# WAF Protection Catalog
This is the canonical list of every protection Barbacana ships. It's the source you name in a route's disable: or enable: list, the values you'll see in matched_protections in the audit log, and the labels on waf_* Prometheus metrics.
**Generated from the binary.** This page mirrors the output of `barbacana --catalog list`. Run that command against your installed binary to see exactly the catalog your build is enforcing — versions can drift if you don't upgrade in lockstep with these docs. `barbacana --catalog show <leaf-name>` prints a single leaf with its full rationale.
## How to read this page
Protections are organized in three levels:
- L1 family (sql, php, cross-site-scripting, response-headers, …) — the broadest disable. Turning off sql disables every SQL-related leaf.
- L2 bucket (sql-injection, sql-data-leakage, …) — a sub-class. Turning off sql-injection disables all SQLi leaves but keeps DB-error masking active.
- Leaf (sql-injection-union-select, …) — a single detection technique. The most specific name and the one you'll typically reach for to silence a false positive.
Both disable: and enable: accept any level. More specific wins — a leaf in enable: re-enables itself even if its L2 or L1 is in disable:, and the reverse for a leaf in disable:.
The Default column is the out-of-the-box state. `on` leaves run on every request unless you disable them; `off` leaves are opt-in via enable:. The When to toggle column gives the per-leaf rationale: for `on` leaves it's "why disable" (legitimate inputs that would FP), and for `off` leaves it's "why enable" (the extra coverage you opt into).
Off-by-default leaves fall into two groups:
- Aggressive variants of an on-by-default detector (e.g. sql-injection-always-true, command-injection-english-words) — they catch more attacks but produce false positives on natural-language input.
- Response headers and HTTP-compliance checks that only make sense once tuned (response-headers-add-csp, response-headers-add-coop, http-compliance-accept-header) — there's no value strict enough to matter that's safe to apply universally. See the security headers reference for how to enable each one.
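Worked example of the precedence rule in this section (any level in disable:/enable:, most specific name wins). This is an added illustration, not Barbacana's own code: it runs against a constructed six-leaf excerpt of the catalog, and two behaviours the page does not specify are assumptions here: a name the catalog does not know is rejected rather than ignored, and the same name in both lists at the same level is treated as a configuration error.

```python
"""Route-level resolution of disable:/enable: lists against the catalog.

Added example, not part of Barbacana. Models the documented rule: a name may
be an L1 family, an L2 bucket or a leaf, and the most specific match decides
whether a leaf runs. Assumptions beyond the page: unknown names raise, and a
name present in both lists at the same level raises.
"""

# Constructed excerpt of the catalog: leaf -> (L2 bucket, L1 family, default).
CATALOG = {
    "sql-injection-generic":      ("sql-injection",    "sql", "on"),
    "sql-injection-union-select": ("sql-injection",    "sql", "on"),
    "sql-injection-always-true":  ("sql-injection",    "sql", "off"),
    "sql-data-leakage-mysql":     ("sql-data-leakage", "sql", "on"),
    "sql-data-leakage-postgres":  ("sql-data-leakage", "sql", "on"),
    "php-injection-open-tags":    ("php-injection",    "php", "on"),
}

LEAF, L2, L1, DEFAULT = 3, 2, 1, 0   # specificity ranks; higher wins


def known_names():
    """Every name a route may legitimately put in disable: or enable:."""
    names = set(CATALOG)
    for l2, l1, _ in CATALOG.values():
        names.update((l2, l1))
    return names


def rank_for(name, leaf):
    """Specificity at which `name` applies to `leaf`, or None if unrelated."""
    l2, l1, _ = CATALOG[leaf]
    if name == leaf:
        return LEAF
    if name == l2:
        return L2
    if name == l1:
        return L1
    return None


def effective_leaves(disable=(), enable=()):
    """Return the set of leaves that will run on a route with these lists."""
    unknown = (set(disable) | set(enable)) - known_names()
    if unknown:  # assumption: a typo should fail loudly, not silently no-op
        raise ValueError(f"unknown protection name(s): {sorted(unknown)}")
    active = set()
    for leaf, (_, _, default) in CATALOG.items():
        best_rank, state = DEFAULT, default == "on"   # rank 0: the Default column
        for names, wanted in ((disable, False), (enable, True)):
            for name in names:
                rank = rank_for(name, leaf)
                if rank is None:
                    continue
                # Same rank means the same name (a leaf has one L2 and one L1),
                # so a differing verdict is a contradiction in the route config.
                if rank == best_rank and wanted != state:
                    raise ValueError(f"{name} is in both disable: and enable:")
                if rank > best_rank:        # more specific wins, whichever list
                    best_rank, state = rank, wanted
        if state:
            active.add(leaf)
    return active


if __name__ == "__main__":
    # The hosted DB-as-a-service case: silence SQLi, keep error masking on.
    print(sorted(effective_leaves(disable=["sql-injection"])))
```

Note that in this model an L1 or L2 name in enable: also switches on that group's off-by-default leaves; the page does not say whether Barbacana does the same.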
## sql
SQL-related protection: injection detection across all dialects plus per-vendor error-leakage detection.
L1-level disable: Safe to disable when your app has no SQL backend at all (e.g., NoSQL-only API, no DB).
### sql-injection
Server-side SQL injection detection.
L2-level disable: Disable when you have a hosted DB-as-a-service that enforces queries server-side (Supabase, Hasura) and want to keep error masking active at L2 sql-data-leakage.
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
| sql-injection-generic | on | CWE-89 | 942100, 942101 | Generic SQLi detection via the libinjection tokenizer — recognizes SQL fingerprints across many dialects without per-dialect regex. | Disable only if generic detection produces FPs that more specific leaves don't cover. Rare. |
| sql-injection-generic-aggressive | off | CWE-89 | 942330, 942370, 942380, 942390, 942400, 942470, 942480, 942490 | Broad-stroke SQLi probe patterns supplementing the tokenizer. Aggressive variant of sql-injection-generic; same detection family, higher FP cost. | Enable for paranoid SQLi coverage on hardened environments where the tokenizer's coverage isn't enough. FP rates are non-trivial on free-text inputs — pair with route-level accepts: [text] to scope it. |
| sql-injection-operators | on | CWE-89 | 942120, 942250, 942251 | Detects SQL operator keywords in suspicious positions — MATCH AGAINST, HAVING, LIKE followed by single-char tokens. | Disable if SQL operator names (AND, OR, LIKE, MATCH, HAVING) appear legitimately in free-text inputs — for example, search queries against a literature corpus. |
| sql-injection-function-calls | on | CWE-89 | 942150, 942151, 942152, 942410 | Detects SQL function names in suspicious positions (CHAR(), CONVERT(), SUBSTRING(), vendor-specific helpers) used to avoid quote literals. | Disable if SQL function names appear legitimately in inputs — for example, a SQL-reference docs site. |
| sql-injection-system-schema-names | on | CWE-89 | 942140 | Detects reserved schema/database names in inputs (information_schema, pg_catalog, mysql.user) — fingerprint of reconnaissance probes. | Disable if your app legitimately echoes DB/schema names — for example, a DBA dashboard or SQL documentation site. |
| sql-injection-sql-comments | on | CWE-89 | 942440, 942500 | MySQL inline-comment markers and comment-sequence detection — used to bypass keyword filters by commenting out tokens mid-query. | Disable if input legitimately contains `/* */` or # comment markers — for example, a SQL editor or comment-rich free text. |
| sql-injection-comments-in-json | off | CWE-89 | 942200 | Aggressive variant — fires on , "key":"... patterns common in multi-key JSON bodies. Detects real MySQL comment/space-obfuscation but blocks ordinary JSON when active. | Enable only on routes that don't accept JSON bodies with multiple keys, or in detect-only mode. FP-prone on ordinary multi-key JSON. |
| sql-injection-backticks | on | CWE-89 | 942510, 942511 | Backtick bypass — id-style identifier quoting used to evade simple regex filters. | Disable if input legitimately contains backticks — for example, a Markdown editor or code-snippet tool. |
| sql-injection-hex-encoded | on | CWE-89 | 942450 | Hex-encoded SQLi payloads (0x5365…) — used to bypass quote/keyword filters by passing the payload as binary. | Disable if input legitimately contains long hex strings — for example, a binary-blob upload echoed back. |
| sql-injection-string-concatenation | on | CWE-89 | 942360, 942362 | Concatenated SQLi (CONCAT(), \|\|-style concatenation operators). | Disable if input legitimately contains SQL concat syntax — for example, a SQL playground. |
| sql-injection-special-character-density | off | CWE-89 | 942420, 942421, 942430, 942431, 942432, 942460 | Meta-character anomaly detection — flags args/cookies with abnormal density of SQL meta-characters. Strict thresholds at higher paranoia tiers. | Enable for paranoid coverage on locked-down routes where high density of SQL meta-characters in inputs is anomalous. |
| sql-injection-time-based | on | CWE-89 | 942160, 942170, 942280 | Time-based blind SQLi: sleep(), benchmark(), pg_sleep(), WAITFOR DELAY. The attacker can't see results so they exfiltrate via response timing. | Disable if upstream legitimately runs slow queries that mention timing functions — for example, a query-builder tool. |
| sql-injection-always-true | off | CWE-89 | 942130, 942131 | Boolean-based SQLi tautology detection (' OR '1'='1, 1=1, ' OR true). | Enable when broader tautology coverage matters and your inputs don't contain English or/and near digits or quotes. FP-prone on natural-language inputs. |
| sql-injection-union-select | on | CWE-89 | 942270, 942361 | Detects UNION SELECT and ALTER TABLE probe patterns. | Disable if input legitimately contains UNION/SELECT keywords — for example, a SQL-tutorial site. |
| sql-injection-if-statements | on | CWE-89 | 942230, 942300 | Conditional SQLi probes — IF(1=1, ...), CASE WHEN ..., comment-conditional injection. | Disable if input legitimately contains conditional SQL syntax — for example, a SQL editor preview. |
| sql-injection-multiple-statements | off | CWE-89 | 942210, 942310 | Chained SQLi — multiple statements separated by ;, used to append a DROP TABLE to a query. | Enable for hardened environments where multi-statement payloads (;-separated statements) warrant detection. |
| sql-injection-query-closers | on | CWE-89 | 942530 | Query-termination markers ('-- , ';--, ';#) — the classic SQLi closer that comments out the rest of the original query. | Disable if your app stores raw SQL queries — for example, a SQL playground or admin console. |
| sql-injection-overflow-probes | on | CWE-89 | 942220 | Detects integer-overflow probe values from skipfish-style fuzzers (2.2250738585072011e-308 and similar). | Rarely worth disabling. |
| sql-injection-login-bypass | on | CWE-89, CWE-287 | 942180, 942260, 942520, 942522, 942540 | Detects login-bypass SQLi patterns — ' UNION SELECT, split-query attacks, concat-bypass. | Disable if your auth flow legitimately accepts SQL-shaped strings. Extremely rare. |
| sql-injection-quotes-in-text | off | CWE-89, CWE-287 | 942521 | Aggressive variant — catches FP-prone auth-bypass shapes that fire on JSON values containing apostrophes. Detects real attacks but at significant FP cost. | Enable only on closed-corpus apps where input is API-shaped (no apostrophe-containing free text). FP-prone on names like "O'Brien" and product names like "d'or 1st". |
| sql-injection-mssql-specific | on | CWE-89 | 942190, 942240 | MSSQL-specific code execution patterns (xp_cmdshell, OPENROWSET, charset-switch DoS). | Disable if no MSSQL backend exists. |
| sql-injection-stored-procedures | on | CWE-89 | 942320, 942321, 942350 | Detects stored-procedure invocation patterns and MySQL UDF injection (CREATE FUNCTION lib_mysqludf_sys_exec). | Disable if you don't use MySQL/PostgreSQL stored procedures (or any at all). |
| sql-injection-mongodb-operators | on | CWE-943 | 942290 | MongoDB-style NoSQLi — {$ne: null}, {$gt: ""}, JSON-shaped operator injection. | Disable if no MongoDB backend exists or your driver uses parameterized queries. |
| sql-injection-json-operators | on | CWE-89 | 942550 | JSON-based SQLi — payloads exploiting JSON-aware query syntax in MySQL 5.7+ / PostgreSQL JSON operators. | Disable if your DB driver uses parameterized JSON arguments. |
| sql-injection-scientific-notation | on | CWE-89 | 942560 | Scientific-notation SQLi payloads exploiting MySQL's lax numeric parsing (1e0 parses to 1) to slip through filters that match decimal digits. | Rarely worth disabling. |
### sql-data-leakage
Per-vendor SQL error leakage detection in responses. Each leaf catches that vendor's distinctive error format.
L2-level disable: Disable if your app already masks DB errors at the framework layer (no DB error ever reaches the response body).
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
| sql-data-leakage-mssql | on | CWE-209 | 951220 | MSSQL error patterns (Unclosed quotation mark, Microsoft OLE DB Provider, [SQL Server]). | Disable if no MSSQL backend exists. |
| sql-data-leakage-msaccess | on | CWE-209 | 951110 | Microsoft Access error patterns (Microsoft JET Database Engine, Syntax error in query expression). | Disable if no MS Access backend exists. |
| sql-data-leakage-oracle | on | CWE-209 | 951120 | Oracle error patterns (ORA-, PL/SQL, Oracle Database). | Disable if no Oracle backend exists. |
| sql-data-leakage-db2 | on | CWE-209 | 951130 | IBM DB2 error patterns (DB2 SQL error, SQLCODE=). | Disable if no DB2 backend exists. |
| sql-data-leakage-informix | on | CWE-209 | 951180 | Informix error patterns. | Disable if no Informix backend exists. |
| sql-data-leakage-sybase | on | CWE-209 | 951260 | Sybase error patterns. | Disable if no Sybase backend exists. |
| sql-data-leakage-mysql | on | CWE-209 | 951230 | MySQL error patterns (You have an error in your SQL syntax, mysql_fetch_array()). | Disable if no MySQL backend exists. |
| sql-data-leakage-postgres | on | CWE-209 | 951240 | PostgreSQL error patterns (ERROR: invalid input syntax, pg_query()). | Disable if no PostgreSQL backend exists. |
| sql-data-leakage-sqlite | on | CWE-209 | 951250 | SQLite error patterns (SQLite/JDBCDriver, near "...": syntax error). | Disable if no SQLite backend exists. |
| sql-data-leakage-firebird | on | CWE-209 | 951150 | Firebird error patterns. | Disable if no Firebird backend exists. |
| sql-data-leakage-frontbase | on | CWE-209 | 951160 | Frontbase error patterns. | Disable if no Frontbase backend exists. |
| sql-data-leakage-hsqldb | on | CWE-209 | 951170 | HSQLDB error patterns. | Disable if no HSQLDB backend exists. |
| sql-data-leakage-ingres | on | CWE-209 | 951190 | Ingres error patterns. | Disable if no Ingres backend exists. |
| sql-data-leakage-interbase | on | CWE-209 | 951200 | Interbase error patterns. | Disable if no Interbase backend exists. |
| sql-data-leakage-maxdb | on | CWE-209 | 951210 | MaxDB error patterns. | Disable if no MaxDB backend exists. |
| sql-data-leakage-emc | on | CWE-209 | 951140 | EMC SQL error patterns. | Disable if no EMC DB backend exists. |
## php
PHP-specific attack and leakage detection.
L1-level disable: Safe to disable when your app stack has no PHP anywhere.
### php-injection
Server-side PHP code-injection patterns — open tags, function-name calls, stream wrappers, object deserialization, variable abuse.
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
| php-injection-open-tags | on | CWE-94 | 933100, 933190 | Detects literal `<?php`, `<?=`, or `?>` markers in inputs — the basic shape of an attempt to inject inline PHP for server-side evaluation. | Disable if your app legitimately accepts PHP source as content — for example, a PHP-snippet paste service or a CMS storing raw PHP. |
| php-injection-script-upload | on | CWE-434 | 933110, 933111, 933220 | Catches uploads whose filename or body indicates a PHP script. Also catches PHP session-file uploads — the classic "upload your shell" attack against insecure upload endpoints. | Disable if your app legitimately accepts uploaded .php/.phtml files — for example, a code-hosting service. |
| php-injection-config-directives | on | CWE-94 | 933120 | Detects php.ini-style directive names (allow_url_include, auto_prepend_file, etc.) in request arguments. | Disable if your app legitimately accepts php.ini-style configuration as input. Very rare. |
| php-injection-superglobal-names | on | CWE-94 | 933130, 933131, 933135 | Catches $_GET, $_POST, $GLOBALS, etc. being passed as input — used in attacks that try to override or read PHP-internal variables. | Disable if input legitimately includes PHP superglobal names as values — for example, a security-research tool or PHP documentation site. |
| php-injection-stream-wrappers | on | CWE-94, CWE-98 | 933140, 933200 | Detects PHP stream wrapper schemes (php://, phar://, expect://, data://) in inputs — used to bypass include/fopen filters and trigger code execution or arbitrary file reads. Includes phar:// deserialization patterns. | Disable if you legitimately reflect URI strings containing php://, data://, etc. into responses for documentation purposes. |
| php-injection-dangerous-functions | on | CWE-94, CWE-95 | 933150, 933160 | Detects high-risk PHP function names (eval, assert, system, exec, passthru, shell_exec, popen, proc_open) in request arguments. Strong RCE signal. | Disable if your app legitimately exposes PHP function names as data. Very rare; likely a docs site for PHP. |
| php-injection-suspicious-functions-aggressive | off | CWE-94 | 933151, 933152, 933153, 933161 | Medium-risk and low-value PHP function-name patterns (base64_decode, gzinflate, str_rot13, file-system helpers, low-value identifiers) in inputs. Aggressive variant of php-injection-dangerous-functions. | Enable in conjunction with php-injection-dangerous-functions if your app has no PHP backend and you want broader coverage. FP rate higher because function names overlap common English words; low-value patterns folded into the same aggressive variant. |
| php-injection-serialized-objects | on | CWE-502 | 933170 | Detects PHP-serialized object literals (O:5:"Class":3:{...}) in request inputs — the trigger pattern for unserialize-based RCE chains (PHPGGC). | Disable if your app legitimately accepts serialized PHP objects as input — for example, a debugger interface. |
| php-injection-indirect-function-calls | on | CWE-94 | 933180, 933210, 933211 | Catches indirect-call syntax $foo($bar) and variable-named function references — used in obfuscated PHP RCE payloads to evade static-name detectors. | Disable only if your app deliberately exposes PHP variable-function call syntax as data. |
### php-data-leakage
PHP info / source disclosure detection in responses.
L2-level disable: Disable if your app already masks PHP errors at the framework layer (custom error pages, sentry-style sink).
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
| php-data-leakage-version-info | on | CWE-200 | 953100, 953101 | Detects PHP information-disclosure markers in responses (PHP Version, Loaded Configuration File, Server API, etc.) — the classic phpinfo() output. | Disable if your app intentionally exposes a phpinfo()-style endpoint. Debug builds only — never in production. |
| php-data-leakage-source-code | on | CWE-540 | 953110, 953120 | Detects PHP source-code patterns in response bodies — fires when a misconfigured server returns .php files as text instead of executing them. | Disable if your app legitimately echoes PHP source — for example, a code-hosting service or paste tool. |
## java
Java-specific attack and leakage detection.
L1-level disable: Safe to disable when your app stack has no Java anywhere.
### java-injection
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
| java-injection-class-and-method-names | on | CWE-94 | 944100, 944130, 944250, 944260 | Detects suspicious Java class names and method-invocation patterns in inputs (java.lang.Runtime, ProcessBuilder, URLClassLoader, getRuntime().exec()) — typical in OGNL/EL/Spring-style RCE payloads. | Disable if your app legitimately exposes Java class names or method-invocation patterns as data — for example, a JVM diagnostic tool. |
| java-injection-struts2-runtime-exec | on | CWE-78, CWE-94 | 944110 | Specifically targets the Struts2 process-spawn pattern from CVE-2017-9805 (XML payload triggers Runtime.exec). | Disable when you've ruled out Struts2 entirely. |
| java-injection-serialized-objects | on | CWE-502 | 944120, 944200, 944210, 944240 | Detects Java serialized-object magic bytes (AC ED 00 05) and base64-encoded variants — the trigger for ysoserial-style deserialization gadget chains (CVE-2015-4852 family). | Disable if your app legitimately accepts serialized Java objects — for example, a debugging or replication endpoint. |
| java-injection-script-upload | on | CWE-434 | 944140 | Catches JSP/JSPX script uploads — the classic "upload your webshell" attack against Tomcat-based stacks. | Disable if your app legitimately accepts uploaded .jsp/.jspx files — for example, an enterprise CMS for JSP authoring. |
| java-injection-log4shell | on | CWE-917 | 944150, 944151, 944152 | Log4Shell detection — matches ${jndi:ldap://...} / ${jndi:rmi://...} and obfuscated variants (${${::-j}ndi:...}). | Disable when you've fully migrated off vulnerable Log4j versions and want to reduce overhead. |
| java-injection-base64-encoded-keywords | off | CWE-94 | 944300 | Detects base64-encoded text whose decode hits a Java-suspicious keyword (java.lang., Runtime, ProcessBuilder). | Enable for hardened environments where suspicious base64 strings in inputs warrant detection. |
### java-data-leakage
Java response-side error/stack-trace leakage.
L2-level disable: Disable if your app already masks Java errors at the framework layer (custom error pages, Spring's ResponseEntityExceptionHandler).
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
| java-data-leakage-stack-trace | on | CWE-209 | 952110 | Detects Java stack-trace markers in responses (java.lang.NullPointerException, at com.example…) — fires when an unhandled exception leaks to clients. | Disable if your app already masks Java errors at the framework layer — for example, custom error pages or Spring's ResponseEntityExceptionHandler. |
## ruby
Ruby-specific attack and leakage detection.
L1-level disable: Safe to disable when your app stack has no Ruby anywhere.
### ruby-injection
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
| ruby-injection-system-calls | on | CWE-78, CWE-94 | 934150 | Detects Ruby code-injection patterns in inputs — system(), eval(), IO.popen, ERB-style injection, backticks. | Disable if no Ruby runtime is involved at any layer. |
### ruby-data-leakage
Ruby info / source disclosure detection in responses.
L2-level disable: Disable if your app already masks Ruby errors at the framework layer.
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
| ruby-data-leakage-version-info | on | CWE-200 | 956100 | Detects Ruby information-disclosure markers in responses (Ruby on Rails, RubyGems, version banners). | Disable if responses legitimately mention Ruby version banners. |
| ruby-data-leakage-source-code | off | CWE-540 | 956110 | Detects Ruby source-code patterns in response bodies — def/end blocks, class X < Y, require '...'. | Enable to detect raw Ruby source leakage when misconfigured servers serve .rb files as text. Off by default because patterns can match Ruby-discussion forum posts. |
## perl
Perl-specific attack detection.
L1-level disable: Safe to disable when no Perl backend exists.
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
| perl-injection-system-calls | on | CWE-78, CWE-94 | 934140 | Detects Perl injection patterns in inputs — system, exec, qx{}, backticks, open() with shell-mode. | Disable if no Perl backend exists. |
## iis
Microsoft IIS-specific response-side disclosure detection. The family currently has only leakage rules; the L2 bucket is named iis-data-leakage for symmetry with other language families and to leave room for future injection-side rules.
L1-level disable: Safe to disable when you don't run IIS anywhere.
### iis-data-leakage
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
| iis-data-leakage-install-paths | on | CWE-200, CWE-540 | 954100, 954101 | Detects IIS install paths in responses (C:\inetpub\wwwroot\, C:\Windows\System32\inetsrv). | Disable if responses legitimately reference IIS paths. |
| iis-data-leakage-availability-errors | on | CWE-209 | 954110 | Detects IIS application-availability error messages (HTTP Error 500.0 - Internal Server Error). | Disable for non-IIS stacks. |
| iis-data-leakage-version-headers | on | CWE-200 | 954120, 954130 | Detects IIS information disclosure (X-AspNet-Version-style version banners in responses). | Disable for non-IIS stacks. |
## javascript
JavaScript-runtime attack detection — covers Node.js, Bun, Deno, browser JS, anywhere eval happens.
L1-level disable: Safe to disable when your app is sandboxed/serverless with no JS runtime, or front-end-only.
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
| javascript-injection-eval | on | CWE-94, CWE-95 | 934100, 934101 | Detects JS code-injection patterns: eval(, new Function(, module.exports=, child_process, process.binding, require(...). | Disable if your app legitimately accepts JS source as input — for example, a JS sandbox or playground. |
| javascript-infinite-loops | on | CWE-400, CWE-1333 | 934160 | Detects JS infinite-loop ReDoS patterns: while(!0), while(1), while(true) constructs that always evaluate true. Universal across JS engines. | Rarely worth disabling. |
| javascript-prototype-pollution | on | CWE-1321 | 934130 | Detects `__proto__` and constructor.prototype in inputs — JS prototype-chain manipulation. Universal across Node, Bun, Deno, browser. | Disable if your app legitimately accepts `__proto__`-shaped JSON — for example, some legacy serialization formats. |
## cross-site-scripting
XSS detection across all contexts and evasion techniques.
L1-level disable: Safe to disable when your service is API-only with no HTML rendering anywhere.
### cross-site-scripting-html-context
XSS vectors in HTML output context — tags, event handlers, attributes, broader injection markers.
| ID | Default | CWE | Rule IDs | What it does | When to toggle |
|---|---|---|---|---|---|
cross-site-scripting-script-tags |
on | CWE-79 | 941100, 941101, 941110 | Detects
|