Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

SecRuleUpdateTargetByTag modify SQL Injection rule doesn't work.

See original GitHub issue

Description

Hello!

We added the following custom mod security rules to whm cpanel.

SecRuleUpdateTargetByTag 'OWASP_CRS/WEB_ATTACK/SQL_INJECTION' REQUEST_BODY

From documentation the rule above search for the rules with tag OWASP_CRS/WEB_ATTACK/SQL_INJECTION and it will append to it on VARIABLES the REQUEST_BODY. So it will append the REQUEST_BODY to https://github.com/coreruleset/coreruleset/blob/v4.0/dev/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf like |REQUEST_BODY in this way the rule will look in the raw body part, finds the sql and blocks the request.

SecRule REQUEST_BODY "@detectSQLi" \
    "id:101010,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\
    msg:'SQL Injection Attack Detected via libinjection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    multiMatch,\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"

The should second rule blocks the request on body parsing when in the data-row the sql is injected.

After adding each custom rule we test it using this curl:

curl 'https://****.com/request' \

  -H 'authority: [test.com](http://test.com/)' \

  -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \

  -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8' \

  -H 'cache-control: max-age=0' \

  -H 'content-type: application/x-www-form-urlencoded' \

  -H 'cookie: test' \

  -H 'origin: https://test.com/' \

  -H 'referer: https://test.com/request' \

  -H 'sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"' \

  -H 'sec-ch-ua-mobile: ?0' \

  -H 'sec-ch-ua-platform: "macOS"' \

  -H 'sec-fetch-dest: document' \

  -H 'sec-fetch-mode: navigate' \

  -H 'sec-fetch-site: same-origin' \

  -H 'sec-fetch-user: ?1' \

  -H 'upgrade-insecure-requests: 1' \

  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/[105.0.0.0](http://105.0.0.0/) Safari/537.36' \

  --data-raw 'var=\"unittests@coreruleset.org\"')) and (select*from(select(sleep(5)))x) --' \

[This is from the documentation used by the library for testing: https://github.com/coreruleset/coreruleset/blob/v4.0/dev/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml#L242 The mod security with owasp works as expected on args from url/cookies but not on body. To understand it better the body didn’t need parsing as based on the owasp documentation we know that if the content-type header is containing urlencoded (you can see in the request) then the rule can look over the body and of --data-raw without parsing.

Unfortunately the rules didn’t block the request. Based on this please let us know why it’s not working as expected.

Your Environment

CRS version (e.g., v3.2.0): Come back with the version
Paranoia level setting: Come back with the level
ModSecurity version (e.g., 2.9.3): Come back with the version
Web Server and version (e.g., apache 2.4.41): apache 2
Operating System and version: linux

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

Issue Analytics

State:
Created a year ago
Comments:6 (4 by maintainers)

Top GitHub Comments

1reaction

airweencommented, Sep 11, 2022

Hi @seanScoompy,

based on your report I assume you use OWASP CRS 3.2. This version contains the mentioned tag by rules 942NNN.

I also added your rule 101010 above, and added SecRuleTargetByTag directive too, before the rules.

Then I sent this request:

$ cat 2775.txt 
var=\"unittests@coreruleset.org\"')) and (select*from(select(sleep(5)))x) --

$ curl -v -X POST -d @2775.txt -H "Content-Type: application/x-www-form-urlencoded" "http://localhost/dump.php"

After that, I got these results:

[Sun Sep 11 21:30:38.471171 2022] [:error] [pid 49182] [client ::1:37786] [client ::1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's)&(E' [file "/home/airween/src/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"] [line "338"] [id "101010"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s)&(E found within REQUEST_BODY: var=\\x5c\\x22unittests@coreruleset.org\\x5c\\x22')) and (select*from(select(sleep(5)))x) --"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/dump.php"] [unique_id "Yx43Xq-AsGPxApfU9oyTXQAAAAA"]

[Sun Sep 11 21:30:38.481366 2022] [:error] [pid 49182] [client ::1:37786] [client ::1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's)&(E' [file "/home/airween/src/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "67"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s)&(E found within ARGS:var: \\x5c\\x22unittests@coreruleset.org\\x5c\\x22')) and (select*from(select(sleep(5)))x) --"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/dump.php"] [unique_id "Yx43Xq-AsGPxApfU9oyTXQAAAAA"]

[Sun Sep 11 21:30:38.481571 2022] [:error] [pid 49182] [client ::1:37786] [client ::1] ModSecurity: Warning. Pattern match "(?i:sleep\\\\(\\\\s*?\\\\d*?\\\\s*?\\\\)|benchmark\\\\(.*?\\\\,.*?\\\\))" at ARGS:var. [file "/home/airween/src/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "128"] [id "942160"] [msg "Detects blind sqli tests using sleep() or benchmark()."] [data "Matched Data: sleep(5) found within ARGS:var: \\x5c\\x22unittests@coreruleset.org\\x5c\\x22')) and (select*from(select(sleep(5)))x) --"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "localhost"] [uri "/dump.php"] [unique_id "Yx43Xq-AsGPxApfU9oyTXQAAAAA"]

I think this is what you expect. Your rule triggered with REQUEST_BODY.

...[id "101010"] ... [data "Matched Data: s)&(E found within REQUEST_BODY: var=\\x5c\\x22unittests@coreruleset.org\\x5c\\x22')) and (select*from(select(sleep(5)))x) --"]

Please check your config again, and make sure, the SecRuleUpdateTargetByTag is before any rules.

1reaction

airweencommented, Sep 11, 2022

Hi @seanScoompy,

Thanks for reporting.

It would be nice to see yor logs after added te modification above, eg. which other rule triggered.

Top Results From Across the Web

False Positives and Tuning :: Core Rule Set Documentation

When a genuine transaction causes a rule from the Core Rule Set to match in error it is described as a false positive....

Handling False Positives with the OWASP ... - netnea

Afterwards, I published a couple of articles about SQL injections and then ... of the way: Doesn't disabling rules actually lower the security...

[Owasp-modsecurity-core-rule-set] Remove Cookie inspection ...

[Owasp-modsecurity-core-rule-set] Remove Cookie inspection for SQL injection ... And using the Anomaly scoring method I couldn't work out how to update

piwik and CRS v3 · Issue #388 · SpiderLabs/owasp ... - GitHub

942370: Detects classic SQL injection probings 2/2 ... What I don't understand is why it doesn't work when I try this (for the...

Submit form forbidden when Enabling modsecurity crs sql ...

... totally secure site that doesn't work isn't that useful, and some modificiations of the CRS (and in particular the SQL Injection rules) ......