Thank you Chris…

As I looked further at this I came to the same conclusion on the ARG NAME and the data field, though I didn't quite get the finding in the data field.
I'll have to go back and look at the previous section for the complete message.

Again,
Thank you
-=Steve
From: Christian Bockermann <ch...@jwall.org>
Date: Tuesday, March 5, 2013 10:57 AM
To: Stephen Canell <stephen.e.can...@jpl.nasa.gov>
Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Injection

Hi Steve!

On 05.03.2013 at 19:20, "Canell, Stephen E (1734)" <stephen.e.can...@jpl.nasa.gov> wrote:

The following in ARGS: is being identified as SQL Injection:
TAOP01U10RhvxuuKxxempg01U10monamzy1
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*(x?or|div|like|between|and)\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)$)|(?:(?:^[(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x ..." at ARGS:TAOP01U10RhvxuuKxxempg01U10monamzy1. [file "/usr/local/apache2/conf/extra/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "565"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "7 Andr"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]

The "TAOP01U10RhvxuuKxxempg01U10monamzy1" string is NOT detected as SQL injection, but simply the name of the PARAMETER that contains the malicious data. The data that triggers your rule is

       "7 Andr"

which you can see in the [data "7 Andr"] part of the rule message.

The problem is probably that the regex of the rule has something like

     ...|div|like|between|and)\\s*...

which says "something with 'and' followed by ANY number of whitespaces". Unfortunately "ANY" also includes 0. So "andr" matches "and" followed by 0 whitespaces and the "r" probably matches some of the rest of the complex regex.

I hope that makes sense :-)

Best regards,
    Chris
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
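Both points in Chris's reply, reading the parameter NAME and the matched VALUE out of the ModSecurity message, and checking how a keyword followed by `\s*` over-matches a benign value, as an added Python example that is not from the thread or the CRS project. The message is a constructed copy of the one quoted above with the rule regex elided, and LOOSE/TIGHT are simplified stand-ins for the rule fragment Chris quotes, not the actual 981242 regex (which the log truncates).

```python
import re

# Constructed copy of the ModSecurity message from the thread; the long
# rule regex is elided and the third tag dropped for brevity.
MESSAGE = (
    'Message: Access denied with code 403 (phase 2). Pattern match "(?i:...)" '
    'at ARGS:TAOP01U10RhvxuuKxxempg01U10monamzy1. '
    '[file "/usr/local/apache2/conf/extra/modsecurity/'
    'modsecurity_crs_41_sql_injection_attacks.conf"] [line "565"] [id "981242"] '
    '[msg "Detects classic SQL injection probings 1/2"] [data "7 Andr"] '
    '[severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"]'
)

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] blocks
TARGET_RE = re.compile(r'" at (\w+):(\S+?)\. \[')        # '... at COLLECTION:name. ['


def parse_message(msg):
    """Split a ModSecurity 'Message:' line into the variable it matched on
    (collection + parameter NAME) and the [key "value"] fields; the matched
    VALUE is the [data "..."] field, not the text after 'at ARGS:'."""
    parsed = {}
    target = TARGET_RE.search(msg)
    if target:
        parsed["collection"], parsed["param"] = target.group(1), target.group(2)
    for key, val in FIELD_RE.findall(msg):
        if key == "tag":                      # tags repeat, so keep all of them
            parsed.setdefault("tags", []).append(val)
        else:
            parsed[key] = val
    return parsed


# Constructed, simplified stand-in for the fragment Chris quotes: a keyword
# followed by "any number" of whitespace characters (\s*, which includes
# zero) and then something else. Not the real 981242 regex.
KEYWORDS = r"(x?or|div|like|between|and)"
LOOSE = re.compile(r"(?i)" + KEYWORDS + r"\s*\S")
# Tightened variant: the keyword must be a whole word, so "Andr" no longer
# satisfies the "and" alternative while "and '" still does.
TIGHT = re.compile(r"(?i)\b" + KEYWORDS + r"\b\s*\S")


def keyword_hits(value, pattern=LOOSE):
    """Return every substring of VALUE that PATTERN matches ([] if none)."""
    return [m.group(0) for m in pattern.finditer(value)]


if __name__ == "__main__":
    hit = parse_message(MESSAGE)
    print(f'rule {hit["id"]} on {hit["collection"]}:{hit["param"]} value={hit["data"]!r}')
    for v in (hit["data"], "1' and '1'='1"):
        print(repr(v), "loose:", keyword_hits(v), "tight:", keyword_hits(v, TIGHT))
```

Run against a corpus of known-good parameter values before and after a regex change, this is the check that tells you whether a tweak removes the false positive without losing the real hits.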