File: //etc/modsecurity.d/owasp/regex-assembly/944240.ra
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##! Rule 944240: Java serialization RCE (CVE-2015-4852) - PL2
##!
##! Detects Java deserialization class/method names commonly abused
##! in remote code execution attacks via Apache Commons Collections
##! and related libraries.
##! Same pattern as 944120 (PL1) but without the chained magic bytes check.
##!
##! Note: This rule uses t:lowercase transformation, so all patterns
##! are in lowercase.

##! Apache Commons Collections gadget classes
clonetransformer
forclosure
instantiatefactory
instantiatetransformer
invokertransformer
prototypeclonefactory
prototypeserializationfactory
whileclosure

##! Java property/IO classes used in exploitation chains
getproperty
filewriter

##! XML deserialization
xmldecoder
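
The following is an added example, not part of the Core Rule Set or of this file: a Python sketch of how the keyword list above behaves once `t:lowercase` is applied, and how dropping the chained magic bytes check widens what the PL2 rule matches. The magic-bytes pattern, the helper names and the sample inputs are assumptions constructed for illustration; the real toolchain emits an optimized regex rather than a plain alternation.

```python
import re

# Keywords copied from the 944240.ra listing above (already lowercase).
KEYWORDS = [
    "clonetransformer", "forclosure", "instantiatefactory",
    "instantiatetransformer", "invokertransformer", "prototypeclonefactory",
    "prototypeserializationfactory", "whileclosure",
    "getproperty", "filewriter", "xmldecoder",
]
KEYWORD_RE = re.compile("|".join(map(re.escape, KEYWORDS)))

# Assumption (not on the page): Java serialization stream header,
# raw bytes and the start of its base64 encoding.
MAGIC_RE = re.compile(r"\xac\xed\x00\x05|rO0AB")


def t_lowercase(value: str) -> str:
    """Stand-in for the t:lowercase transformation the rule applies."""
    return value.lower()


def match_pl2(value: str):
    """Keyword check only, as described for 944240. Returns the hit or None."""
    m = KEYWORD_RE.search(t_lowercase(value))
    return m.group(0) if m else None


def match_pl1(value: str):
    """Keyword check plus a stream-header check, sketching the 944120 idea."""
    if not MAGIC_RE.search(value):
        return None
    return match_pl2(value)


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "serialized": "\xac\xed\x00\x05sr\x00org.apache.commons.collections.functors.InvokerTransformer",
    "class_name_only": "class=org.apache.commons.collections.functors.InvokerTransformer",
    "forum_post": "How do I call System.getProperty in Java?",
    "benign": "name=alice&comment=hello",
}


def scan(samples):
    """Map each sample name to (pl1_hit, pl2_hit)."""
    return {k: (match_pl1(v), match_pl2(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name:16} PL1={hits[0]!s:20} PL2={hits[1]}")
```

The `forum_post` sample matches at PL2 only, which is the kind of false positive to expect and tune for when enabling this rule.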