From 06cf9ab3cf959c2bf723fe31efa0fd405fc012f0 Mon Sep 17 00:00:00 2001
From: gauravakto
Date: Sat, 19 Jul 2025 19:18:33 +0530
Subject: [PATCH] Update LocalFileInclusion.yml
---
 Threat-Protection/LocalFileInclusion.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Threat-Protection/LocalFileInclusion.yml b/Threat-Protection/LocalFileInclusion.yml
index 5192a62a..b3df107e 100644
--- a/Threat-Protection/LocalFileInclusion.yml
+++ b/Threat-Protection/LocalFileInclusion.yml
@@ -3,13 +3,13 @@ filter:
 or:
 - request_payload:
 regex:
- - (?i)(?:^|[^a-zA-Z0-9])(?:(?:\.\.(?:/|\\|%2F|%5C))+\.?|(?:/|\\|%2F|%5C)(?:etc/passwd|proc/self/environ|windows/system\.ini)|php://(?:filter|input)|(?:/|\\|%2F|%5C)\w+\.(?:php|conf|ini|log)(?:%00)?)(?:$|[^a-zA-Z0-9])
+ - (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}[\x5c/;])
 - request_headers:
 regex:
- - (?i)(?:^|[^a-zA-Z0-9])(?:(?:\.\.(?:/|\\|%2F|%5C))+\.?|(?:/|\\|%2F|%5C)(?:etc/passwd|proc/self/environ|windows/system\.ini)|php://(?:filter|input)|(?:/|\\|%2F|%5C)\w+\.(?:php|conf|ini|log)(?:%00)?)(?:$|[^a-zA-Z0-9])
+ - (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}[\x5c/;])
 - url:
 regex:
- - (?i)(?:^|[^a-zA-Z0-9])(?:(?:\.\.(?:/|\\|%2F|%5C))+\.?|(?:/|\\|%2F|%5C)(?:etc/passwd|proc/self/environ|windows/system\.ini)|php://(?:filter|input)|(?:/|\\|%2F|%5C)\w+\.(?:php|conf|ini|log)(?:%00)?)(?:$|[^a-zA-Z0-9])
+ - (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}[\x5c/;])
 info:
 name: "LocalFileInclusionRFI"
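Review bot: The replacement pattern under `request_payload`, `request_headers` and `url` only matches a literal `/`, `\` or `;` around the dots, so the `%2F` and `%5C` separators that the removed pattern matched no longer trigger the rule unless the engine URL-decodes these fields before matching. That decoding is not visible in this hunk and should be confirmed; if it is not done, the encoded forms can be kept with `(?i)(?:^|[\x5c/;]|%2F|%5C)\.{2,3}(?:[\x5c/;]|%2F|%5C)`. The new pattern also drops the removed alternatives for `etc/passwd`, `proc/self/environ`, `windows/system\.ini` and `php://(?:filter|input)`, while the rule name is still `LocalFileInclusionRFI`; unless another rule now covers those, this is a detection regression, and the empty commit message should say which. Separately, the second alternative `[\x5c/;]\.{2,3}[\x5c/;]` is already contained in the first, so each entry reduces to `(?:^|[\x5c/;])\.{2,3}[\x5c/;]`. The `info` block continues outside the hunk.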