The following rule blocks a basic XSS probe: it looks for the literal pattern <script> in the request parameters and request headers and, on a match, denies the request with a 404 status and logs the message 'XSS Attack'. Note that @rx is a case-sensitive regular-expression match and no transformations are applied, so this rule only catches the exact lowercase string <script>; it is a teaching example, not a complete XSS defence (the OWASP Core Rule Set applies case-folding and decoding transformations before matching for this reason).

SecRule ARGS|REQUEST_HEADERS "@rx <script>" \
    "id:101,\
    deny,\
    status:404,\
    msg:'XSS Attack'"

Variables

Details about the variables in this rule example are in the table below. The two targets are joined with |, so the operator is run against every value in both collections:

Variable          Definition
ARGS              Request parameters: the URL-decoded values of all query-string and request-body (form) parameters
REQUEST_HEADERS   All of the request headers (each header value is inspected separately)

Operator

"@rx <script>" – Performs a regular expression match of the pattern provided as a parameter (in this case the literal <script>) against each target value. The match is case-sensitive, and because the rule lists no t: transformations, variants such as <SCRIPT> or <script src=...> are not matched.

Actions

Details of the actions contained in this rule example are provided in the table below:

Action(s)              Description
id, msg, deny, status  These are all of the actions performed when the pattern is matched.
id:101                 The unique ID assigned to the rule (or chain) in which it appears. Every rule must have one.
msg:'XSS Attack'       The custom message (XSS Attack) assigned to the rule (or chain) in which it appears; it is written to the error and audit logs when the rule matches.
deny                   Stops rule processing and intercepts the transaction. This is a disruptive action.
status:404             Specifies the response status code (404) to use with the deny and redirect actions.