SpiderLabs · fgsch · Oct 31, 2019 · Oct 31, 2019
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1522,7 +1522,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+    t:none,t:htmlEntityDecode,t:lowercase,\
     log,\
     msg:'Abnormal character escapes in request',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\

diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -35,7 +35,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+    t:none,t:htmlEntityDecode,t:lowercase,\
     msg:'HTTP Request Smuggling Attack',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -68,7 +68,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:lowercase,\
+    t:none,t:lowercase,\
     msg:'HTTP Response Splitting Attack',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -90,7 +90,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+    t:none,t:htmlEntityDecode,t:lowercase,\
     msg:'HTTP Response Splitting Attack',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -154,7 +154,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
+    t:none,t:htmlEntityDecode,\
     msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -176,7 +176,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
     phase:1,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+    t:none,t:htmlEntityDecode,t:lowercase,\
     msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\

diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -318,7 +318,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:cmdLine,t:lowercase,\
+    t:none,t:cmdLine,t:lowercase,\
     msg:'Remote Command Execution: Windows PowerShell Command Found',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -358,7 +358,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:cmdLine,\
+    t:none,t:cmdLine,\
     msg:'Remote Command Execution: Unix Shell Expression Found',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -406,7 +406,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:cmdLine,\
+    t:none,t:cmdLine,\
     msg:'Remote Command Execution: Windows FOR/IF Command Found',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -498,7 +498,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase,\
+    t:none,t:cmdLine,t:normalizePath,t:lowercase,\
     msg:'Remote Command Execution: Unix Shell Code Found',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\

diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -48,7 +48,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:lowercase,\
+    t:none,t:lowercase,\
     msg:'PHP Injection Attack: PHP Open Tag Found',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -117,7 +117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
+    t:none,t:normalisePath,t:lowercase,\
     msg:'PHP Injection Attack: Configuration Directive Found',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\

diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -624,7 +624,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+    t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
     msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -656,7 +656,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+    t:none,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
     msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -885,7 +885,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:jsDecode,t:lowercase,\
+    t:none,t:jsDecode,t:lowercase,\
     msg:'Possible XSS Attack Detected - HTML Tag Handler',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -910,7 +910,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
+    t:none,t:htmlEntityDecode,t:compressWhitespace,\
     msg:'IE XSS Filters - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -938,7 +938,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
+    t:none,t:htmlEntityDecode,t:compressWhitespace,\
     msg:'IE XSS Filters - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\

diff --git a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@@ -56,7 +56,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:lowercase,\
+    t:none,t:lowercase,\
     msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -85,7 +85,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:lowercase,\
+    t:none,t:lowercase,\
     msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\

diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml
@@ -15,7 +15,7 @@
             dest_addr: 127.0.0.1
             method: GET
             port: 80
-            uri: /xx?id=%25252bADw-script%25252bAD4-
+            uri: /xx?id=%252bADw-script%252bAD4-
             headers:
               Accept: "*/*"
               Host: localhost