On Wed, Aug 17, 2011 at 2:02 PM, Jason Haar <[email protected]> wrote:
> Me too - I'm seeing 981248 and 981173 trigger on cookies containing "7or"
> and "8Or" (ie "8or"). Sounds like there's a bunch of rules that are
> triggering on 3-char matches - that is waaaaay too small - the FP rate is
> guaranteed to be large!
>
> (I just joined today and the very first email I see is about the very
> problem I just joined the list about. Freaky)

The "trouble" from my perspective is it's difficult to determine
whether there is some nuance of SQL injection that the rules are
catering to that I'm not seeing.

For your example it's fairly easy to understand that "7or 1=1", "7or
true", "or'true'" etc. would be a problem, e.g. if SQL such as:
select * from thing where thingid=(variable)
were exploitable.

It's not immediately clear (to me) that "7or" is enough to trigger an
exploit but the worry that I'm just not seeing something makes me
reticent to modify rules.

At the moment I find it difficult to determine the specific intent
behind the more complex rules. Without an explanation of exactly what
they are supposed to catch (and why) it's difficult to know if they
are over-zealous.

Paul

>
> Jason
>
> On 17/08/11 15:34, Paul McGarry wrote:
>
> Hi all,
>
> I am seeing quite a lot of false positives on SQL injection errors.
>
> One of them is rule 981242 which is objecting to a cookie:
> test=asfnsdh2fub9tl6gt0mand504
> with the regex:
> (\"|'|`|´|’|‘)\s*x?or|div|like|between|and\s*(\"|'|`|´|’|‘)?\d
> matching on "and5"
>
> 1) Is the regex missing some grouping?
> As written it seems that (x)or is being treated differently than
> div/like/between/and, ie the (x)or case requires one of the quote
> characters before it while the others don't.
> Should that part of the regex be:
> (\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)\s*(\"|'|`|´|’|‘)?\d
>
> 2) Should "and" being followed directly by a number, without space or
> a quote, be a match?
> On my SQL server (Postgres) I think "and5" would be a syntax error (as
> opposed to "and'5" or "and 5").
> Would:
> (\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)(?:(\"|'|`|´|’|‘)|\s+(\"|'|`|´|’|‘)?)\d
> be a tighter match?
>
> Paul
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
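The question in the quoted post, whether the rule 981242 expression is missing a group and whether "and5" should count as a hit, can be settled by running the three regex variants side by side. The script below is an added example, not code from the thread or from the Core Rule Set. It applies the rule's original expression and Paul's two proposed rewrites, copied as they appear above, to the cookie value from the post plus a few constructed probe strings, using plain Python `re.search` with no ModSecurity transformations (the rule's own lowercasing or decoding steps are not reproduced, which is an assumption of this example).

```python
import re

# The three regex variants quoted in the thread: the rule's original
# expression and Paul's two proposed rewrites, copied as written.
PATTERNS = {
    "original": r"(\"|'|`|´|’|‘)\s*x?or|div|like|between|and\s*(\"|'|`|´|’|‘)?\d",
    "grouped":  r"(\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)\s*(\"|'|`|´|’|‘)?\d",
    "tighter":  r"(\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)(?:(\"|'|`|´|’|‘)|\s+(\"|'|`|´|’|‘)?)\d",
}

# The cookie value from the thread plus a few constructed probe strings.
COOKIE = "test=asfnsdh2fub9tl6gt0mand504"
PROBES = [
    COOKIE,
    "id=1' or 1=1",   # constructed: quote followed by OR, should stay a hit
    "q=5' and5",      # constructed: AND glued to a digit (the FP shape)
    "q=5' and '5",    # constructed: AND with whitespace and a quote
    "page=divide",    # constructed: harmless word that contains "div"
]


def first_match(variant, text):
    """Return the substring the named variant matches in text, or None.

    Plain re.search with no flags; ModSecurity's own transformations
    (e.g. lowercasing) are deliberately not reproduced here.
    """
    m = re.search(PATTERNS[variant], text)
    return m.group(0) if m else None


def compare(text):
    """Run all three variants over one string and return {variant: match}."""
    return {name: first_match(name, text) for name in PATTERNS}


if __name__ == "__main__":
    for probe in PROBES:
        print(repr(probe))
        for name, hit in compare(probe).items():
            print(f"  {name:9s} -> {hit!r}")
```

Because `|` binds loosest in a regex, the original expression is five independent alternatives: only the `x?or` branch requires a leading quote, while `div`, `like` and `between` match bare anywhere in the value and `and` needs only a trailing digit. That is why the cookie trips on "and5" and why "page=divide" also fires. Both rewrites require the quote character for every keyword; the tighter one additionally insists on a quote or at least one whitespace character between the keyword and the digit, so it drops "and5" while still matching "' or 1" and "' and '5".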