Improved version of #2568 by terjanq · Pull Request #2603 · coreruleset/coreruleset · GitHub

Improved version of #2568 #2603


Merged (13 commits), Jun 10, 2022

Conversation

@terjanq (Contributor) commented May 26, 2022

This is an experimental PR to improve the false-positive rate of #2568. The rule is split into 3 parts:

#942520 - blocks SQL auth bypasses with expressions resulting in low false-positive rates.
#942521 - adds expressions for detecting (and|or) preceded by an odd number of quotes.
#942522 - adds an expression for detecting a bypass of #942521 with escaped quotes.

PL2 942520

The expressions below were proven to yield very few false positives.

##! All tests below are prefixed with [\"'`]\s*?

is\s+not\b
##! all sqlite not smth from https://www.sqlite.org/lang_expr.html
not\s+(?:like|glob|between|null|in|regexp|match)\b
##! sql operators
[|&<>*\/%=^+-]
##! common operators that can't be added to 942120.data
(?:mod|div)\b
sounds\s+like\b

PL2 942521

This is a quite expensive regular expression for detecting an odd number of quotes. It uses the principle of b*a*(b*a*b*a*)*, which is a formal definition of an odd number of a's. It's a chained rule that will only capture the first word after the odd number of quotes and then check if it's (and|or). This rule doesn't cause ReDoS, but it might be quite expensive, as the test server sometimes times out for the input ".'"*9800+"or". I added two smaller performance tests (~1k quotes). It should take linearly many steps with respect to the number of input characters. link.

This should only be an expensive expression for malicious payloads with lots of quotes.

^[^']*?(?:'[^']*?'[^']*?)*?'\s*(\w+)\b
^[^"]*?(?:"[^"]*?"[^"]*?)*?"\s*(\w+)\b
^[^`]*?(?:`[^`]*?`[^`]*?)*?`\s*(\w+)\b

PL2 942522

This rule is quite simple. It will detect if there is any sequence of an escaped quote (\') followed by '?(and|or). Without this rule #942521 could be easily bypassed.

"@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b"
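
As an added example (not code from this PR or from the CRS project), the three rule parts described above re-implemented with Python's re module and run over constructed samples, so the capture-then-chain behaviour of 942521 and the even-quote bypass that 942522 closes can be seen directly. It assumes the chained and/or check is case-insensitive and that the three rules are evaluated independently; the `\/` in the operator class is written as a plain `/`.

```python
import re

# 942520: a quote followed by an operator that is rare in benign input.
# The PR lists the alternatives behind the common prefix [\"'`]\s*?
RX_942520 = re.compile(
    r"""["'`]\s*?(?:is\s+not\b"""
    r"""|not\s+(?:like|glob|between|null|in|regexp|match)\b"""
    r"""|[|&<>*/%=^+-]"""  # the PR writes \/ in the class; same characters
    r"""|(?:mod|div)\b|sounds\s+like\b)""",
    re.IGNORECASE,
)

# 942521: one pattern per quote character; group 1 captures the first word
# after an odd number of that quote.  The chained second link (assumed here
# to be case-insensitive) only checks that captured word against and/or.
_ODD_QUOTES = r"^[^Q]*?(?:Q[^Q]*?Q[^Q]*?)*?Q\s*(\w+)\b"
RX_942521 = [re.compile(_ODD_QUOTES.replace("Q", q)) for q in ("'", '"', "`")]
RX_942521_CHAIN = re.compile(r"and|or", re.IGNORECASE)

# 942522: an escaped quote (\x5c is the backslash), optionally another quote,
# then and/or.  This closes the even-quote-count bypass of 942521.
RX_942522 = re.compile(r"""^.*?\x5c['"`](?:.*?['"`])?\s*(?:and|or)\b""",
                       re.IGNORECASE)


def odd_quote_words(payload: str) -> list[str]:
    """Words captured by the first link of 942521, one per quote type."""
    return [m.group(1) for rx in RX_942521 if (m := rx.search(payload))]


def evaluate(payload: str) -> list[str]:
    """Ids of the rules from the PR that fire on `payload`, in rule order."""
    hits = []
    if RX_942520.search(payload):
        hits.append("942520")
    if any(RX_942521_CHAIN.fullmatch(w) for w in odd_quote_words(payload)):
        hits.append("942521")
    if RX_942522.search(payload):
        hits.append("942522")
    return hits


if __name__ == "__main__":
    # Constructed samples: two classic probes, the escaped-quote bypass, and
    # two benign strings that contain quotes.
    for sample in ("admin' OR 1=1--", "1' = '1", "\\'' or 1=1",
                   "x='1' and y='2'", "it's a normal sentence"):
        print(f"{sample!r:26} 942521 captures {odd_quote_words(sample)!r:8}"
              f" -> {evaluate(sample)}")
```

The benign samples show why the chain matters: `x='1' and y='2'` captures `1`, not `and`, so 942521 stays quiet, while `\'' or 1=1` has an even quote count and is only caught by 942522.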

@lifeforms (Member) commented:

This is looking great, thank you! :)

@lifeforms lifeforms merged commit 85e2a01 into coreruleset:v4.0/dev Jun 10, 2022