FP 942100 MySQLi rule triggered? · Issue #1711 · coreruleset/coreruleset · GitHub

FP 942100 MySQLi rule triggered? #1711


Closed
CRS-migration-bot opened this issue May 13, 2020 · 4 comments

@CRS-migration-bot

Issue originally created by user jeremyjpj0916 on date 2020-03-05 06:56:17.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#1711.

Description

I am guessing this fires on just some keywords to trip a MySQLi?

Audit Logs / Triggered Rule Numbers

---XdNJFxoh---B--
POST /F5/status HTTP/1.1
content-length: 212
accept-encoding: gzip, deflate
Host: gateway-dev.company.com
Accept: */*
Postman-Token: 44007447-9226-4bf1-8c65-fe5e9febc882
cache-control: no-cache
User-Agent: PostmanRuntime/7.6.1
Connection: keep-alive
Content-Type: application/json

---XdNJFxoh---C--
{
        "address": [
          {
            "addr1": "2104 GRANT AVE #A",
            "addr2": "",
            "addr3": "",
            "city": "",
            "state": "",
            "zip": "",
            "county": "",
            "countryCode": " ",
            "type": ""
          }
        ]
}

---XdNJFxoh---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1knc found within ARGS:json.address.array_0.addr1: 2104 GRANT AVE #A"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/F5/status"] [unique_id "158339080551.721980"] [ref "v27,17"]

Linked my issue w dependency here: client9/libinjection#149

Your Environment

  • CRS version (e.g., v3.2.0): 3.2/master
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 3.0.4
@CRS-migration-bot
Author

User dune73 commented on date 2020-03-05 08:17:11:

Confirm. I can trigger this on 942100 as follows:

$> curl localhost -d "foo=2104 GRANT AVE #A"

@CRS-migration-bot
Author

User jeremyjpj0916 commented on date 2020-03-06 07:48:44:

UNION AVE on the other hand did not match a fingerprint. GRANT AVE citizens get rekt I suppose.

@CRS-migration-bot
Author

User jeremyjpj0916 commented on date 2020-04-30 19:41:18:

dune73 another one strikes again!

[id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nok1o found within ARGS:json.billingPreferenceList.array_0.billingPrefSourceInfo.billingPreferenceDescription: CLOSED - OPTION 1 / OPTION 3"]

Not sure what a nok1o is but it reminds me of the word Tokyo for some reason.

@franbuehler
Contributor
franbuehler commented Jun 2, 2020

This is a libinjection thing. So we can probably close it.
The problem has been reported to the libinjection developers.
#1779 (comment)
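
A triage helper for the two hits reported above, as an added example that is not part of the original thread or of the CRS project: it parses the `[id ...]` and `[data ...]` fields of a ModSecurity log line, spells out the libinjection fingerprint letters as token types, and emits a `SecRuleUpdateTargetById` exclusion for the affected argument. The function names and the choice of a per-argument exclusion as the mitigation are assumptions of this example.

```python
import re

# libinjection SQLi token-type letters (subset relevant to these fingerprints).
TOKEN_TYPES = {
    "1": "number", "n": "bareword", "k": "keyword", "o": "operator",
    "c": "comment", "s": "string", "v": "variable", "f": "function",
    "U": "union", "E": "expression", "B": "group", "&": "logic operator",
}

ID_RE = re.compile(r'\[id "(\d+)"\]')
DATA_RE = re.compile(
    r'\[data "Matched Data: (\S+) found within ([A-Z_]+:[^:\s]+): (.*?)"\]'
)

# The two hits reported in this thread, abridged to the fields parsed here.
SAMPLE_LINES = [
    '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: 1knc found within '
    'ARGS:json.address.array_0.addr1: 2104 GRANT AVE #A"] [severity "2"]',
    '[id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: nok1o found within '
    'ARGS:json.billingPreferenceList.array_0.billingPrefSourceInfo.'
    'billingPreferenceDescription: CLOSED - OPTION 1 / OPTION 3"]',
]

def parse_hit(line):
    """Return rule id, fingerprint, variable and value, or None if absent."""
    rule_id = ID_RE.search(line)
    data = DATA_RE.search(line)
    if not (rule_id and data):
        return None
    fingerprint, var, value = data.groups()
    return {"id": rule_id.group(1), "fingerprint": fingerprint,
            "var": var, "value": value}

def decode(fingerprint):
    """Map each fingerprint letter to its token type name."""
    return [TOKEN_TYPES.get(ch, "unknown") for ch in fingerprint]

def exclusion(hit):
    """Exclusion for this exact argument name only (array_0, not array_1)."""
    return 'SecRuleUpdateTargetById %s "!%s"' % (hit["id"], hit["var"])

if __name__ == "__main__":
    for hit in filter(None, map(parse_hit, SAMPLE_LINES)):
        print(hit["fingerprint"], "=", ", ".join(decode(hit["fingerprint"])))
        print("  value:", hit["value"])
        print("  ", exclusion(hit))
```

For the first hit this prints number, keyword, bareword, comment, which lines up with `2104`, `GRANT`, `AVE` and `#A`. The emitted directive removes only that one argument from rule 942100 and has to be loaded after the CRS rule files.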
