible remote file inclusion (RFI) attack: common RFI vulnerable parameter name used with URL payload
owasp-crs-v042200-id931120-rfi 1 Possible remote file inclusion (RFI) attack: URL payload used with trailing question mark character (?)
owasp-crs-v042200-id931130-rfi 2 Possible remote file inclusion (RFI) attack: off-domain reference or link
owasp-crs-v042200-id931131-rfi 2 Possible remote file inclusion (RFI) attack: off-domain reference or link

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id931100-rfi 1 URL parameter using IP address
owasp-crs-v030301-id931110-rfi 1 Common RFI vulnerable parameter name used with URL payload
owasp-crs-v030301-id931120-rfi 1 URL payload used with trailing question mark character (?)
owasp-crs-v030301-id931130-rfi 2 Off-domain reference or link

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id931100-rfi 1 URL parameter using IP address
owasp-crs-v030001-id931110-rfi 1 Common RFI vulnerable parameter name used with URL payload
owasp-crs-v030001-id931120-rfi 1 URL payload used with trailing question mark character (?)
owasp-crs-v030001-id931130-rfi 2 Off-domain reference or link

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('rfi-v422-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('rfi-v422-stable', {'sensitivity': 2})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 2})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('rfi-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('rfi-stable', {'sensitivity': 2})

Method enforcement

The following table provides the signature ID, sensitivity level, and description of each supported signature in the method enforcement preconfigured rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id911100-methodenforcement 1 Method isn't allowed by policy

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id911100-methodenforcement 1 Method isn't allowed by policy

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id911100-methodenforcement 1 Method isn't allowed by policy

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('methodenforcement-v422-stable', {'sensitivity': 1})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('methodenforcement-stable', {'sensitivity': 1})

Scanner detection

The following table provides the signature ID, sensitivity level, and description of each supported signature in the scanner detection preconfigured rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id913100-scannerdetection 1 Found user-agent associated with security scanner

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id913100-scannerdetection 1 Found user-agent associated with security scanner
owasp-crs-v030301-id913110-scannerdetection 1 Found request header associated with security scanner
owasp-crs-v030301-id913120-scannerdetection 1 Found request filename or argument associated with security scanner
owasp-crs-v030301-id913101-scannerdetection 2 Found user-agent associated with scripting or generic HTTP client
owasp-crs-v030301-id913102-scannerdetection 2 Found user-agent associated with web crawler or bot

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id913100-scannerdetection 1 Found user-agent associated with security scanner
owasp-crs-v030001-id913110-scannerdetection 1 Found request header associated with security scanner
owasp-crs-v030001-id913120-scannerdetection 1 Found request filename or argument associated with security scanner
owasp-crs-v030001-id913101-scannerdetection 2 Found user-agent associated with scripting or generic HTTP client
owasp-crs-v030001-id913102-scannerdetection 2 Found user-agent associated with web crawler or bot

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('scannerdetection-v422-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('scannerdetection-v422-stable', {'sensitivity': 2})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 2})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('scannerdetection-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('scannerdetection-stable', {'sensitivity': 2})

Protocol attack

The following table provides the signature ID, sensitivity level, and description of each supported signature in the protocol attack preconfigured rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id921110-protocolattack 1 HTTP request smuggling attack
owasp-crs-v042200-id921120-protocolattack 1 HTTP response splitting attack
owasp-crs-v042200-id921130-protocolattack 1 HTTP response splitting attack
owasp-crs-v042200-id921140-protocolattack 1 HTTP header injection attack using headers
owasp-crs-v042200-id921150-protocolattack 1 HTTP header injection attack using payload (CR/LF detected)
owasp-crs-v042200-id921160-protocolattack 1 HTTP header injection attack using payload (CR/LF and header-name detected)
owasp-crs-v042200-id921190-protocolattack 1 HTTP splitting (CR/LF in request filename detected)
owasp-crs-v042200-id921200-protocolattack 1 LDAP injection attack
owasp-crs-v042200-id921421-protocolattack 1 Content-Type header: dangerous Content-Type outside the mime type declaration
owasp-crs-v042200-id921240-protocolattack 1 mod_proxy attack attempt detected
owasp-crs-v042200-id921250-protocolattack 1 Old cookies v1 usage attempt detected
owasp-crs-v042200-id921151-protocolattack 2 HTTP header injection attack using payload (CR/LF detected)
owasp-crs-v042200-id921422-protocolattack 2 Content-Type header: dangerous Content-Type outside the mime type declaration
owasp-crs-v042200-id921230-protocolattack 3 HTTP range header detected
owasp-crs-v042200-id921170-protocolattack 3 HTTP parameter pollution (%{MATCHED_VAR_NAME})
owasp-crs-v042200-id921210-protocolattack 3 HTTP parameter pollution after detecting bogus character after parameter array
owasp-crs-v042200-id921220-protocolattack 4 HTTP parameter pollution possible using array notation

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
Not included 1 HTTP request smuggling attack
owasp-crs-v030301-id921110-protocolattack 1 HTTP request smuggling attack
owasp-crs-v030301-id921120-protocolattack 1 HTTP response splitting attack
owasp-crs-v030301-id921130-protocolattack 1 HTTP response splitting attack
owasp-crs-v030301-id921140-protocolattack 1 HTTP header injection attack using headers
owasp-crs-v030301-id921150-protocolattack 1 HTTP header injection attack using payload (CR/LF detected)
owasp-crs-v030301-id921160-protocolattack 1 HTTP header injection attack using payload (CR/LF and header-name detected)
owasp-crs-v030301-id921190-protocolattack 1 HTTP splitting (CR/LF in request filename detected)
owasp-crs-v030301-id921200-protocolattack 1 LDAP injection attack
owasp-crs-v030301-id921151-protocolattack 2 HTTP header injection attack using payload (CR/LF detected)
owasp-crs-v030301-id921170-protocolattack 3 HTTP parameter pollution

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id921100-protocolattack 1 HTTP request smuggling attack
owasp-crs-v030001-id921110-protocolattack 1 HTTP request smuggling attack
owasp-crs-v030001-id921120-protocolattack 1 HTTP response splitting attack
owasp-crs-v030001-id921130-protocolattack 1 HTTP response splitting attack
owasp-crs-v030001-id921140-protocolattack 1 HTTP header injection attack using headers
owasp-crs-v030001-id921150-protocolattack 1 HTTP header injection attack using payload (CR/LF detected)
owasp-crs-v030001-id921160-protocolattack 1 HTTP header injection attack using payload (CR/LF and header-name detected)
Not included 1 HTTP splitting (CR/LF in request filename detected)
Not included 1 LDAP injection attack
owasp-crs-v030001-id921151-protocolattack 2 HTTP header injection attack using payload (CR/LF detected)
owasp-crs-v030001-id921170-protocolattack 3 HTTP parameter pollution

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('protocolattack-v422-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('protocolattack-v422-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('protocolattack-v422-stable', {'sensitivity': 3})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 3})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 3})

PHP

The following table provides the signature ID, sensitivity level, and description of each supported signature in the PHP preconfigured WAF rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id933100-php 1 PHP injection attack: PHP open tag found
owasp-crs-v042200-id933110-php 1 PHP injection attack: PHP script file upload found
owasp-crs-v042200-id933120-php 1 PHP injection attack: configuration directive found
owasp-crs-v042200-id933130-php 1 PHP injection attack: variables found
owasp-crs-v042200-id933135-php 1 PHP injection attack: variables access found
owasp-crs-v042200-id933140-php 1 PHP injection attack: I/O stream found
owasp-crs-v042200-id933200-php 1 PHP injection attack: wrapper scheme detected
owasp-crs-v042200-id933150-php 1 PHP injection attack: high-risk PHP function name found
owasp-crs-v042200-id933160-php 1 PHP injection attack: high-risk PHP function call found
owasp-crs-v042200-id933170-php 1 PHP injection attack: serialized object injection
owasp-crs-v042200-id933180-php 1 PHP injection attack: variable function call found
owasp-crs-v042200-id933210-php 1 PHP injection attack: variable function call found
owasp-crs-v042200-id933151-php 2 PHP injection attack: medium-risk PHP function name found
owasp-crs-v042200-id933152-php 2 PHP injection attack: medium-risk PHP function name found
owasp-crs-v042200-id933153-php 2 PHP injection attack: medium-risk PHP function name found
owasp-crs-v042200-id933131-php 3 PHP injection attack: variables found
owasp-crs-v042200-id933161-php 3 PHP injection attack: low-value PHP function call found
owasp-crs-v042200-id933111-php 3 PHP injection attack: PHP script file upload found
owasp-crs-v042200-id933190-php 3 PHP injection attack: PHP closing tag found
owasp-crs-v042200-id933211-php 3 PHP injection attack: variable function call found

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id933100-php 1 PHP injection attack: PHP open tag found
owasp-crs-v030301-id933110-php 1 PHP injection attack: PHP script file upload found
owasp-crs-v030301-id933120-php 1 PHP injection attack: configuration directive found
owasp-crs-v030301-id933130-php 1 PHP injection attack: variables found
owasp-crs-v030301-id933140-php 1 PHP injection attack: I/O stream found
owasp-crs-v030301-id933200-php 1 PHP injection attack: wrapper scheme detected
owasp-crs-v030301-id933150-php 1 PHP injection attack: high-risk PHP function name found
owasp-crs-v030301-id933160-php 1 PHP injection attack: high-risk PHP function call found
owasp-crs-v030301-id933170-php 1 PHP injection attack: serialized object injection
owasp-crs-v030301-id933180-php 1 PHP injection attack: variable function call found
owasp-crs-v030301-id933210-php 1 PHP injection attack: variable function call found
owasp-crs-v030301-id933151-php 2 PHP injection attack: medium-risk PHP function name found
owasp-crs-v030301-id933131-php 3 PHP injection attack: variables found
owasp-crs-v030301-id933161-php 3 PHP injection attack: low-value PHP function call found
owasp-crs-v030301-id933111-php 3 PHP injection attack: PHP script file upload found
owasp-crs-v030301-id933190-php 3 PHP injection attack: PHP closing tag found

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id933100-php 1 PHP injection attack: PHP open tag found
owasp-crs-v030001-id933110-php 1 PHP injection attack: PHP script file upload found
owasp-crs-v030001-id933120-php 1 PHP injection attack: configuration directive found
owasp-crs-v030001-id933130-php 1 PHP injection attack: variables found
owasp-crs-v030001-id933140-php 1 PHP injection attack: I/O stream found
Not included 1 PHP injection attack: wrapper scheme detected
owasp-crs-v030001-id933150-php 1 PHP injection attack: high-risk PHP function name found
owasp-crs-v030001-id933160-php 1 PHP injection attack: high-risk PHP function call found
owasp-crs-v030001-id933170-php 1 PHP injection attack: serialized object injection
owasp-crs-v030001-id933180-php 1 PHP injection attack: variable function call found
Not included 1 PHP injection attack: variable function call found
owasp-crs-v030001-id933151-php 2 PHP injection attack: medium-risk PHP function name found
owasp-crs-v030001-id933131-php 3 PHP injection attack: variables found
owasp-crs-v030001-id933161-php 3 PHP injection attack: low-value PHP function call found
owasp-crs-v030001-id933111-php 3 PHP injection attack: PHP script file upload found
Not included 3 PHP injection attack: PHP closing tag found

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('php-v422-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('php-v422-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('php-v422-stable', {'sensitivity': 3})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 3})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('php-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('php-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('php-stable', {'sensitivity': 3})

Session fixation

The following table provides the signature ID, sensitivity level, and description of each supported signature in the session fixation preconfigured rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id943100-sessionfixation 1 Possible session fixation attack: setting cookie values in HTML
owasp-crs-v042200-id943110-sessionfixation 1 Possible session fixation attack: session ID parameter name with off-domain referer
owasp-crs-v042200-id943120-sessionfixation 1 Possible session fixation attack: session ID parameter name with no referer

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id943100-sessionfixation 1 Possible session fixation attack: setting cookie values in HTML
owasp-crs-v030301-id943110-sessionfixation 1 Possible session fixation attack: session ID parameter name with off-domain referer
owasp-crs-v030301-id943120-sessionfixation 1 Possible session fixation attack: session ID parameter name with no referer

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id943100-sessionfixation 1 Possible session fixation attack: setting cookie values in HTML
owasp-crs-v030001-id943110-sessionfixation 1 Possible session fixation attack: session ID parameter name with off-domain referer
owasp-crs-v030001-id943120-sessionfixation 1 Possible session fixation attack: session ID parameter name with no referer

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. All signatures for session fixation are at sensitivity level 1. The following configuration works for all sensitivity levels:

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('sessionfixation-v422-stable', {'sensitivity': 1})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('sessionfixation-v33-stable', {'sensitivity': 1})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('sessionfixation-stable', {'sensitivity': 1})

Java attack

The following table provides the signature ID, sensitivity level, and description of each supported signature in the Java attack preconfigured rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id944100-java 1 Remote command execution: suspicious Java class detected
owasp-crs-v042200-id944110-java 1 Remote command execution: Java process spawn (CVE-2017-9805)
owasp-crs-v042200-id944120-java 1 Remote command execution: Java serialization (CVE-2015-4852)
owasp-crs-v042200-id944130-java 1 Suspicious Java class detected
owasp-crs-v042200-id944140-java 1 Java injection attack: Javascript file upload found
owasp-crs-v042200-id944150-java 1 Potential remote command execution: Log4j or Log4shell
owasp-crs-v042200-id944151-java 2 Potential remote command execution: Log4j or Log4shell
owasp-crs-v042200-id944200-java 2 Magic bytes detected, probable Java serialization in use
owasp-crs-v042200-id944210-java 2 Magic bytes detected Base64 encoded, probable Java serialization in use
owasp-crs-v042200-id944240-java 2 Remote command execution: Java serialization (CVE-2015-4852)
owasp-crs-v042200-id944250-java 2 Remote command execution: suspicious Java method detected
owasp-crs-v042200-id944260-java 2 Remote command execution: malicious class-loading payload
owasp-crs-v042200-id944300-java 3 Base64 encoded string matched suspicious keyword
owasp-crs-v042200-id944152-java 4 Potential remote command execution: Log4j or Log4shell

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id944100-java 1 Remote command execution: suspicious Java class detected
owasp-crs-v030301-id944110-java 1 Remote command execution: Java process spawn (CVE-2017-9805)
owasp-crs-v030301-id944120-java 1 Remote command execution: Java serialization (CVE-2015-4852)
owasp-crs-v030301-id944130-java 1 Suspicious Java class detected
owasp-crs-v030301-id944200-java 2 Magic bytes detected, probable Java serialization in use
owasp-crs-v030301-id944210-java 2 Magic bytes detected Base64 encoded, probable Java serialization in use
owasp-crs-v030301-id944240-java 2 Remote command execution: Java serialization (CVE-2015-4852)
owasp-crs-v030301-id944250-java 2 Remote command execution: suspicious Java method detected
owasp-crs-v030301-id944300-java 3 Base64 encoded string matched suspicious keyword

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 Remote command execution: suspicious Java class detected
Not included 1 Remote command execution: Java process spawn (CVE-2017-9805)
Not included 1 Remote command execution: Java serialization (CVE-2015-4852)
Not included 1 Suspicious Java class detected
Not included 2 Magic bytes detected, probable Java serialization in use
Not included 2 Magic bytes detected Base64 encoded, probable Java serialization in use
Not included 2 Remote command execution: Java serialization (CVE-2015-4852)
Not included 2 Remote command execution: suspicious Java method detected
Not included 3 Base64 encoded string matched suspicious keyword

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('java-v422-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('java-v422-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('java-v422-stable', {'sensitivity': 3})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 3})

Generic attack

The following table provides the signature ID, sensitivity level, and description of each supported signature in the generic attack preconfigured rule.

CRS 4.22

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v042200-id934100-generic 1 Node.js injection attack 1/2
owasp-crs-v042200-id934110-generic 1 Possible server side request forgery (SSRF) attack: cloud provider metadata URL in parameter
owasp-crs-v042200-id934130-generic 1 JavaScript prototype pollution
owasp-crs-v042200-id934150-generic 1 Ruby injection attack
owasp-crs-v042200-id934160-generic 1 Node.js DoS attack
owasp-crs-v042200-id934170-generic 1 PHP data scheme attack
owasp-crs-v042200-id934101-generic 2 Node.js injection attack 2/2
owasp-crs-v042200-id934120-generic 2 Possible server side request forgery (SSRF) attack: URL parameter using IP address
owasp-crs-v042200-id934140-generic 2 Perl injection attack
owasp-crs-v042200-id934180-generic 2 SSTI attack

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id934100-nodejs 1 Node.js injection attack

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 Node.js injection attack

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. All signatures for NodeJS attack are at sensitivity level 1. The following configuration works for other sensitivity levels:

CRS 4.22

Sensitivity level Expression
1 evaluatePreconfiguredWaf('generic-v422-stable', {'sensitivity': 1})

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('nodejs-v33-stable', {'sensitivity': 1})
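The following Python helper is an added example, not code from the Cloud Armor documentation. It uses the signature ID layout and rule set names from the tables on this page to move a tuned CRS 3.3 rule to CRS 4.22, including the nodejs to generic rename. The function names are hypothetical, `opt_out_rule_ids` is the exclusion parameter from Cloud Armor's rule tuning guide, and `ONLY_IN_33` holds only the RCE rule IDs that this page's comparison table marks "3.3 Only".

```python
import re

# Signature ID layout used in the tables: owasp-crs-v<version>-id<rule id>-<category>
SIG_RE = re.compile(r"^owasp-crs-v(\d{6})-id(\d{6})-([a-z]+)$")
# CRS 3.3 rule set name, for example rce-v33-stable or rce-v33-canary
RULESET_33_RE = re.compile(r"^([a-z]+)-v33-(stable|canary)$")

V33, V422 = "030301", "042200"
# The nodejs category in CRS 3.3 is named generic in CRS 4.22 (same 934 prefix).
RENAMED = {"nodejs": "generic"}
# Subset taken from the comparison table's RCE rows marked "3.3 Only";
# extend it with any further "3.3 Only" rows before relying on it.
ONLY_IN_33 = frozenset({"932100", "932105", "932106", "932110", "932115", "932150"})


def parse_signature(sig):
    """Split a signature ID into (crs_version, rule_id, category)."""
    m = SIG_RE.match(sig)
    if not m:
        raise ValueError(f"not a Cloud Armor signature ID: {sig!r}")
    return m.groups()


def migrate_signature(sig):
    """Return the CRS 4.22 ID for a CRS 3.3 ID, or None if it has no counterpart."""
    version, rule_id, category = parse_signature(sig)
    if version != V33:
        raise ValueError(f"expected a CRS 3.3 signature ID, got {sig!r}")
    if rule_id in ONLY_IN_33:
        return None
    return f"owasp-crs-v{V422}-id{rule_id}-{RENAMED.get(category, category)}"


def migrate_ruleset(name):
    """Map a CRS 3.3 rule set name to its CRS 4.22 name, keeping the channel."""
    m = RULESET_33_RE.match(name)
    if not m:
        raise ValueError(f"not a CRS 3.3 rule set name: {name!r}")
    category, channel = m.groups()
    return f"{RENAMED.get(category, category)}-v422-{channel}"


def build_expression(ruleset, sensitivity, opt_out=()):
    """Render the expression in the form shown in the tables on this page."""
    if not isinstance(sensitivity, int) or not 1 <= sensitivity <= 4:
        raise ValueError("sensitivity must be an integer from 1 to 4")
    params = f"'sensitivity': {sensitivity}"
    if opt_out:
        ids = ", ".join(f"'{s}'" for s in opt_out)
        params += f", 'opt_out_rule_ids': [{ids}]"
    return f"evaluatePreconfiguredWaf('{ruleset}', {{{params}}})"


def migrate_rule(ruleset_33, sensitivity, opt_out_33=()):
    """Return (CRS 4.22 expression, CRS 3.3 exclusions that could not be carried over)."""
    new_ruleset = migrate_ruleset(ruleset_33)
    old_category = RULESET_33_RE.match(ruleset_33).group(1)
    kept, dropped = [], []
    for sig in opt_out_33:
        # An exclusion from another category would be silently ineffective.
        if parse_signature(sig)[2] != old_category:
            raise ValueError(f"{sig!r} does not belong to {ruleset_33!r}")
        new_sig = migrate_signature(sig)
        if new_sig is None:
            dropped.append(sig)
        else:
            kept.append(new_sig)
    return build_expression(new_ruleset, sensitivity, kept), dropped


if __name__ == "__main__":
    # Constructed input: an RCE rule at sensitivity 2 with two exclusions.
    expr, dropped = migrate_rule(
        "rce-v33-stable",
        2,
        ["owasp-crs-v030301-id932200-rce", "owasp-crs-v030301-id932100-rce"],
    )
    print(expr)
    print("no CRS 4.22 counterpart:", dropped)
    print(migrate_rule("nodejs-v33-stable", 1)[0])
```

Signatures that exist only in CRS 4.22 have no CRS 3.3 exclusion to carry over, so review what the migrated rule matches before enforcing it.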

Cloud Armor WAF rules comparison: CRS 3.3 and CRS 4.22

The following table provides the full list of differences between the Cloud Armor CRS 3.3 and CRS 4.22 rule sets.

The nodejs category from CRS 3.3 was renamed to generic in CRS 4.22, though they share the same rule ID prefix "934". CRS 4.22 is recommended for modern threat protection.

Category OWASP rule Rule ID In CRS 3.3 In CRS 4.22 Status
Cross-site scripting (XSS)xss-v422-stable941100YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941101YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941110YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941120YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941130YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941140YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941150YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941160YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941170YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941180YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941181NoYes4.22 Only
Cross-site scripting (XSS)xss-v422-stable941190YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941200YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941210YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941220YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941230YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941240YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941250YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941260YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941270YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941280YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941290YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941300YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941310YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941320YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941330YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941340YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941350YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941360YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941370YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941380YesYesBoth
Cross-site scripting (XSS)xss-v422-stable941390NoYes4.22 Only
Cross-site scripting (XSS)xss-v422-stable941400NoYes4.22 Only
Generic (NodeJS)generic-v422-stable934100YesYesBoth
Generic (NodeJS)generic-v422-stable934101NoYes4.22 Only
Generic (NodeJS)generic-v422-stable934110NoYes4.22 Only
Generic (NodeJS)generic-v422-stable934120NoYes4.22 Only
Generic (NodeJS)generic-v422-stable934130NoYes4.22 Only
Generic (NodeJS)generic-v422-stable934140NoYes4.22 Only
Generic (NodeJS)generic-v422-stable934150NoYes4.22 Only
Generic (NodeJS)generic-v422-stable934160NoYes4.22 Only
Generic (NodeJS)generic-v422-stable934170NoYes4.22 Only
Generic (NodeJS)generic-v422-stable934180NoYes4.22 Only
Javajava-v422-stable944100YesYesBoth
Javajava-v422-stable944110YesYesBoth
Javajava-v422-stable944120YesYesBoth
Javajava-v422-stable944130YesYesBoth
Javajava-v422-stable944140NoYes4.22 Only
Javajava-v422-stable944150NoYes4.22 Only
Javajava-v422-stable944151NoYes4.22 Only
Javajava-v422-stable944152NoYes4.22 Only
Javajava-v422-stable944200YesYesBoth
Javajava-v422-stable944210YesYesBoth
Javajava-v422-stable944240YesYesBoth
Javajava-v422-stable944250YesYesBoth
Javajava-v422-stable944260NoYes4.22 Only
Javajava-v422-stable944300YesYesBoth
Local file inclusion (LFI)lfi-v422-stable930100YesYesBoth
Local file inclusion (LFI)lfi-v422-stable930110YesYesBoth
Local file inclusion (LFI)lfi-v422-stable930120YesYesBoth
Local file inclusion (LFI)lfi-v422-stable930121NoYes4.22 Only
Local file inclusion (LFI)lfi-v422-stable930130YesYesBoth
Method enforcementmethodenforcement-v422-stable911100YesYesBoth
PHP php-v422-stable 933100 Yes Yes Both
PHP php-v422-stable 933110 Yes Yes Both
PHP php-v422-stable 933111 Yes Yes Both
PHP php-v422-stable 933120 Yes Yes Both
PHP php-v422-stable 933130 Yes Yes Both
PHP php-v422-stable 933131 Yes Yes Both
PHP php-v422-stable 933135 No Yes 4.22 Only
PHP php-v422-stable 933140 Yes Yes Both
PHP php-v422-stable 933150 Yes Yes Both
PHP php-v422-stable 933151 Yes Yes Both
PHP php-v422-stable 933152 No Yes 4.22 Only
PHP php-v422-stable 933153 No Yes 4.22 Only
PHP php-v422-stable 933160 Yes Yes Both
PHP php-v422-stable 933161 Yes Yes Both
PHP php-v422-stable 933170 Yes Yes Both
PHP php-v422-stable 933180 Yes Yes Both
PHP php-v422-stable 933190 Yes Yes Both
PHP php-v422-stable 933200 Yes Yes Both
PHP php-v422-stable 933210 Yes Yes Both
PHP php-v422-stable 933211 No Yes 4.22 Only
Protocol attack protocolattack-v422-stable 921110 Yes Yes Both
Protocol attack protocolattack-v422-stable 921120 Yes Yes Both
Protocol attack protocolattack-v422-stable 921130 Yes Yes Both
Protocol attack protocolattack-v422-stable 921140 Yes Yes Both
Protocol attack protocolattack-v422-stable 921150 Yes Yes Both
Protocol attack protocolattack-v422-stable 921151 Yes Yes Both
Protocol attack protocolattack-v422-stable 921160 Yes Yes Both
Protocol attack protocolattack-v422-stable 921170 Yes Yes Both
Protocol attack protocolattack-v422-stable 921190 Yes Yes Both
Protocol attack protocolattack-v422-stable 921200 Yes Yes Both
Protocol attack protocolattack-v422-stable 921210 No Yes 4.22 Only
Protocol attack protocolattack-v422-stable 921220 No Yes 4.22 Only
Protocol attack protocolattack-v422-stable 921230 No Yes 4.22 Only
Protocol attack protocolattack-v422-stable 921240 No Yes 4.22 Only
Protocol attack protocolattack-v422-stable 921250 No Yes 4.22 Only
Protocol attack protocolattack-v422-stable 921421 No Yes 4.22 Only
Protocol attack protocolattack-v422-stable 921422 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932100 Yes No 3.3 Only
Remote code execution (RCE) rce-v422-stable 932105 Yes No 3.3 Only
Remote code execution (RCE) rce-v422-stable 932106 Yes No 3.3 Only
Remote code execution (RCE) rce-v422-stable 932110 Yes No 3.3 Only
Remote code execution (RCE) rce-v422-stable 932115 Yes No 3.3 Only
Remote code execution (RCE) rce-v422-stable 932120 Yes Yes Both
Remote code execution (RCE) rce-v422-stable 932125 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932130 Yes Yes Both
Remote code execution (RCE) rce-v422-stable 932131 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932140 Yes Yes Both
Remote code execution (RCE) rce-v422-stable 932150 Yes No 3.3 Only
Remote code execution (RCE) rce-v422-stable 932160 Yes Yes Both
Remote code execution (RCE) rce-v422-stable 932161 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932170 Yes Yes Both
Remote code execution (RCE) rce-v422-stable 932171 Yes Yes Both
Remote code execution (RCE) rce-v422-stable 932175 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932180 Yes Yes Both
Remote code execution (RCE) rce-v422-stable 932190 Yes Yes Both
Remote code execution (RCE) rce-v422-stable 932200 Yes Yes Both
Remote code execution (RCE) rce-v422-stable 932205 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932206 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932207 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932210 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932220 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932230 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932231 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932232 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932235 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932236 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932237 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932238 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932239 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932240 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932250 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932260 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932270 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932271 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932280 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932281 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932300 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932301 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932310 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932311 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932320 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932321 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932330 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932331 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932370 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932371 No Yes 4.22 Only
Remote code execution (RCE) rce-v422-stable 932380 No Yes 4.22 Only
Remote file inclusion (RFI) rfi-v422-stable 931100 Yes Yes Both
Remote file inclusion (RFI) rfi-v422-stable 931110 Yes Yes Both
Remote file inclusion (RFI) rfi-v422-stable 931120 Yes Yes Both
Remote file inclusion (RFI) rfi-v422-stable 931130 Yes Yes Both
Remote file inclusion (RFI) rfi-v422-stable 931131 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942100 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942101 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942110 Yes No 3.3 Only
SQL Injection (SQLi) sqli-v422-stable 942120 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942130 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942131 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942140 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942150 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942151 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942152 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942160 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942170 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942180 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942190 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942200 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942210 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942220 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942230 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942240 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942250 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942251 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942260 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942270 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942280 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942290 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942300 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942310 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942320 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942321 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942330 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942340 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942350 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942360 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942361 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942362 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942370 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942380 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942390 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942400 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942410 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942420 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942421 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942430 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942431 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942432 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942440 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942450 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942460 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942470 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942480 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942490 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942500 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942510 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942511 Yes Yes Both
SQL Injection (SQLi) sqli-v422-stable 942520 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942521 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942522 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942530 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942540 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942550 No Yes 4.22 Only
SQL Injection (SQLi) sqli-v422-stable 942560 No Yes 4.22 Only
Scanner detection scannerdetection-v422-stable 913100 Yes Yes Both
Scanner detection scannerdetection-v422-stable 913101 Yes No 3.3 Only
Scanner detection scannerdetection-v422-stable 913102 Yes No 3.3 Only
Scanner detection scannerdetection-v422-stable 913110 Yes No 3.3 Only
Scanner detection scannerdetection-v422-stable 913120 Yes No 3.3 Only
Session fixation sessionfixation-v422-stable 943100 Yes Yes Both
Session fixation sessionfixation-v422-stable 943110 Yes Yes Both
Session fixation sessionfixation-v422-stable 943120 Yes Yes Both

CVEs and other vulnerabilities

The following table provides the signature ID, sensitivity level, and description of each supported signature in the React RCE vulnerability rule to help detect and mitigate CVE-2025-55182.

Signature ID (Rule ID) Sensitivity level Description
google-mrs-v202512-id000001-rce 0 React RCE vulnerability to help detect and mitigate CVE-2025-55182
google-mrs-v202512-id000002-rce 0 React RCE vulnerability to help detect and mitigate CVE-2025-55182

Use the following expression to help detect and mitigate CVE-2025-55182:

  (has(request.headers['next-action']) || has(request.headers['rsc-action-id']) || request.headers['content-type'].contains('multipart/form-data') || request.headers['content-type'].contains('application/x-www-form-urlencoded')) && evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 0, 'opt_in_rule_ids': ['google-mrs-v202512-id000001-rce', 'google-mrs-v202512-id000002-rce']})

The following table provides the signature ID, sensitivity level, and description of each supported signature in the CVE Log4j RCE vulnerability preconfigured rule.

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id044228-cve 1 Base rule to help detect exploit attempts of CVE-2021-44228 & CVE-2021-45046
owasp-crs-v030001-id144228-cve 1 Google-provided enhancements to cover more bypass and obfuscation attempts
owasp-crs-v030001-id244228-cve 3 Increased sensitivity of detection to target even more bypass and obfuscation attempts, with nominal increase in risk of false positive detection
owasp-crs-v030001-id344228-cve 3 Increased sensitivity of detection to target even more bypass and obfuscation attempts using base64 encoding, with nominal increase in risk of false positive detection

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.

Sensitivity level Expression
1 evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 3})

JSON-formatted content SQLi vulnerability

The following table provides the signature ID, sensitivity level, and description of the supported signature 942550-sqli, which covers the vulnerability in which attackers can bypass the WAF by appending JSON syntax to SQL injection payloads.

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-id942550-sqli 2 Detects all JSON-based SQLi vectors, including SQLi signatures found in the URL

Use the following expression to deploy the signature:

  evaluatePreconfiguredWaf('json-sqli-canary', {'sensitivity': 0, 'opt_in_rule_ids': ['owasp-crs-id942550-sqli']})

We recommend that you also enable sqli-v33-stable at sensitivity level 2 to fully address JSON-based SQL injection bypasses.
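
One way to deploy the signature together with the recommended sqli-v33-stable companion rule, written as Terraform for the google_compute_security_policy resource. This is an added example, not configuration from the original page; the policy name, priorities, deny(403) action, preview setting, and JSON parsing option are assumptions to adapt.

```hcl
# Added example. Names, priorities, and actions below are assumptions.
resource "google_compute_security_policy" "json_sqli" {
  name = "example-json-sqli-policy" # hypothetical policy name

  # Optional: lets preconfigured WAF rules inspect parsed JSON bodies.
  advanced_options_config {
    json_parsing = "STANDARD"
  }

  # Rule 1: opt in to only the JSON-based SQLi signature.
  # Sensitivity 0 plus opt_in_rule_ids is the expression given on this page.
  rule {
    description = "JSON-formatted SQLi bypass signature 942550"
    priority    = 1000
    action      = "deny(403)"
    preview     = true # log matches without enforcing; set to false after review
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('json-sqli-canary', {'sensitivity': 0, 'opt_in_rule_ids': ['owasp-crs-id942550-sqli']})"
      }
    }
  }

  # Rule 2: the companion rule set recommended on this page, at sensitivity 2.
  rule {
    description = "sqli-v33-stable at sensitivity level 2"
    priority    = 1010
    action      = "deny(403)"
    preview     = true
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 2})"
      }
    }
  }

  # Default rule: lowest priority, matches all remaining traffic.
  rule {
    description = "default allow"
    priority    = 2147483647
    action      = "allow"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}
```

With preview enabled, both WAF rules record what they would have blocked, which gives you data for tuning before you switch them to enforcement.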

Limitations

Cloud Armor preconfigured WAF rules have the following limitations:

  • WAF rule changes typically take several minutes to propagate.
  • Among the HTTP request types with a request body, Cloud Armor processes only requests with a body. Cloud Armor evaluates preconfigured rules against the first 64 KB of request body content. For more information, see Request body inspection limitation.
  • When JSON parsing is enabled, Cloud Armor can parse and apply preconfigured WAF rules to JSON-formatted content. For more information, see Request body content parsing.
  • If you exclude request fields from inspection for a preconfigured WAF rule to reduce false positives, you can't use the allow action with that rule. Request fields that are explicitly excluded from inspection are automatically allowed.
  • Cloud Armor preconfigured WAF rules can only be used with backend services behind a load balancer. Therefore, load balancing quotas and limits apply to your deployment. For more information, see the load balancing quotas.

What's next