942310 regular suspected error #2118
Comments
|
Hi again @NiceYouKnow 👋 Thanks again for your very welcome issue! |
|
I searched all source files for The regexes that contain regexp-942400.data:\band\b\s+\d{1,10}\s*?[=<>] Rule 942400 is at PL2. We have to discuss if we want to extend the detection at PL1 or PL2 is enough... |
|
may have a problem, and I cannot understand the payload it can hit. |
|
Ok, I misunderstood your problem. 😀 I also don't know which payload was meant here with this regex: Some examples that probably don't make sense 😉 But so we can understand the pattern: Maybe someone with SQLi knowhow can help us? |
|
Do you know what payload should be detected with I tried to write some examples which probably don't make sense: Could you please help us here? |
|
Hi @franbuehler sorry for being late. Agree with you, It doesn't make sense to me too. If we're talking about SQL I doubt that |
|
Could somebody come up with a status update here? |
|
My idea is to remove this regularity because it doesn't make sense to me. I don't know what others think. thanks~ ^~^ |
|
Yes, in my opinion this regex can be removed from the source file and the regex can be regenerated for the rule 942400. |
|
Thank you @NiceYouKnow. A PR sounds like a decent plan, yes. |
|
@franbuehler, The modified rule should be 942310, not 942400, ^~^. I'll submit PR later. |
|
Thank you @NiceYouKnow. I co-assigned the issue to you too. |
|
I don't agree that we should remove it. We don't know what it does and it is different enough from the rest that it appears to be there on purpose (e.g. not just copy pasta). For example, why does the match require at least one space after the quotes? That seems very specific. Since we don't know what it does we open us up to an attack. Of course, I'm no SQL expert, it's conceivable that the expression contains an error that cripples the rule. I just want to be sure that we know what we are doing here. |
|
During our monthly issue chat meeting, we decided to first find out the intention behind this rule before removing it. |
|
We talked this through in our issue chat. In the end we are not really sure what this part of the regex is all about, but we are not 100% sure it's benign / an error. So we concluded we are going to ask @theMiddleBlue to take this to twitter and ask if any of the red teamers out there can come up with an example attacking payload that is being matched by the regex in https://regex101.com/r/olcs1Q/1? If we do not get any useful feedback, we will drop it and the PR by @NiceYouKnow is welcome. @theMiddleBlue can you help us here? If yes, please do your tweet and the CRS twitter will RT. |
|
This is a bit of a guess, but maybe it's helpful… The oldest comments I could find that are related to this regular expression gave some "Example Payloads Detected" which made use of compound assignment, e.g. That made me wonder if the |
https://twitter.com/AndreaTheMiddle/status/1427618583354413076?s=20 |
|
I looked up the relevant information and found nothing to match. |
|
Thank you guys. Retweeted with the coreruleset account. We'll see. |
|
OK, no responses to the tweet and nothing substantial to confirm the idea the regex is correct. Thank you for your alternative proposal @RedXanadu. So I guess it's time for your fix / PR @NiceYouKnow. Thank you for your support. |
|
I just spent some time with this too. The longer I look at it the more it seems to me that the expression contains at least one typo. For the expression to match there must be an engine accepting something like While the idea of compound operators sounded promising at first, I haven't been able to find any operator where the In conclusion, I think the odds of opening us up to an attack are slim (even if there were an exploit, it doesn't seem to be widely known) and I think we should remove the expression. Thanks @NiceYouKnow, these kinds of issues are so hard to find and we really need the support of CRS users to help us improve the quality of the rules. |
Describe the bug
There may be a problem with [\"'`]\s+and\s*?=\W in the 942310 rule. You can view this part in the /util/regexp-assemble/regexp-942310.data file. By analyzing the regularity, There can only be
\sbetween [\"'`] andand, and\wcannot be after and, such as" and =;, but I check related payloads such as:AND 1=1 AND '%'='Unable to be hit, more related payloads can refer to:https://github.com/payloadbox/sql-injection-payload-list ,
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/ .
Maybe I didn’t find the corresponding detection payload, let’s take a look at it together~
Steps to reproduce
Expected behaviour
Actual behaviour
Additional context
Your Environment
CRS version v3.4/dev
The text was updated successfully, but these errors were encountered: