Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

SQLi id:942100, false positive on combination of two chars

See original GitHub issue

_Issue originally created by user landergate on date 2017-06-05 21:24:18. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/794._

Any thought on why two cyrillic symbols “ор” could trigger this rule? It happens in different conditions near other symbols, but could not happen at all with other symbols.

And what would be the best approach without omitting rules at all?

login=Игорь

It’s a legit cyrillic first name, pronounced as “Igor”.

--5b64322c-C--
login=%D0%98%D0%B3%D0%BE%D1%80%D1%8C&password=anyatall&ga_code=&ajax=1
--5b64322c-F--
HTTP/1.1 403 Forbidden
Content-Length: 225
Connection: close
Content-Type: text/html; charset=iso-8859-1

--5b64322c-E--

--5b64322c-H--
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: \x183>**L**"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: \x183>**L**"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1496644942566002 7540 (- - -)
Stopwatch2: 1496644942566002 7540; combined=6861, p1=334, p2=6523, p3=0, p4=0, p5=4, sr=39, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"

--5b64322c-Z--

login=дор

Just experimenting with “ор” combination.

--16fcc269-C--
login=%D0%B4%D0%BE%D1%80&password=anyatall&ga_code=&ajax=1
--16fcc269-F--
HTTP/1.1 403 Forbidden
Content-Length: 225
Connection: close
Content-Type: text/html; charset=iso-8859-1

--16fcc269-E--

--16fcc269-H--
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: 4>@"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: 4>@"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1496645017148596 7412 (- - -)
Stopwatch2: 1496645017148596 7412; combined=6783, p1=344, p2=6434, p3=0, p4=0, p5=4, sr=39, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"

--16fcc269-Z--

login=ббббббор

--f8b1cd4c-C--
login=%D0%B1%D0%B1%D0%B1%D0%B1%D0%B1%D0%B1%D0%BE%D1%80&password=anyatall&ga_code=&ajax=1
--f8b1cd4c-F--
HTTP/1.1 403 Forbidden
Content-Length: 225
Connection: close
Content-Type: text/html; charset=iso-8859-1

--f8b1cd4c-E--

--f8b1cd4c-H--
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: 111111>@"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: 111111>@"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1496697502659417 7008 (- - -)
Stopwatch2: 1496697502659417 7008; combined=6410, p1=273, p2=6132, p3=0, p4=0, p5=5, sr=38, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"

--f8b1cd4c-Z--

login=Симафор

Not triggering

Issue Analytics

State:
Created 3 years ago
Comments:23

Top GitHub Comments

1reaction

CRS-migration-botcommented, May 13, 2020

User dune73 commented on date 2020-03-04 08:06:21:

Decision during the CRS project chat on March 2, 2020: dune73 will get in touch with the libinjection project to try and get things moving again.

https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1683#issuecomment-593584538

1reaction

CRS-migration-botcommented, May 13, 2020

User AirisX commented on date 2019-05-29 14:41:12:

Some words about CP1251 mapping.

Unicode table contains a special range for Cyrillic characters. This is 0400 - 04FF (https://unicode-table.com/en/blocks/cyrillic/). They are used in many languages, the writing of which is based on them. But as for the Russian language, this range is much narrower: 0410 - 044F and two characters outside this range are 0401 (letter “Ё”) and 0451 (small letter “ё”). Thus, I think the correct filling of CP1251 mapping looks like this:

0410:c0 0411:c1 0412:c2 0413:c3 0414:c4 0415:c5 0416:c6 0417:c7 0418:c8 0419:c9 041a:ca 041b:cb 041c:cc 041d:cd 041e:ce 041f:cf 0420:d0 0421:d1 0422:d2 0423:d3 0424:d4 0425:d5 0426:d6 0427:d7 0428:d8 0429:d9 042a:da 042b:db 042c:dc 042d:dd 042e:de 042f:df 0430:e0 0431:e1 0432:e2 0433:e3 0434:e4 0435:e5 0436:e6 0437:e7 0438:e8 0439:e9 043a:ea 043b:eb 043c:ec 043d:ed 043e:ee 043f:ef 0440:f0 0441:f1 0442:f2 0443:f3 0444:f4 0445:f5 0446:f6 0447:f7 0448:f8 0449:f9 044a:fa 044b:fb 044c:fc 044d:fd 044e:fe 044f:ff 0401:a8 0451:b8

Using this mapping for payload with russian characters will not lead to a false positive in example with “Игорь”.

But code page 1251 also contains characters of the Ukrainian, Bulgarian and Belarusian alphabets. Such as ї, Ї, і, І and so on (see http://ascii-table.com/codepage.php?1251). They also need to be added to the mapping.

Top Results From Across the Web

SQLi id:942100, false positive on combination of two chars #794

Any thought on why two cyrillic symbols "ор" could trigger this rule? It happens in different conditions near other symbols, but could not ......

False Positive Mitigation for SQL Injection signatures

1. Go to Web Protection > Known Attacks > Signatures. 2. Select the signature policy to open the edit panel.

Handling False Positives with the OWASP ModSecurity Core ...

So, I went and created false positives from scratch in my browser. With the Core Rule Set 2.2.x, this would have been simple,...

Interpreting IBM Security AppScan findings for IBM Business ...

Blind SQL Injection (type: false_positive): This is a false positive. The following parameters in the AppScan findings are not used in SQL ...

Detecting and Removing Web Application Vulnerabilities with ...

applications; 2) a combination of taint analysis and data mining techniques to identify vulnerabilities with low false positives; 3) a tool that implements ......