Issue for tracking original pull request created by user emphazer on date 2017-09-14 06:40:54.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#884.
HEAD is: 764e20669a2c8246e2885abed9e5041cb934fb2b
BASE is: babbbf2
Rule 942370 has led to many false positives on a recent implementation of a CMS. Here is an extract of the POST request body that matched:
This kind of payload is not out of the ordinary for certain CMS.
The only part that actually matched is ";}2c0 . It was only matched by a small portion of the regular expression, which is completely separated from the rest of the regexp by an OR-operator.
This separation means that said part of the expression acts like a completely separate rule. That rule seems to be very sensitive. It only requires a quotation mark followed by a special character, then two random numbers that may be separated, for example "#22 would match. This seems to be too strict to include in PL2. Because of its sensitivity, it seems to be a perfect addition to rule 942460, which is in PL3 and matches any four special characters in sequence.
Therefore, I would suggest splitting the rule in two and moving this sensitive part to PL3.
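The following is an added illustration of the point made in this issue, not code from the issue author or from the CRS project. The two regular expressions are constructed stand-ins (they are not the real 942370 or 942460 patterns): one models the sensitive fragment described above (a quote, one or more special characters, then two digits that may be separated by one other character), the other is a placeholder for the rest of the rule. The sample payloads are constructed as well; `matched_branches`, `blocked_at` and `RULES_BY_PL` are names chosen here. It shows that each side of a regex alternation fires on its own, so the sensitive branch alone hits an ordinary serialized CMS field, and that moving that branch to a separate PL3 rule stops the PL2 false positive without losing the PL2 match on a real tautology.

```python
import re

# Constructed stand-ins, NOT the real CRS 942370 / 942460 expressions.
# SENSITIVE_BRANCH models the fragment the issue describes: a quote, one or more
# special characters, then two digits that may be separated by one other character.
SENSITIVE_BRANCH = r"""['"][^\w\s]+\d.?\d"""
# MAIN_BRANCH is a placeholder for the rest of the rule (a tautology such as ' or 1=1).
MAIN_BRANCH = r"""['"]\s*or\s+\d+\s*=\s*\d+"""

FLAGS = re.IGNORECASE
# The original (unsplit) shape: both halves joined by an OR-operator.
COMBINED = re.compile(f"(?:{MAIN_BRANCH})|(?:{SENSITIVE_BRANCH})", FLAGS)


def matched_branches(payload: str) -> dict:
    """Report which alternative fires on a payload. Because the alternatives
    are independent, the combined rule matches whenever either branch does."""
    return {
        "combined": COMBINED.search(payload) is not None,
        "main": re.search(MAIN_BRANCH, payload, FLAGS) is not None,
        "sensitive": re.search(SENSITIVE_BRANCH, payload, FLAGS) is not None,
    }


# The proposed split (hypothetical layout): the main branch stays at PL2,
# the sensitive branch becomes its own rule at PL3.
RULES_BY_PL = {
    2: [re.compile(MAIN_BRANCH, FLAGS)],
    3: [re.compile(SENSITIVE_BRANCH, FLAGS)],
}


def blocked_at(payload: str, paranoia_level: int) -> bool:
    """True if any rule at or below the configured paranoia level matches."""
    return any(
        rule.search(payload) is not None
        for pl, rules in RULES_BY_PL.items()
        if pl <= paranoia_level
        for rule in rules
    )


# Constructed samples: a PHP-serialized-looking CMS field ending in the fragment
# quoted in the issue, the short fragment from the issue, a genuine tautology,
# and a benign string.
SAMPLES = {
    "cms_serialized": 'a:1:{s:3:"key";s:5:"value";}2c0',
    "quoted_fragment": '"#22',
    "sqli": "' or 1=1",
    "benign": "hello world 42",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, matched_branches(payload),
              "PL2:", blocked_at(payload, 2), "PL3:", blocked_at(payload, 3))
```

Running the block shows the serialized CMS field matching the combined rule through the sensitive branch only, and no longer matching at PL2 once that branch lives in its own PL3 rule; the tautology sample is still caught at PL2 by the main branch.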