diff --git a/regex-assembly/942151.ra b/regex-assembly/942151.ra
index 611a28a1e..d1dfd5015 100644
--- a/regex-assembly/942151.ra
+++ b/regex-assembly/942151.ra
@@ -3,4 +3,7 @@
 ##!+ i
-##!> include sql-injection-function-names
+##!^ \b
+##!$ \W*\(
+
+##!> include-except sql-injection-function-names sql-injection-function-names-fps-pl1
diff --git a/regex-assembly/942152.ra b/regex-assembly/942152.ra
index 611a28a1e..850f5456c 100644
--- a/regex-assembly/942152.ra
+++ b/regex-assembly/942152.ra
@@ -3,4 +3,7 @@
 ##!+ i
+##!^ \b
+##!$ \W*\(
+
 ##!> include sql-injection-function-names
diff --git a/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra b/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra
new file mode 100644
index 000000000..f5a352ea7
--- /dev/null
+++ b/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra
@@ -0,0 +1,16 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list excludes command words that are prone to cause false positives
+##! at paranoia level 1.
+
+convert
+degrees
+elt
+left
+likelihood
+lower
+position
+quarter
+space
+unlikely
diff --git a/regex-assembly/include/sql-injection-function-names.ra b/regex-assembly/include/sql-injection-function-names.ra
index 91b47bf80..d5e367e8d 100644
--- a/regex-assembly/include/sql-injection-function-names.ra
+++ b/regex-assembly/include/sql-injection-function-names.ra
@@ -1,9 +1,6 @@
 ##! Please refer to the documentation at
 ##! https://coreruleset.org/docs/development/regex_assembly/.
-##!^ \b
-##!$ \W*\(
-
 adddate
 addtime
 aes_decrypt
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index b7f74adaa..b1be24652 100644
--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
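Review bot: The `##!^ \b` and `##!$ \W*\(` anchors are removed from the shared include and duplicated verbatim into 942151.ra here and into 942152.ra in the next hunk, so the contract of sql-injection-function-names silently changes for every consumer: any other assembly file that includes it now receives bare function names with no word boundary and no trailing `(`, and a later edit to one of the two copies can drift from the other without anyone noticing. The include hunk further down in this diff removes the anchors but leaves the file header saying nothing about who is now responsible for them. Consider recording the new contract in that header, e.g. `##! Bare function names only: the including rule file must supply the \b prefix and the \W*\( suffix.`, so that a future include of this list does not ship an unanchored alternation.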
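Review bot: The header of the new exclude file describes its entries as "command words", but the ten entries are SQL function names taken out of sql-injection-function-names, and the header does not say where those names are still detected once they drop out of 942151. Since 942152.ra keeps the unfiltered include, the names stay covered by that rule; stating this makes the reduced coverage of 942151 a deliberate, reviewable trade-off rather than something a reader has to reconstruct from the other hunks. Suggested wording: `##! This list excludes function names that are prone to cause false positives at paranoia level 1; they remain detected by rule 942152.`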
@@ -107,7 +107,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942151 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo
)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert_tz)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|s_(?:de|en)crypt)|ump)|e(?:n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(
?:_text)?|length))?|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|insert|object(?:_(?:agg|keys))?|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|east|i(?:kely|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2))|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:lygon|w)|rocedure_analyse)|qu(?:ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp))|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \ "id:942151,\ phase:2,\ block,\ diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml index cd940dd78..4a20df3e1 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml @@ -1,6 +1,6 @@ --- meta: - author: "Christian Folini, azurit" + author: "Christian Folini, azurit, Franziska Bühler" description: Various SQL injection tests rule_id: 942151 tests: 
@@ -17,7 +17,7 @@ tests: port: 80 uri: "/post" data: "var=foo'||(select extractvalue(xmltype('%tocob;" - version: HTTP/1.0 + version: HTTP/1.1 output: log: expect_ids: [942151] @@ -34,7 +34,7 @@ tests: port: 80 uri: "/post" data: "var=/config.txt' (select load_file('\\\\\\\\unittests.coreruleset.org\\\\zow')) '" - version: HTTP/1.0 + version: HTTP/1.1 output: log: expect_ids: [942151] @@ -51,7 +51,7 @@ tests: port: 80 uri: "/post" data: "var=(select load_file('\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\unitests.corerule'||'set.org\\\\\\\\\\\\\\\\hvs'))" - version: HTTP/1.0 + version: HTTP/1.1 output: log: expect_ids: [942151] @@ -68,12 +68,12 @@ tests: port: 80 uri: "/post" data: "var=, FIND_IN_SET('22', Category )" - version: HTTP/1.0 + version: HTTP/1.1 output: log: expect_ids: [942151] - test_id: 5 - desc: "SQL injection using 'likelihood' function" + desc: "SQL injection using 'substring' function" stages: - input: dest_addr: 127.0.0.1 @@ -84,8 +84,8 @@ tests: method: POST port: 80 uri: "/post" - data: "email=1'%20%2B%201%20is%20likelihood(0.0%2C0.0)%20is%201--" - version: HTTP/1.0 + data: "email=%27%20AND%20SUBSTRING%28%28SELECT%20Password%20FROM%20Users%20WHERE%20Username%20%3D%20%27Administrator%27%29%2C%201%2C%201%29%20%3E%20%27m" + version: HTTP/1.1 output: log: expect_ids: [942151] @@ -102,7 +102,7 @@ tests: port: 80 uri: "/post" data: "email=admin%40example.com'%20or%20sqlite_compileoption_used%20(id)--" - version: HTTP/1.0 + version: HTTP/1.1 output: log: expect_ids: [942151] @@ -119,7 +119,7 @@ tests: port: 80 uri: "/post" data: "email=admin%40example.com'and%20not%20sqlite_compileoption_get%20(id)--" - version: HTTP/1.0 + version: HTTP/1.1 output: log: expect_ids: [942151] @@ -135,7 +135,7 @@ tests: method: GET port: 80 uri: "/get/index.php?id=starts_with(password,'a')::int" - version: HTTP/1.0 + version: HTTP/1.1 output: log: expect_ids: [942151] 
@@ -151,7 +151,7 @@ tests: method: GET port: 80 uri: "/get/index.php?id=jsonb_pretty(...(1,password)::jsonb)::int" - version: HTTP/1.0 + version: HTTP/1.1 output: log: expect_ids: [942151] @@ -167,7 +167,7 @@ tests: method: GET port: 80 uri: "/get/index.php?id=...(json_build_object(1,password)::jsonb)::int" - version: HTTP/1.0 + version: HTTP/1.1 output: log: expect_ids: [942151] 
@@ -183,7 +183,194 @@ tests: method: GET port: 80 uri: "/get/index.php?id=unistr(password)::int" - version: HTTP/1.0 + version: HTTP/1.1 output: log: expect_ids: [942151] + - test_id: 12 + desc: "False positive with elt (" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "payload=Weitere überlieferte Bezeichnungen sind Harsle (1319), Crucesignati in Herslo (1475) und Haßelt (1599)." + version: HTTP/1.1 + output: + log: + no_expect_ids: [942151] + - test_id: 13 + desc: "False positive with left (" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "payload=Left (WA, RR), following wood edge south (‘Restrictive Byway’/RB) for ½ mile to Pangfield Farm (564719)." + version: HTTP/1.1 + output: + log: + no_expect_ids: [942151] + - test_id: 14 + desc: "False positive with quarter (" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "payload=One quarter (24%) of people have had an affair and cheated on a partner at some point in their lives, according to results released today." 
+ version: HTTP/1.1 + output: + log: + no_expect_ids: [942151] + - test_id: 15 + desc: "False positive with space (" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "payload=You can choose between front up to maximise space (ideal for art and drawing), left up (for right handed users) and right up (for left handed users)." + version: HTTP/1.1 + output: + log: + no_expect_ids: [942151] + - test_id: 16 + desc: "False positive with likelihood (" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: 'payload=A maximum of the likelihood function occurs at the same parameter-value as a maximum of the logarithm of the likelihood (the "log likelihood"), because the logarithm is an increasing function.' + version: HTTP/1.1 + output: + log: + no_expect_ids: [942151] + - test_id: 17 + desc: "False positive with lower (" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "payload=Below the rank of species he sometimes recognized taxa of a lower (unnamed) rank ; these have since acquired standardised names such as variety in botany and subspecies in zoology." 
+ version: HTTP/1.1 + output: + log: + no_expect_ids: [942151] + - test_id: 18 + desc: "False positive with convert (" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "payload=Grasshopper v1.0 made its eighth, and final, test flight on October 7, 2013, flying to an altitude of convert (0.46 miles) before making its eighth successful VTVL landing." + version: HTTP/1.1 + output: + log: + no_expect_ids: [942151] + - test_id: 19 + desc: "False positive with position (" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "payload=In older texts printed down to c. 1630, v was used in initial position (even when it represented a vowel, e.g. in vt, later printed ut) and u was used elsewhere, e.g. in nouus, later printed novus." + version: HTTP/1.1 + output: + log: + no_expect_ids: [942151] + - test_id: 20 + desc: "False positive with degrees (" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "payload=The measures of the interior angles of the triangle always add up to 180 degrees (same color to point out they are equal)." 
+ version: HTTP/1.1 + output: + log: + no_expect_ids: [942151] + - test_id: 21 + desc: "False positive with unlikely (" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "payload=There are numerous causes of asystole that may be reversible if determined quickly enough, however, survival is very unlikely (~2% if not in a hospital)." + version: HTTP/1.1 + output: + log: + no_expect_ids: [942151] + - test_id: 22 + desc: "False positive with left, (" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "payload=The script is written from right to left, (Lal 1966) and sometimes follows a boustrophedonic style." + version: HTTP/1.1 + output: + log: + no_expect_ids: [942151]
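Review bot: Test 5's original positive payload for 'likelihood' is replaced by a SUBSTRING case rather than relocated, and this diff does not touch a 942152 test file, so the names now excluded from 942151 (likelihood, elt, left, lower, …) appear to lose their only positive regression stage; consider moving the old `data: "email=1'%20%2B%201%20is%20likelihood(0.0%2C0.0)%20is%201--"` stage into the 942152 suite with `expect_ids: [942152]` so that the exclusion is verified to shift detection rather than drop it. Separately, test 12's payload only reaches `elt (` through "Haßelt (1599)", which presumably matches because `\b` treats the multibyte ß as a non-word character rather than because "elt" stands alone; the desc could say so, e.g. `desc: "False positive with elt ( following a non-ASCII letter (Haßelt)"`, so the case is not later "fixed" as a typo and the multibyte boundary behaviour stays covered.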