[Owasp-modsecurity-core-rule-set] "multiple URL encoding" matching unexpectedly

Ty ty733420 at gmail.com
Tue Apr 1 15:17:59 UTC 2014


I know this rule (950109) has been brought up on this list before because
posters were confused by its behavior for various reasons.  I'm also by
something very specific about it and so I'll get right to the point:

If this string (before URL encoding) appears in a parameter, the rule
matches:

hello%0dworld

Which is expected, and I understand (percent followed by two potentially
hex characters).  What I don't understand is why this string:

hello%world

also causes the rule to match, and I don't understand that (the following
characters are not hexadecimal).  Looking at the regex, it would appear
it's been written to look specifically for hex characters (and their
unicode equivalent):

SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \

But clearly it matches non-hex characters as well.  Am I misunderstanding
how the rule should work, or is there a problem with the rule's regex?

Thanks,
Ty
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20140401/bc548035/attachment.html>


More information about the Owasp-modsecurity-core-rule-set mailing list