Frontdoor - Legacy Default Rule Set preview-0.1
Generated: 22 February 2026 | Total Rules: 107
DefaultRuleSet preview-0.1
LFI - Local file inclusion
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 930100 | LFI | Path Traversal Attack (/../) using Encoded Payloads | Block | Enabled | |
| 930110 | LFI | Path Traversal Attack (/../) using Decoded Payloads | Block | Enabled | |
| 930130 | LFI | Restricted File Access Attempt | Block | Enabled | |

RFI - Remote file inclusion
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 931100 | RFI | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address | Block | Enabled | |
| 931110 | RFI | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload | Block | Enabled | |
| 931120 | RFI | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) | Block | Enabled | |
| 931130 | RFI | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link | Block | Enabled | |

RCE - Remote Command Execution attacks
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 932100 | RCE | Remote Command Execution: Unix Command Injection | Block | Enabled | |
| 932105 | RCE | Remote Command Execution: Unix Command Injection | Block | Enabled | |
| 932106 | RCE | Remote Command Execution: Unix Command Injection | Block | Enabled | |
| 932110 | RCE | Remote Command Execution: Windows Command Injection | Block | Enabled | |
| 932115 | RCE | Remote Command Execution: Windows Command Injection | Block | Enabled | |
| 932130 | RCE | Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found | Block | Enabled | |
| 932140 | RCE | Remote Command Execution: Windows FOR/IF Command Found | Block | Enabled | |
| 932150 | RCE | Remote Command Execution: Direct Unix Command Execution | Block | Enabled | |
| 932170 | RCE | Remote Command Execution: Shellshock (CVE-2014-6271) | Block | Enabled | |
| 932171 | RCE | Remote Command Execution: Shellshock (CVE-2014-6271) | Block | Enabled | |
| 932190 | RCE | Remote Command Execution: Wildcard | Block | Enabled | |

PHP - PHP attacks
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 933100 | PHP | PHP Injection Attack: Opening/Closing Tag Found | Block | Enabled | |
| 933110 | PHP | PHP Injection Attack: PHP Script File Upload Found | Block | Enabled | |
| 933111 | PHP | PHP Injection Attack: PHP Script File Upload Found | Block | Enabled | |
| 933131 | PHP | PHP Injection Attack: Variables Found | Block | Enabled | |
| 933140 | PHP | PHP Injection Attack: I/O Stream Found | Block | Enabled | |
| 933160 | PHP | PHP Injection Attack: High-Risk PHP Function Call Found | Block | Enabled | |
| 933161 | PHP | PHP Injection Attack: Low-Value PHP Function Call Found | Block | Enabled | |
| 933170 | PHP | PHP Injection Attack: Serialized Object Injection | Block | Enabled | |
| 933180 | PHP | PHP Injection Attack: Variable Function Call Found | Block | Enabled | |
| 933190 | PHP | PHP Injection Attack: PHP Closing Tag Found | Block | Enabled | |
| 933200 | PHP | PHP Injection Attack: Abusing of PHP wrappers could lead to RCE | Block | Enabled | |
| 933210 | PHP | PHP Injection Attack: Variable Function Call Found (bypass 933180) | Block | Enabled | |

XSS - Cross-site scripting
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 941100 | XSS | XSS Attack Detected via libinjection | Block | Enabled | |
| 941101 | XSS | XSS Attack Detected via libinjection | Block | Enabled | |
| 941110 | XSS | XSS Filter - Category 1: Script Tag Vector | Block | Enabled | |
| 941120 | XSS | XSS Filter - Category 2: Event Handler Vector (replaced by rule #99032001) | Block | Enabled | |
| 941130 | XSS | XSS Filter - Category 3: Attribute Vector | Block | Enabled | |
| 941140 | XSS | XSS Filter - Category 4: Javascript URI Vector | Block | Enabled | |
| 941150 | XSS | XSS Filter - Category 5: Disallowed HTML Attributes | Block | Enabled | |
| 941160 | XSS | NoScript XSS InjectionChecker: HTML Injection | Block | Enabled | |
| 941170 | XSS | NoScript XSS InjectionChecker: Attribute Injection | Block | Enabled | |
| 941180 | XSS | Node-Validator Blacklist Keywords | Block | Enabled | |
| 941190 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941200 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941210 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941220 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941230 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941240 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941250 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941260 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941270 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941280 | XSS | IE XSS Filters - Attack Detected | Block | Enabled | |
| 941290 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941300 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941310 | XSS | US-ASCII Malformed Encoding XSS Filter - Attack Detected. | Block | Enabled | |
| 941320 | XSS | Possible XSS Attack Detected - HTML Tag Handler | Block | Enabled | |
| 941330 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941340 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941350 | XSS | UTF-7 Encoding IE XSS - Attack Detected. | Block | Enabled | |
| 941360 | XSS | JSFuck / Hieroglyphy obfuscation detected | Block | Enabled | |

SQLI - SQL injection
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 942100 | SQLI | SQL Injection Attack Detected via libinjection | Block | Enabled | |
| 942110 | SQLI | SQL Injection Attack: Common Injection Testing Detected (replaced by rule #99031001) | Block | Enabled | |
| 942120 | SQLI | SQL Injection Attack: SQL Operator Detected | Block | Enabled | |
| 942140 | SQLI | SQL Injection Attack: Common DB Names Detected | Block | Enabled | |
| 942160 | SQLI | Detects blind sqli tests using sleep() or benchmark(). | Block | Enabled | |
| 942170 | SQLI | Detects SQL benchmark and sleep injection attempts including conditional queries | Block | Enabled | |
| 942180 | SQLI | Detects basic SQL authentication bypass attempts 1/3 | Block | Enabled | |
| 942190 | SQLI | Detects MSSQL code execution and information gathering attempts | Block | Enabled | |
| 942200 | SQLI | Detects MySQL comment-/space-obfuscated injections and backtick termination | Block | Enabled | |
| 942210 | SQLI | Detects chained SQL injection attempts 1/2 | Block | Enabled | |
| 942220 | SQLI | Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash | Block | Enabled | |
| 942230 | SQLI | Detects conditional SQL injection attempts | Block | Enabled | |
| 942240 | SQLI | Detects MySQL charset switch and MSSQL DoS attempts | Block | Enabled | |
| 942250 | SQLI | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections | Block | Enabled | |
| 942251 | SQLI | Detects HAVING injections | Block | Enabled | |
| 942260 | SQLI | Detects basic SQL authentication bypass attempts 2/3 | Block | Enabled | |
| 942270 | SQLI | Looking for basic sql injection. Common attack string for mysql, oracle and others. | Block | Enabled | |
| 942280 | SQLI | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts | Block | Enabled | |
| 942290 | SQLI | Finds basic MongoDB SQL injection attempts | Block | Enabled | |
| 942300 | SQLI | Detects MySQL comments, conditions and ch(a)r injections | Block | Enabled | |
| 942310 | SQLI | Detects chained SQL injection attempts 2/2 | Block | Enabled | |
| 942320 | SQLI | Detects MySQL and PostgreSQL stored procedure/function injections | Block | Enabled | |
| 942330 | SQLI | Detects classic SQL injection probings 1/3 | Block | Enabled | |
| 942340 | SQLI | Detects basic SQL authentication bypass attempts 3/3 | Block | Enabled | |
| 942350 | SQLI | Detects MySQL UDF injection and other data/structure manipulation attempts | Block | Enabled | |
| 942360 | SQLI | Detects concatenated basic SQL injection and SQLLFI attempts | Block | Enabled | |
| 942361 | SQLI | Detects basic SQL injection based on keyword alter or union | Block | Enabled | |
| 942370 | SQLI | Detects classic SQL injection probings 2/3 | Block | Enabled | |
| 942380 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942390 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942400 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942410 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942430 | SQLI | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) | Block | Enabled | |
| 942431 | SQLI | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) | Block | Enabled | |
| 942432 | SQLI | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) | Block | Enabled | |
| 942440 | SQLI | SQL Comment Sequence Detected. | Block | Enabled | |
| 942450 | SQLI | SQL Hex Encoding Identified | Block | Enabled | |
| 942470 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942480 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942490 | SQLI | Detects classic SQL injection probings 3/3 | Block | Enabled | |

FIX - Session Fixation attacks
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 943100 | FIX | Possible Session Fixation Attack: Setting Cookie Values in HTML | Block | Enabled | |

JAVA - Java attacks
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 944100 | JAVA | Java: possible payload execution | Block | Enabled | |
| 944110 | JAVA | Java: possible payload execution | Block | Enabled | |
| 944120 | JAVA | Java: possible payload execution | Block | Enabled | |
| 944200 | JAVA | Java: deserialization that could lead to payload execution | Block | Enabled | |
| 944210 | JAVA | Java: base64 attack that could lead to payload execution | Block | Enabled | |
| 944240 | JAVA | Java: possible payload execution | Block | Enabled | |
| 944250 | JAVA | Java: possible payload execution | Block | Enabled | |
| 944300 | JAVA | Java: base64 attack that could lead to payload execution | Block | Enabled | |