Hi all, I am seeing quite a lot of false positives on SQL injection errors.
One of them is rule 981242, which is objecting to a cookie:

test=asfnsdh2fub9tl6gt0mand504

with the regex:

(\"|'|`|´|’|‘)\s*x?or|div|like|between|and\s*(\"|'|`|´|’|‘)?\d

matching on "and5".

1) Is the regex missing some grouping? As written it seems that (x)or is being treated differently than div/like/between/and, i.e. the (x)or case requires one of the quote characters before it while the others don't. Should that part of the regex be:

(\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)\s*(\"|'|`|´|’|‘)?\d

2) Should "and" being followed directly by a number, without space or a quote, be a match? On my SQL server (Postgres) I think "and5" would be a syntax error (as opposed to "and'5" or "and 5"). Would:

(\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)(?:(\"|'|`|´|’|‘)|\s+(\"|'|`|´|’|‘)?)\d

be a tighter match?

Paul

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
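The three regexes from the post, run side by side against the reported cookie and a few constructed probes so the grouping and spacing differences can be seen. This is an added example, not code from the post or from the CRS project; the sample strings other than the cookie are constructed, and CRS transformations such as lowercasing are not modelled.

```python
import re

# Rule 981242 as quoted in the post. The alternation is ungrouped, so
# "div", "like" and "between" match bare, and "and" needs no leading quote.
ORIGINAL = re.compile(
    r"""(\"|'|`|´|’|‘)\s*x?or|div|like|between|and\s*(\"|'|`|´|’|‘)?\d"""
)

# Proposal 1 from the post: group the keywords so every branch requires
# a leading quote character.
GROUPED = re.compile(
    r"""(\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)\s*(\"|'|`|´|’|‘)?\d"""
)

# Proposal 2 from the post: additionally require a quote or at least one
# whitespace character between the keyword and the digit.
TIGHTER = re.compile(
    r"""(\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)(?:(\"|'|`|´|’|‘)|\s+(\"|'|`|´|’|‘)?)\d"""
)

PATTERNS = {"original": ORIGINAL, "grouped": GROUPED, "tighter": TIGHTER}


def evaluate(value: str) -> dict:
    """Return, for each pattern, the substring it matches in value, or None."""
    result = {}
    for name, pattern in PATTERNS.items():
        m = pattern.search(value)
        result[name] = m.group(0) if m else None
    return result


# Constructed samples: the cookie from the post plus probes for each branch.
SAMPLES = [
    "test=asfnsdh2fub9tl6gt0mand504",  # reported false positive ("and5")
    "' or 1=1",                        # classic quoted keyword, all should hit
    "'and5",                           # quote, keyword, digit with no separator
    "'and'5",                          # quote, keyword, quote, digit
    "divide",                          # bare keyword, no quote at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hits = evaluate(sample)
        print(f"{sample!r:36} " + "  ".join(f"{k}={v!r}" for k, v in hits.items()))
```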
