This repository has been archived by the owner on May 14, 2020. It is now read-only.

FP 942100 MySQLi rule triggered? #1711

Open
jeremyjpj0916 opened this issue Mar 5, 2020 · 3 comments

Comments

@jeremyjpj0916
Contributor

jeremyjpj0916 commented Mar 5, 2020

Description

I am guessing this fires on just some keywords to trip a MySQLi?

Audit Logs / Triggered Rule Numbers

---XdNJFxoh---B--
POST /F5/status HTTP/1.1
content-length: 212
accept-encoding: gzip, deflate
Host: gateway-dev.company.com
Accept: */*
Postman-Token: 44007447-9226-4bf1-8c65-fe5e9febc882
cache-control: no-cache
User-Agent: PostmanRuntime/7.6.1
Connection: keep-alive
Content-Type: application/json

---XdNJFxoh---C--
{
        "address": [
          {
            "addr1": "2104 GRANT AVE #A",
            "addr2": "",
            "addr3": "",
            "city": "",
            "state": "",
            "zip": "",
            "county": "",
            "countryCode": " ",
            "type": ""
          }
        ]
}

---XdNJFxoh---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1knc found within ARGS:json.address.array_0.addr1: 2104 GRANT AVE #A"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/F5/status"] [unique_id "158339080551.721980"] [ref "v27,17"]

Linked my issue with the dependency here: client9/libinjection#149

Your Environment

  • CRS version (e.g., v3.2.0): 3.2/master
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 3.0.4

@dune73
Contributor

dune73 commented Mar 5, 2020

Confirm. I can trigger this on 942100 as follows:

$> curl localhost -d "foo=2104 GRANT AVE #A"

@jeremyjpj0916
Contributor Author

UNION AVE on the other hand did not match a fingerprint. GRANT AVE citizens get rekt I suppose.

@jeremyjpj0916
Contributor Author

@dune73 another one strikes again!

[id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nok1o found within ARGS:json.billingPreferenceList.array_0.billingPrefSourceInfo.billingPreferenceDescription: CLOSED - OPTION 1 / OPTION 3"]

Not sure what a nok1o is but it reminds me of the word Tokyo for some reason.
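As an added example (not part of this issue thread or of CRS itself), the narrow mitigation a CRS operator would deploy for the two false positives reported above: take only the affected JSON arguments out of rule 942100's target list rather than disabling the rule or libinjection. It assumes the standard CRS exclusion file layout; rule id 10001 is a placeholder from the local id range.

```apache
# Added example, not CRS code. Global exclusion: goes in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, which is loaded after the
# CRS rules so that SecRuleUpdateTargetById can find rule 942100.
# Only the two argument names taken from the audit logs above are removed;
# every other ARGS target is still inspected by libinjection.
SecRuleUpdateTargetById 942100 "!ARGS:json.address.array_0.addr1"
SecRuleUpdateTargetById 942100 "!ARGS:json.billingPreferenceList.array_0.billingPrefSourceInfo.billingPreferenceDescription"

# Tighter alternative: scope the exclusion to the endpoint seen in the log
# (/F5/status) instead of applying it site-wide. Runtime exclusions with
# ctl:ruleRemoveTargetById are evaluated before the CRS rules, so this goes
# in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf. Id 10001 is a placeholder.
SecRule REQUEST_URI "@beginsWith /F5/status" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:json.address.array_0.addr1"
```

After reloading, dune73's curl above still triggers 942100 for a parameter named foo, while the addr1 field on /F5/status no longer does; check the audit log's [data "Matched Data: ... found within ARGS:..."] field to confirm which target was excluded.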
