[Owasp-modsecurity-core-rule-set] "multiple URL encoding" matching unexpectedly

Ryan Barnett RBarnett at trustwave.com
Fri Apr 11 18:04:59 UTC 2014

This regex was modified a long time ago to help prevent false positives when the @validateUrlEncoding operator was used - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#validateUrlEncoding

Without this – the operator would throw errors when it saw any % sign with other chars after it other than the normal ranges.

We will look to improve it for CRS v3.0.0.

Ryan Barnett
Lead Security Researcher, SpiderLabs


From: Ty <ty733420 at gmail.com<mailto:ty733420 at gmail.com>>
Date: Tuesday, April 1, 2014 11:17 AM
To: "owasp-modsecurity-core-rule-set at lists.owasp.org<mailto:owasp-modsecurity-core-rule-set at lists.owasp.org>" <owasp-modsecurity-core-rule-set at lists.owasp.org<mailto:owasp-modsecurity-core-rule-set at lists.owasp.org>>
Subject: [Owasp-modsecurity-core-rule-set] "multiple URL encoding" matching unexpectedly

I know this rule (950109) has been brought up on this list before because posters were confused by its behavior for various reasons.  I'm also by something very specific about it and so I'll get right to the point:

If this string (before URL encoding) appears in a parameter, the rule matches:


Which is expected, and I understand (percent followed by two potentially hex characters).  What I don't understand is why this string:


also causes the rule to match, and I don't understand that (the following characters are not hexadecimal).  Looking at the regex, it would appear it's been written to look specifically for hex characters (and their unicode equivalent):

SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \

But clearly it matches non-hex characters as well.  Am I misunderstanding how the rule should work, or is there a problem with the rule's regex?



This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20140411/8b5c3c8a/attachment.html>

More information about the Owasp-modsecurity-core-rule-set mailing list