coreruleset · dune73 · Sep 4, 2023 · Sep 1, 2023
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -1335,6 +1335,14 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
 # 0/**/union/*!50000select*/table_name`foo`/**/
 # -------------------------
 #
+# The chained rule is designed to prevent false positives by specifically
+# targeting JWT tokens. Starting with 'ey' targets JWT tokens, where the 'ey'
+# prefix corresponds to the beginning of the Base64-encoded header section.
+#
+# example:
+# $ echo '{"' | base64
+# eyIK
+#
 # Regular expression generated from regex-assembly/942440.ra.
 # To update the regular expression run the following shell script
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
@@ -1359,7 +1367,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     ver:'OWASP_CRS/4.0.0-rc1',\
     severity:'CRITICAL',\
     chain"
-    SecRule MATCHED_VARS "!@rx ^ey[A-Z-a-z0-9-_]+[.]ey[A-Z-a-z0-9-_]+[.][A-Z-a-z0-9-_]+$" \
+    SecRule MATCHED_VARS "!@rx ^ey[a-zA-Z0-9_-]+[.]ey[a-zA-Z0-9_-]+[.][a-zA-Z0-9_-]+$" \
         "t:none,\
         setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"