Hello

We are running a payment system used by webshops. Now one new client gets a 403, and I want to find out why so I can help the client configure their shop correctly. The modsec logs tell me which rule is triggered, but I can't read out what data the client sends in. This only happens with this new client, so I will not modify my ruleset. I just need to assist our client, who is obviously doing something wrong.

   [22/Jul/2014:13:10:37 +0200] U85GrQpABwsAAGYtLgkAAAAC 10.64.7.5 49941 10.64.7.11 443
   --ed091d42-B--
   POST /webshophtml/e/auth.php HTTP/1.1
   Host: our.payment.net
   Connection: keep-alive
   Content-Length: 951
   Cache-Control: max-age=0
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
   Origin: http://client_webshop.se
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
   Content-Type: application/x-www-form-urlencoded
   Referer: http://client_webshop.se/checkout.php?sl=0&st=0
   Accept-Encoding: gzip,deflate,sdch
   Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4
   Cookie: _jss_popform_1524_count=1; _jss_pstor=id%3Dda15bb533c3296281a7a3bad96266f93%3Afi%3D1404769754%3Ali%3D1404770148%3Aic%3D5%3Avc%3D1%3Anc%3D9f3d16019cf6fe2b%3A19f22ab828ca19a9cac8b0eed51911c0; __utma=188767033.1851339114.1404769702.1404769702.1404769702.1; __utmz=188767033.1404769702.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
   X-Forwarded-For: #.#.#.#

   --ed091d42-F--
   HTTP/1.1 403 Forbidden
   Content-Length: 224
   Keep-Alive: timeout=5, max=100
   Connection: Keep-Alive
   Content-Type: text/html; charset=iso-8859-1

   --ed091d42-E--

   --ed091d42-H--
   Message: Access denied with code 403 (phase 2). Pattern match "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\ ..." at REQUEST_COOKIES:_jss_pstor.
   [file "sec_rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"]
   [msg "SQL Injection Attack: SQL Tautology Detected."]
   [data "Matched Data: d=d found within REQUEST_COOKIES:_jss_pstor: id=da15bb533c3296281a7a3bad96266f93:fi=1404769754:li=1404770148:ic=5:vc=1:nc=9f3d16019cf6fe2b:19f22ab828ca19a9cac8b0eed51911c0"]
   [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"]
   [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
   Action: Intercepted (phase 2)
   Apache-Handler: php5-script
   Stopwatch: 1406027437541081 3150 (- - -)
   Stopwatch2: 1406027437541081 3150; combined=1945, p1=330, p2=1581, p3=0, p4=0, p5=33, sr=99, sw=1, l=0, gc=0
   Response-Body-Transformed: Dechunked
   Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.7.
   Server: Apache
   Engine-Mode: "ENABLED"

Regards
Peter Haraldson
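To see exactly what the client sends and why rule 950901 fires on it, here is an added Python snippet (not part of this message or of the CRS) that URL-decodes the Cookie header from the audit log above and runs a simplified reconstruction of the first branch of the quoted pattern against each cookie value. The regex is an assumption, since the log truncates the real pattern and the possessive quantifiers are replaced by plain ones; it reports `_jss_pstor` with the match `d=d`, the same Matched Data the [data] field shows: the `d` ending `id` and the `d` starting the hex value, joined by the decoded `=`.

```python
import re
from urllib.parse import unquote

# Cookie header copied from section B of the audit log above.
COOKIE_HEADER = (
    "_jss_popform_1524_count=1; "
    "_jss_pstor=id%3Dda15bb533c3296281a7a3bad96266f93%3Afi%3D1404769754"
    "%3Ali%3D1404770148%3Aic%3D5%3Avc%3D1%3Anc%3D9f3d16019cf6fe2b"
    "%3A19f22ab828ca19a9cac8b0eed51911c0; "
    "__utma=188767033.1851339114.1404769702.1404769702.1404769702.1; "
    "__utmz=188767033.1404769702.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
)

# Simplified reconstruction (an assumption, not the CRS source) of the first
# alternative of the rule 950901 pattern quoted in the log: optional quote or
# whitespace noise, a word, an equality-style operator, then a back-reference
# to the same word, i.e. the "x=x" shape of a SQL tautology. The real pattern
# is longer and uses possessive quantifiers (++), replaced here by plain +.
NOISE = "[\\s'\"`\u00b4\u2019\u2018()]*?"
TAUTOLOGY = re.compile(
    "(" + NOISE + r")([\d\w]+)(" + NOISE + ")"
    + r"(?:=|<=>|r?like|sounds\s+like|regexp)(" + NOISE + r")\2",
    re.IGNORECASE,
)

def parse_cookies(header):
    """Split a Cookie header into {name: value}, URL-decoding values: the
    [data] field in the log shows ModSecurity inspecting the decoded form."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = unquote(value)
    return cookies

def cookie_tautology_hits(header):
    """Return [(cookie_name, matched_text)] for each cookie value the simplified
    pattern flags, mirroring the 'Matched Data' reported in the log."""
    hits = []
    for name, value in parse_cookies(header).items():
        m = TAUTOLOGY.search(value)
        if m:
            hits.append((name, m.group(0)))
    return hits

if __name__ == "__main__":
    for name, text in cookie_tautology_hits(COOKIE_HEADER):
        print(f"{name}: matched {text!r}")
```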
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set