Description
Hello,
I'm facing a false positive issue with rule id 942440 (Detect SQL Comment Sequences).
If the value is a domain name converted into Punycode (IDNA encoding), the regular expression matches it as a SQL comment sequence.
E.g., if the value is "Bücher.example", it is converted into "xn--bcher-kva.example". This typically occurs in email addresses.
Information about IDNA encoding can be found here:
https://en.wikipedia.org/wiki/Internationalized_domain_name#Example_of_IDNA_encoding
How to reproduce the misbehavior
curl -H "X-Format-Output: txt-matched-rules" -H "x-crs-paranoia-level: 2" https://sandbox.coreruleset.org/?domain=xn--bcher-kva.example
Logs
942440 PL2 SQL Comment Sequence Detected
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=5, XSS=0, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
Your Environment
- Azure Application Gateway
- Web Application Firewall
- Tier: WAF V2
- WAF status: Enabled
- WAF mode: Prevention
- Rule set: OWASP 3.2
- Advance rule configuration: Disabled
Confirmation
- I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
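The collision the report describes can be reproduced offline. The following script is an added example, not code from the reporter or from the CRS project: `SQL_COMMENT_RE` is a deliberately simplified stand-in for the comment-sequence pattern of rule 942440 (the real regex is more elaborate), and the function names (`to_punycode`, `is_idna_label`, `classify`) and the sample inputs are constructed for illustration. It shows that IDNA encoding of "Bücher.example" yields the "xn--" ACE prefix, why a "--" matcher fires on it, and one way an exclusion could distinguish a label that decodes as valid IDNA from a genuine comment sequence, including the case where an injection is appended after a valid Punycode label.

```python
import re

# Simplified stand-in for the comment-sequence detection of CRS rule 942440.
# This is NOT the rule's real regex (which is far more elaborate); it only
# covers the classic SQL comment openers, including the "--" that also appears
# in every Punycode (ACE) label prefix "xn--".
SQL_COMMENT_RE = re.compile(r"--|#|/\*|\*/")

# Candidate hostname labels: letters, digits and hyphens (LDH rule), max 63 chars.
LABEL_RE = re.compile(r"[A-Za-z0-9-]{1,63}")


def to_punycode(domain: str) -> str:
    """IDNA-encode a Unicode domain name, e.g. 'Bücher.example' -> 'xn--bcher-kva.example'.

    Python's built-in idna codec applies nameprep (which lowercases) and
    prefixes every non-ASCII label with 'xn--'.
    """
    return domain.encode("idna").decode("ascii")


def is_idna_label(label: str) -> bool:
    """True if label is a well-formed ACE label ('xn--' + valid Punycode).

    The idna codec raises UnicodeError when the Punycode payload is invalid
    or does not round-trip, so arbitrary text after 'xn--' is rejected.
    """
    if not label.lower().startswith("xn--") or not LABEL_RE.fullmatch(label):
        return False
    try:
        label.encode("ascii").decode("idna")
    except UnicodeError:
        return False
    return True


def comment_sequence_hits(value: str) -> list:
    """Every comment-sequence match in value, as (start, end) spans."""
    return [(m.start(), m.end()) for m in SQL_COMMENT_RE.finditer(value)]


def classify(value: str) -> str:
    """Explain a 942440-style hit on value.

    Returns 'clean' (no comment sequence), 'false_positive' (every hit lies
    inside a label that decodes as valid IDNA) or 'sql_comment' (at least one
    hit is outside a valid ACE label, so the alert stands).
    """
    hits = comment_sequence_hits(value)
    if not hits:
        return "clean"
    ace_spans = [
        (m.start(), m.end())
        for m in LABEL_RE.finditer(value)
        if is_idna_label(m.group(0))
    ]
    for h_start, h_end in hits:
        inside_ace = any(s <= h_start and h_end <= e for s, e in ace_spans)
        if not inside_ace:
            return "sql_comment"
    return "false_positive"


if __name__ == "__main__":
    # Constructed inputs (not from the issue's logs): the reporter's example,
    # an e-mail address carrying it, a real injection, and an injection that
    # tries to hide its comment behind a valid Punycode label.
    for sample in [
        to_punycode("Bücher.example"),
        "user@xn--bcher-kva.example",
        "1' OR 1=1 --",
        "xn--bcher-kva.example' -- ",
        "example.com",
    ]:
        print(f"{sample!r:40} -> {classify(sample)}")
```

The decode step matters: simply whitelisting anything that starts with "xn--" would let an attacker prefix a payload with those four characters, whereas requiring the label to decode as valid IDNA (and the hit to sit entirely inside such a label) keeps "xn--bcher-kva.example' -- " classified as a comment sequence.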