Re: [Owasp-modsecurity-core-rule-set] RegEx in CRS 3.0.2 942200 too broad?

2018-01-11 Thread Franziska Buehler
Hi Ken,

The regex is: ,.*?[)\da-f\"'`][\"'`][^\"'`]+
from: 
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.1/dev/util/regexp-assemble/regexp-942200.data#L3

What exactly matches from your quote is: , "to be, or not to be".
, from regex matches ,
.*? from regex matches  "to be, or not to b
[)\da-f\"'`] from regex matches e
[\"'`] from regex matches "
[^\"'`]+ from regex matches .

The following sentence would not match, because of the x instead of the e:
To quote William Shakespeare, "to be, or not to bx".

These are short examples which also match:
,"".
,2".
,a".

I have to admit that I don't have the expertise to fully understand
the sql injection covered with it.

The message of the rule is: msg:'Detects MySQL
comment-/space-obfuscated injections and backtick termination'.
The whole source of the rule is:

,.*?[)\da-f\"'`][\"'`][\"'`].*?[\"'`]
,.*?[)\da-f\"'`][\"'`]\Z
,.*?[)\da-f\"'`][\"'`][^\"'`]+
\Wselect.+\W*?from
select\s*?\(\s*?space\s*?\(
create\s*?\(\s*?space\s*?\(
rename\s*?\(\s*?space\s*?\(
truncate\s*?\(\s*?space\s*?\(
load\s*?\(\s*?space\s*?\(
alter\s*?\(\s*?space\s*?\(
delete\s*?\(\s*?space\s*?\(
update\s*?\(\s*?space\s*?\(
insert\s*?\(\s*?space\s*?\(
desc\s*?\(\s*?space\s*?\(

I don't see any checks for comment obfuscated injections here. We have
other rules which check for comments, for example: 942440.
I am also not sure if these checks for literally "spaces" are
originally intended?
I think this example shows us that we need to revise the sqli rules as a whole.

The rule is already on PL2 because of reported false positives.
In the meantime, I think we might consider moving the third or
maybe the first three lines of the source file to a stricter sibling
on PL3, or we wait for the revision of the sqli rules.

Franziska
___
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


Re: [Owasp-modsecurity-core-rule-set] RegEx in CRS 3.0.2 942200 too broad?

2018-01-10 Thread Christian Folini
Hi Ken,

We used to have ML problems, but it seems at least your message went through.
Hopefully OWASP HQ has fixed it for good.

I confirm the FP here and can only add that 942200 has been set to PL2
for causing FPs from time to time.

Franziska Bühler disassembled the regexes of the SQL rules, so you can
take a better look at the sources behind the performance optimized
regexes:

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.1/dev/util/regexp-assemble/regexp-942200.data

Maybe she can chime in here and add her thoughts on this rule.

Best,

Christian



-- 
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini


[Owasp-modsecurity-core-rule-set] RegEx in CRS 3.0.2 942200 too broad?

2018-01-10 Thread Ken Brucker
I've been looking at some false positives related to rule 942200.

Side note, I'm running CRS 3.0.2 but the rules still have a version 3.0.0 tag. 
I was surprised to see that.

Here's an exemplar from the audit file:

Message: Warning. Pattern match 
"(?i:(?:,.*?[)\\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\\Z|[^\"'`]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())"
 at ARGS:data[]. [file 
"/etc/httpd/modsecurity.d/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] 
[line "649"] [id "942200"] [rev "2"] [msg "Detects MySQL 
comment-/space-obfuscated injections and backtick termination"] [data "Matched 
Data: ,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570\x22] found within 
ARGS:data[]: [gallery columns=\x225\x22 size=\x22medium\x22 
ids=\x224953,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570\x22]"] [severity 
"CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag 
"application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag 
"attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag 
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag 
"PCI/6.5.2"] [tag "paranoia-level/2"]

After looking at this rule a bit, it will trigger on a string like:

To quote William Shakespeare, "to be, or not to be".

The first alternative in the regex matches a very broad range of text and seems 
far too general. Is this intentional? It looks like the intent is to capture 
variations on quoted numbers but it's going above and beyond.

The rule:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\Z|[^\"'`]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" \
"phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'8',\
capture,\
t:none,t:urlDecodeUni,\
block,\
msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',\
id:942200,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
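To make the analysis in this thread reproducible, here is an added Python example (not code from the CRS project or from any of the posters) that runs the 942200 regex from Ken's audit log, and separately each source line Franziska lists, against the strings discussed: the Shakespeare quote, its "bx" variant, the gallery shortcode from the audit log and the three short cases. The short line names, the constructed `ids="1,2"` input and the `fires_if_moved` helper (which models moving source lines to a stricter sibling, as Franziska suggests) are assumptions of this example, not part of the thread.

```python
import re

# Rule 942200 from CRS 3.0.2 as printed in the audit log (backslash doubling undone).
# Python's re accepts the scoped (?i:...) flag; the one semantic difference is \Z,
# which in PCRE also matches before a trailing newline, in Python only at the end.
RULE_942200 = re.compile(
    r"""(?i:(?:,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\Z|[^\"'`]+))"""
    r"""|(?:\Wselect.+\W*?from)"""
    r"""|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)"""
    r"""\s*?\(\s*?space\s*?\())"""
)

# The same rule as the distinct lines of regexp-942200.data quoted in the thread
# (the ten keyword lines collapsed into one); the short names are chosen here.
SOURCE_LINES = {
    "quote-quote-quote": r""",.*?[)\da-f\"'`][\"'`][\"'`].*?[\"'`]""",
    "quote-at-end":      r""",.*?[)\da-f\"'`][\"'`]\Z""",
    "quote-then-other":  r""",.*?[)\da-f\"'`][\"'`][^\"'`]+""",
    "select-from":       r"""\Wselect.+\W*?from""",
    "keyword-space":     r"""(?:select|create|rename|truncate|load|alter|delete"""
                         r"""|update|insert|desc)\s*?\(\s*?space\s*?\(""",
}
SOURCE_RES = {name: re.compile(pat, re.I) for name, pat in SOURCE_LINES.items()}

# Inputs taken from the thread, plus one constructed case (quoted_pair).
SAMPLES = {
    "shakespeare": 'To quote William Shakespeare, "to be, or not to be".',
    "shakespeare_x": 'To quote William Shakespeare, "to be, or not to bx".',
    "gallery": '[gallery columns="5" size="medium" '
               'ids="4953,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570"]',
    "short_empty": ',"".',
    "short_digit": ',2".',
    "short_hex": ',a".',
    "quoted_pair": 'ids="1,2"',  # constructed: the quote directly follows the digit
}


def matched_data(value):
    """Text 942200 would log as TX.0 ('Matched Data'), or None if it does not fire."""
    m = RULE_942200.search(value)
    return m.group(0) if m else None


def firing_source_lines(value):
    """Names of the source lines that match, so a hit can be attributed to one line."""
    return [name for name, rx in SOURCE_RES.items() if rx.search(value)]


def fires_if_moved(value, moved):
    """Would the rule still fire if the named source lines were moved to a sibling?"""
    return any(name not in moved and rx.search(value) for name, rx in SOURCE_RES.items())
```

Running `matched_data` and `firing_source_lines` over `SAMPLES` shows that every false positive in the thread is produced by the third source line alone, while the constructed `ids="1,2"` case fires through the second line instead.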