Hey Richard, I've seen things CLOSE to this in production. Sites where they've attempted to use prepared statements to secure a location where the variable injected in a table name. Of course prepared statements are designed for this environment and will fail miserably. But this accounts for a situation where all of the following except the word select is true. Granted it's unusual.
From: <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org>> on behalf of Richard Lin <hongping...@hotmail.com<mailto:hongping...@hotmail.com>> Date: Wednesday, February 10, 2016 at 7:31 PM To: "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: [Owasp-modsecurity-core-rule-set] Need suggestion for a SQLI pattern Hi folks, I just joined the lists one day ago. And would like to seek the opinions of dealing with a SQLI pattern verdict-ed differently between regex rules and libinjection. http://test.com?id=select<http://scanmail.trustwave.com/?c=4062&d=pNy71nQ6my89hadbculWPuIrswrAlseaEkF1b2C_pA&s=5&u=http%3a%2f%2ftest%2ecom%3fid%3dselect> a from table b. I did not make SQLI "select a from table b" as URL encoded for easier discussion here. Basically, libinjection does not consider this string as SQLI although its SQLI pattern is so obvious. Libinjection considers the SQL injections are typically in the context of select * from table where id =%input with or without injection% >From libinjection point of view, the input of "select a from table b" is >unable to join the above statement with correct SQL syntax. But if we just use >regex rules, this input is so easy to marked as SQLI. I would like to seek the >opinion in this group. Do you think the request as "http://test.com?id=select >a from table >b.<http://scanmail.trustwave.com/?c=4062&d=pNy71nQ6my89hadbculWPuIrswrAlseaEhJ6aGfioQ&s=5&u=http%3a%2f%2ftest%2ecom%3fid%3dselect%20a%20from%20table%20b>" > would cause really SQL injection successful in SQL syntax in any site? Thanks Richard ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
