> On 04 Feb 2016, at 10:08, Christian Folini <christian.fol...@netnea.com> wrote:
>
> With that being said, the blogpost above showed me that libinjection
> is able to detect a great many SQLi and XSS attacks. But it is far
> from complete. (See blogpost for numbers.) So I think it is _one_ rule
> in a set of rules aimed to stop SQLi and XSS. Diversity is key.
>
> Also: a real-world SQL injection typically triggers a variety of
> anti-SQLi rules. With _only_ libinjection it would be a single critical
> alert.
I've done a little test drive with the CRS v3.0.0-rc1 rules today and the coverage of libinjection for MySQL is pretty complete actually!

When scanning a little vulnerable test app with the dev version of sqlmap in two configurations, (1) --random-agent and (2) --random-agent --dbms=mysql, the complete CRS v3.0.0-rc1 detected all attempts with mostly high anomaly scores.

Then I disabled all CRS v3's SQLi and XSS rules, except libinjection's @detectSQLi rule. Similarly, almost all attempts were detected just by libinjection alone! Out of 380 malicious requests, only the following examples were let through by libinjection:

    select * from foo where id=1,."'.""',)
    select * from foo where id=1'wqffhb<'">wweNuE
    select * from foo where id=1) WAITFOR DELAY '0:0:5' AND (9227=9227
    select * from foo where id=1 WAITFOR DELAY '0:0:5'
    select * from foo where id=1') WAITFOR DELAY '0:0:5' AND ('UUAn'='UUAn
    select * from foo where id=1' WAITFOR DELAY '0:0:5' AND 'AzTu'='AzTu
    select * from foo where id=1%' WAITFOR DELAY '0:0:5' AND '%'='

(WAITFOR DELAY is Microsoft SQL dialect, usable for blind injection. I'll try this again with a newer libinjection, and if necessary report it upstream.)

In summary, libinjection's sensitivity in detecting SQLi is already very impressive! So if we ever should find a large false positive rate in an SQLi rule in the future, we don't need to be too sentimental about that single rule, as the addition of libinjection in CRS v3 ensures that SQLi should start with a nice anomaly score already.

However, I agree with you completely that it's preferable to leave in any useful regexp-based rules that we have. I was just curious about libinjection since it was an unknown factor to me.

I'll comment on the individual rules later!

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp
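The layering the thread argues for (libinjection as one scoring rule among several, with the blocking decision made on the accumulated anomaly score) can be shown as a minimal ModSecurity configuration. The following is an added example written for this post; it is not CRS code and not anything Walter or Christian posted. The rule IDs 900000-900003, the variable names tx.anomaly_score, tx.critical_anomaly_score and tx.inbound_anomaly_score_threshold, and the regex in the second rule are assumptions made for the example; CRS 3 uses its own IDs and variables. The second rule covers the time-based probes (WAITFOR DELAY for MSSQL, plus SLEEP/BENCHMARK for MySQL and pg_sleep for PostgreSQL) that the test above showed libinjection alone letting through.

```apache
# Added example, not part of the thread or of the OWASP CRS.
# Assumed: ModSecurity 2.9+ with libinjection built in (@detectSQLi).
# Score variables and rule IDs below are placeholders for this example;
# a real CRS 3 deployment initialises its own in crs-setup.conf.
SecAction \
    "id:900000,phase:1,pass,nolog,\
    setvar:tx.critical_anomaly_score=5,\
    setvar:tx.inbound_anomaly_score_threshold=5,\
    setvar:tx.anomaly_score=0"

# Layer 1: libinjection's SQL tokenizer/fingerprint check over request data.
# It only adds to the score; it never blocks on its own.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/* "@detectSQLi" \
    "id:900001,\
    phase:2,\
    pass,\
    log,\
    t:none,t:urlDecodeUni,t:removeNulls,\
    msg:'SQL injection detected via libinjection',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'attack-sqli',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

# Layer 2: a narrow regex for time-based blind probes. This is the class of
# payload (WAITFOR DELAY '0:0:5') that slipped past libinjection in the test
# above, so it gets its own independent scoring rule. Regex is an assumption
# for this example, not a CRS pattern.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/* \
    "@rx (?i)(?:\bwaitfor\s+delay\s+['\"]|\bsleep\s*\(\s*\d|\bbenchmark\s*\(|\bpg_sleep\s*\()" \
    "id:900002,\
    phase:2,\
    pass,\
    log,\
    t:none,t:urlDecodeUni,t:removeNulls,t:compressWhitespace,\
    msg:'Time-based blind SQL injection probe',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'attack-sqli',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

# The blocking decision is made once, on the summed score. A request hitting
# both layers scores 10; one hitting only the regex layer still scores 5 and
# is blocked at this threshold, whereas with libinjection alone it would pass.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:900003,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'Inbound anomaly score exceeded (score %{tx.anomaly_score})'"
```

Both detection rules use `pass`, so a miss in one layer costs nothing and a hit in several layers raises the score, which is the point Christian makes about a real injection "triggering a variety of anti-SQLi rules". Tuning a false positive then means lowering one rule's contribution or excluding it for a specific parameter, not removing detection entirely.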
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set