FP sql injection in pattern with integer after string "update" e.g. "update 1" #3630
Comments
Sorry for the inconvenience and thanks for reporting, @joshi-mohit. Please share the entire alert messages / error log for your request as well as the engine version and the CRS version. I presume this was a JSON POST request with the payload listed above.

Yes, this is a JSON POST with CRS version 4.0.
Thank you. I confirm the false positive:

It's in fact not the Unicode at all. Here is the minimal payload:

Notice the space before the

Could you rename the issue, please, @joshi-mohit.
Thanks a lot, Dune. I would like to understand and learn from you the art of getting the minimum payload, or understanding from the logs the exact pattern causing this.
We'll look into the pattern to see if we can work around the false positive, since your payload sounds fairly natural and nothing overly dangerous. As for getting the minimal payload: I was just playing around with the payload:

It's not really an art, just working through it in a more or less systematic way. Working with ModSec 2.9 with SecDebugLogLevel 9 helps a bit.
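As an added worked example of the systematic reduction described in the comment above (editorial example code, not from the CRS project or from anyone in this thread): the script decodes the reported JSON body the way a JSON body processor exposes `ARGS:json.value` (the `\uXXXX` escapes are already real code points by the time the rule runs), then bisects the decoded string down to the shortest window that still fires. The rule is replaced by a constructed stand-in regex matching `update` followed by whitespace and a digit; it reproduces only the trigger shape named in the issue title and is not the real 942360 expression. The request body and the second sample string are constructed from the payload reported in this issue.

```python
import json
import re
from typing import Callable

# Constructed stand-in for the shape reported in this issue (the keyword
# "update" followed by whitespace and an integer). It is NOT the real CRS
# 942360 regex, which is far broader; it only reproduces the reported trigger.
STANDIN_RULE = re.compile(r"\bupdate\s+\d", re.IGNORECASE)


def triggers(value: str) -> bool:
    """Decision oracle: does the stand-in rule fire on this argument value?"""
    return STANDIN_RULE.search(value) is not None


def json_arg(body: str, key: str) -> str:
    """Mimic what a JSON body processor exposes as ARGS:json.<key>: the
    \\uXXXX escapes are decoded to code points before any rule sees them."""
    return json.loads(body)[key]


def minimal_window(value: str, oracle: Callable[[str], bool]) -> str:
    """Shrink value to the shortest contiguous substring the oracle still
    accepts. Valid for regex-search style detectors: if a prefix fires, every
    longer prefix fires too (same for suffixes), so both boundaries can be
    found by bisection instead of trying every substring by hand."""
    if not oracle(value):
        raise ValueError("oracle does not fire on the full value")
    # Smallest end such that value[:end] still fires.
    lo, hi = 1, len(value)
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(value[:mid]):
            hi = mid
        else:
            lo = mid + 1
    end = lo
    # Largest start such that value[start:end] still fires.
    lo, hi = 0, end - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if oracle(value[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    return value[lo:end]


# Constructed from the request body quoted in this issue (same escapes).
REPORTED_BODY = (
    '{"key": "recent_search", "value": "\\u0936\\u093f\\u0935\\u093e ,'
    '\\u0936\\u093f\\u0935\\u093e update 19/3/24,\\u0936\\u093f\\u0935\\u093e'
    ' update ,\\u0936\\u093f\\u0935\\u093e"}'
)


def reduce_reported_payload() -> str:
    """Decode the reported body and reduce ARGS:json.value to its trigger."""
    return minimal_window(json_arg(REPORTED_BODY, "value"), triggers)


def devanagari_alone_triggers() -> bool:
    """Same Devanagari words, but 'update' is no longer followed by a digit.
    Shows the script itself is not what the stand-in reacts to."""
    return triggers("\u0936\u093f\u0935\u093e update ,\u0936\u093f\u0935\u093e")


if __name__ == "__main__":
    print("full value fires:", triggers(json_arg(REPORTED_BODY, "value")))
    print("minimal window:", repr(reduce_reported_payload()))
    print("Devanagari without digit fires:", devanagari_alone_triggers())
```

The bisection shortcut relies on the detector's verdict depending on one contiguous substring, which holds for a regex search like 942360. It does not hold for a tokenising engine such as libinjection (rule 942100 mentioned in the report), where removing characters can change how the whole input is tokenised; for those, a delta-debugging style reducer that also tries non-contiguous deletions is the systematic equivalent.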
This issue has been open 30 days waiting for feedback. Remove the stale label or comment, or this will be closed in 14 days.
Description
Getting a false positive on rule 942360:

```
Detects concatenated basic SQL injection and SQLLFI attempts, Matched Data: शिवा ,शिवा update 19 found within ARGS:json.value: शिवा ,शिवा update 19/3/24,शिवा update ,शिवा,पुन्हा कर्तव्य \xe0\xa4
```

The payload looks like:

```json
{"key": "recent_search", "value": "\u0936\u093f\u0935\u093e ,\u0936\u093f\u0935\u093e update 19/3/24,\u0936\u093f\u0935\u093e update ,\u0936\u093f\u0935\u093e"}
```

This is possibly due to the Devanagari script. Some of the payloads on the website have ASCII characters.

How can we set the correct Unicode mapping to have this fixed?

Also seeing this FP on rule 942100: SQL Injection Attack Detected via libinjection, Matched Data: 1c found within REQUEST_COOKIES: