[Owasp-modsecurity-core-rule-set] False positive?

Timothy Legge timlegge at gmail.com
Mon Oct 18 09:37:43 EDT 2010


Hi

We have an application that is sending the following data that is
getting blocked with the Core Rules 2.0.5:

GET /pl-ws/json/ReAnon?langID=en-ca&answers=%5B%7B%22q_id%22%3A%221%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%222%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%223%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%224%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%225%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%226%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%227%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%228%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%229%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%2210%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%2211%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%2212%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%2213%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%2214%22%2C%22value%22%3A%220%22%7D%2C%7B%22q_id%22%3A%2215%22%2C%22value%22%3A%220%22%7D%5D

The logs show:

Message: Pattern match
"(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not
|\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\
..." at ARGS:answers. [file
"/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "156"] [id "900045"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "\x22:\x221\x22,\x22v"] [severity
"CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag
"WEB_ATTACK/LFI"]
Message: Pattern match
"(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]
..." at ARGS:answers. [file
"/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "256"] [id "900042"] [msg "Detects classic SQL injection
probings 1/2"] [data "\x221\x22,\x22v"] [severity "CRITICAL"] [tag
"WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
Message: Pattern match "(?:(?:n?and|x?or|not
|\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[\%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")"
at ARGS:answers. [file
"/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "261"] [id "900046"] [msg "Detects basic SQL authentication
bypass attempts 3/3"] [data "\x22q_id\x22:\x22"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
Message: Pattern match
"(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)"
at ARGS:answers. [file
"/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "301"] [id "90008"] [msg "Detects self-executing JavaScript
functions"] [data
",{\x22q_id\x22:\x2214\x22,\x22value\x22:\x220\x22},{\x22q_id\x22:\x2215\x22,\x22value\x22:\x220\x22}]"]
[severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"]
Message: Pattern match
"(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*o
..." at ARGS:answers. [file
"/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "326"] [id "900043"] [msg "Detects classic SQL injection
probings 2/2"] [data
"\x22:\x221\x22,\x22value\x22:\x220\x22},{\x22q_id\x22:\x222\x22,\x22value\x22:\x220\x22},{\x22q_id\x22:\x223\x22,\x22value\x22:\x220\x22},{\x22q_id\x22:\x224\x22,\x22value\x22:\x220\x22},{\x22q_id\x22:\x225\x22,\x22value\x22:\x220\x22},{\x22q_id\x22:\x226\x22,\x22value\x22:\x220\x22},{\x22q_id\x22:\x227\x22,\x22value\x22:\x220\x22},{\x22q_id\x22:\x228\x22,\x22value\x22:\x220\x22},{\x22q_id\x22:\x229\x22,\x22value\x22:\x220\x22},{\x22q_id\x22:\x2210\x22,\x22value\x22:\x220\x22},{\x22q_id\x22:\x2211\x22,\x..."]
[severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"]
[tag "WEB_ATTACK/LFI"]
Message: Access denied with code 403 (phase 2). [file
"/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_49_enforcement.conf"]
[line "25"] [msg "Anomaly Score Exceeded (score 31): 900043-Detects
classic SQL injection probings 2/2"]

What is the best way to resolve this so the application works while
still preventing real SQL Injection attempts?

regards

Tim
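One defensive way to handle this on the ModSecurity side, as an added example that is not part of the original thread or of the CRS itself: instead of disabling the five PHPIDS rules globally, disable them only for this one endpoint, and only when the answers parameter actually looks like the survey JSON shown in the request (an array of {"q_id":"N","value":"N"} objects). The rule id 1010 and the 1-3 digit limits on q_id/value are assumptions to adjust locally.

```apache
# Added example (not from the original post or the CRS): scoped rule
# exclusion for the /pl-ws/json/ReAnon survey endpoint.
# Phase 1 runs before the phase-2 CRS rules that scored this request;
# query-string ARGS are already URL-decoded, so no extra transformation.
# Every link in the chain must match, otherwise the request is inspected
# by the full rule set as usual.
SecRule REQUEST_FILENAME "@streq /pl-ws/json/ReAnon" \
    "phase:1,t:none,nolog,pass,id:1010,chain"
    # Only a GET should carry this payload.
    SecRule REQUEST_METHOD "@streq GET" "t:none,chain"
    # Exactly the two parameters seen in the request, nothing else,
    # so a payload cannot be smuggled in a third argument.
    SecRule &ARGS "@eq 2" "t:none,chain"
    SecRule ARGS:langID "^[a-z]{2}-[a-z]{2}$" "t:none,chain"
    # Strict shape of the survey JSON: quotes, operators or comments
    # anywhere in the value cause this rule not to match.
    SecRule ARGS:answers "^\[\{\"q_id\":\"\d{1,3}\",\"value\":\"\d{1,3}\"\}(?:,\{\"q_id\":\"\d{1,3}\",\"value\":\"\d{1,3}\"\})*\]$" \
        "t:none,ctl:ruleRemoveById=900042,ctl:ruleRemoveById=900043,ctl:ruleRemoveById=900045,ctl:ruleRemoveById=900046,ctl:ruleRemoveById=90008"
```

On ModSecurity 2.6 and later, ctl:ruleRemoveTargetById=900042;ARGS:answers (or the SecRuleUpdateTargetById directive) lets you keep those rules active for every other parameter and exclude only ARGS:answers, which is narrower still.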
