Vlad SuperList
Issue originally created by user csanders-git on 2016-07-27 23:17:21. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/457
Rule 942180 evaluation:
We are first evaluating the first alternative of this rule: (?:(?i:\d[\"']\s+["‘]\s+\d)
The author of the rule did not leave any indication of its use but we can guess some things from some examples.
5" " 5
6’ ’ 6
Etc.
This is actually a very weird oddity of SQL, @attackercan. The general formula one might expect to see is as follows:
SELECT * FROM
xyz WHERE serialized = '$USER_INT';
It turns out the following is also valid SQL:
SELECT * FROM
xyz WHERE serialized = '1''1'
But really SQL will evaluate almost anything. For instance:
SELECT * FROM
xyz WHERE serialized = '1''hey'
In these weird cases, the system doesn’t return anything additional, it’s as if it just forgets about the extra but hey, that doesn’t matter it may be used for determining if there is SQL injection.
Alright so here's the short and skinny. It seems that ANYTHING can be included after EXCEPT a number in the first digit. Now there are some false positives for valid SQL that we will incur by saying \D (like .5 and -5 are not valid).
The suggested Regex is:
(?:\d[\"']\s*?["']\D)
Examples:
SELECT * FROM x
WHERE serialized
= ‘1’ ’ 5’
SELECT * FROM x
WHERE serialized
= ‘1’ ‘5’
SELECT * FROM x
WHERE serialized
= ‘1’ ‘test’
SELECT * FROM x
WHERE serialized
= ‘1’ ’ test’
SELECT * FROM x
WHERE serialized
= ‘1’ ’ ’
SELECT * FROM x
WHERE serialized
= ‘1’ ‘’
SELECT * FROM x
WHERE serialized
= ‘1’‘’
This is likely to have HIGH false positives and therefore should be in PL 3 or 4 since 942180 is already in PL2
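As an added example (not code from the issue or from the CRS project), the following Python compares the first alternative of the current 942180 expression with the proposed replacement over the issue's examples and the false-positive shapes it mentions. It assumes both quote character classes reduced to ASCII " and ' (the other quote characters did not survive in the issue text), and uses parse_qsl as a stand-in for the rule's decoded ARGS target.

```python
import re
from urllib.parse import parse_qsl

# Assumption: quote classes reduced to ASCII " and '.
ORIGINAL_ALT1 = re.compile(r'(?i)\d["\']\s+["\']\s+\d')   # first alternative of 942180
PROPOSED = re.compile(r'\d["\']\s*?["\']\D')              # replacement suggested in the issue


def classify(value: str) -> dict:
    """Report which of the two patterns fire on a single argument value."""
    return {
        "original": ORIGINAL_ALT1.search(value) is not None,
        "proposed": PROPOSED.search(value) is not None,
    }


def scan_query_string(qs: str) -> list:
    """Mimic the rule's ARGS target: decode every argument value and return
    the names of the arguments the proposed pattern flags."""
    return [name for name, value in parse_qsl(qs, keep_blank_values=True)
            if PROPOSED.search(value)]


# Constructed samples: the literal after `serialized =` in the issue's examples,
# the two false-positive shapes the issue mentions (.5 and -5), and benign values.
# Each value maps to (original fires, proposed fires).
SAMPLES = {
    "'1' ' 5'":    (True,  True),
    "'1' '5'":     (False, False),  # digit right after the second quote: \D rejects it
    "'1' 'test'":  (False, True),
    "'1' ' test'": (False, True),
    "'1' ' '":     (False, True),
    "'1' ''":      (False, True),
    "'1'''":       (False, True),
    "'1' '.5'":    (False, True),   # false positive the issue accepts
    "'1' '-5'":    (False, True),   # false positive the issue accepts
    "'12'":        (False, False),
    "O'Neil 5":    (False, False),
}

if __name__ == "__main__":
    for value, expected in SAMPLES.items():
        got = classify(value)
        print(f"{value!r:14} original={got['original']!s:5} proposed={got['proposed']!s:5}")
    # Constructed request: only `name` carries the concatenated-literal shape.
    print(scan_query_string("id=1&name=%271%27%20%27test%27&q=hello"))
```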
Top GitHub Comments
User attackercan commented on 2016-07-28 09:36:51:
Rule 921120
Full description of found problem here: https://github.com/netty/netty/issues/5535
Proposition looks good

User csanders-git commented on 2016-07-29 15:17:12:
Add new rule 920270 to CRS 2.x for backwards compatibility
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 1-255"