Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

SQLi using scientific notation not detected at PL1

See original GitHub issue

Description

New SQLi attack using scientific notation of numbers:

https://blog.h3xstream.com/2021/10/bypassing-modsecurity-waf.html

Author thinks libinjection should catch it, maybe better to catch it with regexp rules too.

We catch it just fine at PL2, but PL1 would be sweet.

curl localhost -d "foo=1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2"

Your Environment

CRS version (e.g., v3.2.0): CRS 3.4/dev
Paranoia level setting: PL1
ModSecurity version (e.g., 2.9.3): 2.9.4
Web Server and version (e.g., apache 2.4.41): Apache
Operating System and version: Ubuntu

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

Issue Analytics

State:
Created 2 years ago
Comments:11 (10 by maintainers)

Top GitHub Comments

1reaction

dune73commented, Dec 15, 2022

OK. We’re catching this at PL2 as is. Catching it at PL1 would have been cool, but there is no pressing need (as we catch it at PL2).

We’re unsure of FPs and any systematic FP tests will only be available after CRS4. I am closing this now to get rid of the deadlock. And if this pops up again in the future we have the necessary discussion and the link to a PoC rule here.

0reactions

fzipicommented, Dec 12, 2022

@dune73 @lifeforms More than one year. Is this relevant, are we going to do something, or we close it?