FP dotnet asp.net entity framework id 942440
Description
When using the dotnet asp.net entity framework, it provides the user browser with an identity cookie. This identity cookie has a ‘--’ character in it and the cookie is dynamic, hence it changes value. This is a false positive recognized as SQL injection.
Documentation link: https://docs.aspnetzero.com/en/common/v8.0.0/Security-Report-Core#sql-injection
Audit Logs / Triggered Rule Numbers
The HTTP request:
GET / HTTP/1.1
Cache-Control: max-age=0
Connection: close
Accept: text/html
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,nl;q=0.8
Cookie: ConsentCookie=yes; IdentityCookie=CfDJ8BGSX_N7N4dKqDpBB_gwolQ28ikQ14XrfTQhyRFBF5oz_ZTQGCvlJ9qpKRbw4it3EyIwb7qiU7wOiG4gezsXXzh6Y_118q60U-xy02q-HHI_9Dgk4iqfHlV3LtCk7Vo-CM-uPJ9vGnIETLbjIrFx2FMSrmCXgNyKGWVM8-Jr2Ln-OBGailaFcOmP4Bif8--pYtOKfhaL3zbi54A1PZa_t6l8Dh42gNE98vEt4Gv5jY88Kpawll0QZ7kwcuKYYYSjfHXKBlak4FYLzGYK69qjpjdjFqDRnTs9Yf9a9aTPSfXir4H5pJ5SjA1zJCoEmvaTlpibkpj4vJ4Zmx90B7YeHQtiGjvF83hRf3fxASWaK3gHoWqsnlaiuOmeAjC64MPIjFGm_25IpjyDENyZzY3JcZ3XpOThFBKbgTsk5lrrdL8qWwbLYFNA-FIElH-VLlG995u_ngZi6ijLSq_1obicrwkzRlo1hduvVmQ6TloTTBwaLDBXii1leAzK9vhsNs0h0rcL3PhjsVEFQyyt4cVCPlHdHOdjL4xeuLUi3f4Di-85eOp8yXc0i2yRZyJvjsTA8jqa1sQqcZBsNz7V2RTTrsf2beNXAbRPkjjm1amgcBB9ItDrYWehBxSCMhCkIERa_PCdKVqdOzSwonN4cZqxz-5BkCjdNCXXSF6XIhilFKJZ2PqHCPh-lP7H73gi71GS-Q0acmKJ9uoAN7RIRJKtdatuYDHAEq_wthxX7f_2A1JvF5JhtEwseR72Wyuwp09XxI0HZRDrPXwR3e0yHkrDmzKrz_wayv4NFf3bz_gKiKlYFIgK_OfCqE51DH37SrODr5USIe7oVE6GSsDUf43cnWnqx6KYUVS4A0-c0mWm9MTdmpisLfH7QxQOvXuNA6XlHiAt8_XVA6CmInkt0tbxrAIYhLwrf1sAvbO35oZuyd2uF0wZf1Drksq9HXrb34a_0r_6s_W8mXihzXd9wi1YHoDUF8GdaFWTZxt0Gfioc_GPxt3fiKm60-NmwHBAl0FTkw1BRhVRzTP3e-GbIUwa-aeDIi2vCkfzTnsTr5PKl51TPa2BRcRBWS7SjKTNOw44AA
sec-ch-ua-platform: "Windows"
The CSR log:
Message: Access denied with code 403 (phase 2). Pattern match "(?:/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|--[^-]*?-|[^&-]#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" at REQUEST_COOKIES:IdentityCookie. [file "D:\/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1207"] [id "942440"] [msg "SQL Comment Sequence Detected"] [data "Matched Data: --pYtOKfhaL3zbi54A1PZa_t6l8Dh42gNE98vEt4Gv5jY88Kpawll0QZ7kwcuKYYYSjfHXKBlak4FYLzGYK69qjpjdjFqDRnTs9Yf9a9aTPSfXir4H5pJ5SjA1zJCoEmvaTlpibkpj4vJ4Zmx90B7YeHQtiGjvF83hRf3fxASWaK3gHoWqsnlaiuOmeAjC64MPIjFGm_25IpjyDENyZzY3JcZ3XpOThFBKbgTsk5lrrdL8qWwbLYFNA- found within REQUEST_COOKIES:IdentityCookie: CfDJ8BGSX_N7N4dKqDpBB_gwolQ28ikQ14XrfTQhyRFBF5oz_ZTQGCvlJ9qpKRbw4it3EyIwb7qiU7wOiG4gezsXXzh6Y_118q60U-xy02q-HHI_9Dgk4iqfHlV3LtCk7Vo-CM-uPJ9vGnIETLbjIrFx2FMSrmCXgNyKGWVM8-Jr2Ln-OBGailaFcOmP4Bif8--pYtOKf..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-
Action: Intercepted (phase 2)
Apache-Handler: IIS
Stopwatch: 1644237045888241 0 (- - -)
Stopwatch2: 1644237045888241 0; combined=0, p1=0, p2=0, p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for IIS (STABLE)/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.3.0.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"
Triggered CSR rule number: 942440
Your Environment
- OWASP ModSecurity Core Rule Set ver.3.3.0
- ModSec 2.9.4
- Webserver: IIS 10.0.17763.1
- OS: Windows Server 2019
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Issue Analytics
- State:
- Created 2 years ago
- Comments: 5 (3 by maintainers)
Top GitHub Comments
Thank you very much for the great explanation @RedXanadu, I understand it better now.
I don’t think this is something that can be “fixed” in the original rule.
Rule 942440 is looking for bypass attempts using SQL comments, which can look `--like this`. If you have cookies containing random base64url encoded content then eventually you will cause a rule like 942440 to match, with content like `--abcdef-`
Rule exclusions are a fact of life. To properly tune a ModSecurity + CRS-based WAF then rule exclusions are almost always required in some fashion. The trick is to be as restrictive as possible: only exclude specific parameters from specific rules and for specific locations, where appropriate. (You could even test parameters before excluding them, in some scenarios, too: “Is this parameter the length we expect it to be?” etc.)
The problem with a bad cookie (one that causes CRS rules to match in error) is that it will probably be sent with every request for every location from the client with that bad cookie. This means restricting a rule exclusion to a specific location isn’t possible: the bad cookie can turn up anywhere on the web application/site. This leaves us with the possibility of excluding the specific cookie in question (`IdentityCookie`, in this case) from the specific rule in question (rule 942440). This is a reasonable compromise to make, if the alternative is that a random selection of clients unlucky enough to get a “bad random cookie” find themselves being blocked and have a poor user experience (or worse, it causes pressure to switch off or remove the WAF completely: a WAF with exclusions in place is better than a WAF that’s been disabled).

The alternative would be to disable rule 942440 in its entirety (i.e. `SecRuleRemoveById 942440`), which would definitely work, but would be an unacceptable sacrifice of security, in my opinion. To use such a directive would be an overreaction, at the very least.
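The narrow exclusion described in that comment, written out as an added example (it is not from the issue thread, and it is not CRS project code). It assumes the cookie name IdentityCookie from the report, that rule id 10001 is free in the local configuration, and that 200 to 2048 characters is a length range measured on the application's own identity cookies; adjust both to your deployment.

```apache
# Added example: two ways to exclude ONLY the IdentityCookie value from ONLY rule 942440.
# Use one of them, not both. Nothing else in the request is exempted from any rule.

# Option A: configure-time target removal.
# SecRuleUpdateTargetById modifies an already-defined rule, so this line must be loaded
# AFTER the CRS rule files (in CRS 3.x: RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
SecRuleUpdateTargetById 942440 "!REQUEST_COOKIES:IdentityCookie"

# Option B: conditional runtime exclusion ("test the parameter before excluding it").
# The ctl action only affects rules evaluated later in the same transaction, so this
# rule must be loaded BEFORE the CRS rule files (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf).
# The target is dropped only when the cookie value looks like a base64url token of the
# expected length (assumed range 200-2048); any other value is still inspected by 942440.
SecRule REQUEST_COOKIES:IdentityCookie "@rx ^[A-Za-z0-9_-]{200,2048}$" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveTargetById=942440;REQUEST_COOKIES:IdentityCookie"
```

Option B is the more restrictive of the two: a value that is too short, too long, or contains characters outside the base64url alphabet does not get the exemption, so the cookie is still checked in exactly the cases where it no longer looks like something the framework issued.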