SQLi id:942100, false positive on combination of two chars
Issue originally created by user landergate on 2017-06-05 21:24:18. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/794
Any thought on why two Cyrillic symbols “ор” could trigger this rule? It happens in different conditions near other symbols, but could not happen at all with other symbols.
And what would be the best approach without omitting rules at all?
login=Игорь
It’s a legit Cyrillic first name, pronounced as “Igor”.
--5b64322c-C--
login=%D0%98%D0%B3%D0%BE%D1%80%D1%8C&password=anyatall&ga_code=&ajax=1
--5b64322c-F--
HTTP/1.1 403 Forbidden
Content-Length: 225
Connection: close
Content-Type: text/html; charset=iso-8859-1
--5b64322c-E--
--5b64322c-H--
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: \x183>**L**"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: \x183>**L**"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1496644942566002 7540 (- - -)
Stopwatch2: 1496644942566002 7540; combined=6861, p1=334, p2=6523, p3=0, p4=0, p5=4, sr=39, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"
--5b64322c-Z--
login=дор
Just experimenting with “ор” combination.
--16fcc269-C--
login=%D0%B4%D0%BE%D1%80&password=anyatall&ga_code=&ajax=1
--16fcc269-F--
HTTP/1.1 403 Forbidden
Content-Length: 225
Connection: close
Content-Type: text/html; charset=iso-8859-1
--16fcc269-E--
--16fcc269-H--
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: 4>@"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: 4>@"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1496645017148596 7412 (- - -)
Stopwatch2: 1496645017148596 7412; combined=6783, p1=344, p2=6434, p3=0, p4=0, p5=4, sr=39, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"
--16fcc269-Z--
login=ббббббор
--f8b1cd4c-C--
login=%D0%B1%D0%B1%D0%B1%D0%B1%D0%B1%D0%B1%D0%BE%D1%80&password=anyatall&ga_code=&ajax=1
--f8b1cd4c-F--
HTTP/1.1 403 Forbidden
Content-Length: 225
Connection: close
Content-Type: text/html; charset=iso-8859-1
--f8b1cd4c-E--
--f8b1cd4c-H--
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: 111111>@"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: 111111>@"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1496697502659417 7008 (- - -)
Stopwatch2: 1496697502659417 7008; combined=6410, p1=273, p2=6132, p3=0, p4=0, p5=5, sr=38, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"
--f8b1cd4c-Z--
login=Симафор
Not triggering
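As an added example (not code from the issue, its commenters, or the CRS project): a small Python triage helper for audit-log H sections like the three above. It parses the `Message:` lines, pulls out the rule id, the libinjection fingerprint, the matched target and the value the rule actually evaluated (in the CRS logdata that value is the argument after the rule's transformations, which is why `дор` shows up as `4>@` and fingerprints as `1ov`, i.e. number, operator, variable), counts how often each rule fired, and derives the narrowest runtime exclusion for each (rule, target) pair. The sample input is constructed from the `дор` case, with trailing `[tag ...]` fields dropped; `SecRuleUpdateTargetById` is a real ModSecurity 2.x directive, the rest of the names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the three "Message:" lines of the audit-log H section for
# the "дор" request, with the trailing [tag ...] fields dropped for brevity.
SAMPLE_H_SECTION = r"""
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: 4>@"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"]
Message: Warning. detected SQLi using libinjection with fingerprint '1ov' [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1ov found within ARGS:login: 4>@"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"]
"""

# [name "value"] fields; values in ModSecurity messages may carry backslash escapes.
BRACKET_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# libinjection reports its token fingerprint in single quotes before the fields.
FINGERPRINT = re.compile(r"fingerprint '([^']+)'")
# CRS logdata shape: "Matched Data: <match> found within <COLLECTION[:key]>: <transformed value>"
MATCHED = re.compile(
    r"Matched Data: (?P<match>.*?) found within (?P<target>[A-Z_]+(?::[^\s:]+)?): (?P<value>.*)$"
)


def parse_messages(h_section):
    """Turn each 'Message:' line into a dict with id, msg, severity, fingerprint, target, value."""
    events = []
    for line in h_section.splitlines():
        if not line.startswith("Message:"):
            continue
        fields = dict(BRACKET_FIELD.findall(line))  # repeated keys (tag) collapse, which is fine here
        event = {
            "id": fields.get("id"),
            "msg": fields.get("msg"),
            "severity": fields.get("severity"),
            "fingerprint": None,
            "target": None,
            "value": None,
        }
        fp = FINGERPRINT.search(line)
        if fp:
            event["fingerprint"] = fp.group(1)
        m = MATCHED.search(fields.get("data", ""))
        if m:
            event["target"] = m.group("target")   # e.g. ARGS:login
            event["value"] = m.group("value")     # what the operator saw after transformations
        events.append(event)
    return events


def rule_hit_counts(events):
    """How often each rule id appears; two CRITICAL hits of 5 explain 'Total Score: 10'."""
    return Counter(e["id"] for e in events)


def exclusion_candidates(events):
    """One runtime exclusion per (rule, target) pair that produced a match.

    Removing a single target from a rule keeps the rule active for every other
    parameter, which is narrower than disabling the rule id outright.
    """
    pairs = sorted({(e["id"], e["target"]) for e in events if e["target"]})
    return [f'SecRuleUpdateTargetById {rule_id} "!{target}"' for rule_id, target in pairs]


if __name__ == "__main__":
    evs = parse_messages(SAMPLE_H_SECTION)
    for e in evs:
        print(e["id"], e["fingerprint"], e["target"], repr(e["value"]))
    print(dict(rule_hit_counts(evs)))
    print("\n".join(exclusion_candidates(evs)))
```

Run over a real audit log the exclusion list is only a starting point for answering the "without omitting rules" question: `!ARGS:login` stops the login field from being scored by 942100 while the rule keeps inspecting everything else. It does not address why the bytes libinjection evaluated (`4>@`) differ from the bytes the user sent; it just contains the damage for that one parameter.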
Top GitHub Comments
User dune73 commented on 2020-03-04 08:06:21:
Decision during the CRS project chat on March 2, 2020: dune73 will get in touch with the libinjection project to try and get things moving again.
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1683#issuecomment-593584538
User AirisX commented on 2019-05-29 14:41:12:
Some words about CP1251 mapping.
The Unicode table contains a special range for Cyrillic characters: 0400 - 04FF (https://unicode-table.com/en/blocks/cyrillic/). They are used in many languages whose writing is based on them. But as for the Russian language, this range is much narrower: 0410 - 044F, and two characters outside this range are 0401 (letter “Ё”) and 0451 (small letter “ё”). Thus, I think the correct filling of the CP1251 mapping looks like this:
0410:c0 0411:c1 0412:c2 0413:c3 0414:c4 0415:c5 0416:c6 0417:c7 0418:c8 0419:c9 041a:ca 041b:cb 041c:cc 041d:cd 041e:ce 041f:cf 0420:d0 0421:d1 0422:d2 0423:d3 0424:d4 0425:d5 0426:d6 0427:d7 0428:d8 0429:d9 042a:da 042b:db 042c:dc 042d:dd 042e:de 042f:df 0430:e0 0431:e1 0432:e2 0433:e3 0434:e4 0435:e5 0436:e6 0437:e7 0438:e8 0439:e9 043a:ea 043b:eb 043c:ec 043d:ed 043e:ee 043f:ef 0440:f0 0441:f1 0442:f2 0443:f3 0444:f4 0445:f5 0446:f6 0447:f7 0448:f8 0449:f9 044a:fa 044b:fb 044c:fc 044d:fd 044e:fe 044f:ff 0401:a8 0451:b8
Using this mapping for a payload with Russian characters will not lead to a false positive in the example with “Игорь”.
But code page 1251 also contains characters of the Ukrainian, Bulgarian and Belarusian alphabets. Such as ї, Ї, і, І and so on (see http://ascii-table.com/codepage.php?1251). They also need to be added to the mapping.
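An added example, not AirisX's or the CRS project's code, that checks the list above and produces the entries the comment says are still missing. It uses Python's built-in `cp1251` codec as the reference table, reconstructs the 66 listed pairs from the ranges the comment gives, verifies them against the codec, and then emits every code point in U+0400..U+04FF that CP1251 can represent in the `XXXX:yy` pair notation the comment uses (the entry format of ModSecurity's unicode.mapping file). That last step goes beyond the comment: it covers the Ukrainian and Belarusian letters it names (ї, Ї, і, І) and the rest of the CP1251 Cyrillic repertoire in one pass, instead of adding letters by hand.

```python
# The pairs listed in the comment, rebuilt from the ranges it gives:
# U+0410..U+044F -> 0xC0..0xFF in order, plus Ё (U+0401 -> 0xA8) and ё (U+0451 -> 0xB8).
LISTED = {
    **{cp: 0xC0 + (cp - 0x0410) for cp in range(0x0410, 0x0450)},
    0x0401: 0xA8,
    0x0451: 0xB8,
}

# Letters the comment says still need adding; used here only as a spot check.
EXTRA_LETTERS = "ЇїІі"


def cp1251_entry(ch):
    """(unicode code point, CP1251 byte) for one character, or None if CP1251 cannot encode it."""
    try:
        encoded = ch.encode("cp1251")
    except UnicodeEncodeError:
        return None
    return (ord(ch), encoded[0])


def build_mapping(chars):
    """Mapping {code point: byte} for every char in `chars` that CP1251 can encode."""
    mapping = {}
    for ch in chars:
        entry = cp1251_entry(ch)
        if entry is not None:
            mapping[entry[0]] = entry[1]
    return mapping


def verify_listed():
    """Pairs from the comment that disagree with the codec; empty dict means the list is right."""
    mismatches = {}
    for code_point, byte in LISTED.items():
        actual = cp1251_entry(chr(code_point))
        if actual != (code_point, byte):
            mismatches[code_point] = (byte, actual)
    return mismatches


def full_cyrillic_block():
    """Every code point of the Unicode Cyrillic block (U+0400..U+04FF) that CP1251 encodes."""
    return build_mapping(chr(cp) for cp in range(0x0400, 0x0500))


def format_entries(mapping):
    """Render as 'XXXX:yy' pairs, lowercase hex, sorted by code point."""
    return " ".join(f"{cp:04x}:{byte:02x}" for cp, byte in sorted(mapping.items()))


if __name__ == "__main__":
    print("mismatches in the listed pairs:", verify_listed())
    print("spot check:", format_entries(build_mapping(EXTRA_LETTERS)))
    print(format_entries(full_cyrillic_block()))
```

Two things the output makes visible: the listed pairs agree with the codec, and the full block is noticeably larger than 66 entries because CP1251 also carries Serbian and Macedonian letters (Ђ, Љ, Њ, Џ and their lowercase forms) in its 0x80..0x9F area. Which of those a deployment needs depends on the languages it serves; a mapping that omits a letter is exactly what turns a legitimate name into bytes the detector reads as operators.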