
FP sql injection in pattern with integer after string "update" e.g. "update 1" #3630

Open
joshi-mohit opened this issue Mar 24, 2024 · 8 comments

Comments

@joshi-mohit

Description

Getting a false positive on 942360

Detects concatenated basic SQL injection and SQLLFI attempts, Matched Data: शिवा ,शिवा update 19 found within ARGS:json.value: शिवा ,शिवा update 19/3/24,शिवा update ,शिवा,पुन्हा कर्तव्य \xe0\xa4

The payload looks like:
{"key": "recent_search", "value": "\u0936\u093f\u0935\u093e ,\u0936\u093f\u0935\u093e update 19/3/24,\u0936\u093f\u0935\u093e update ,\u0936\u093f\u0935\u093e"}

This is possibly due to the Devanagari script. Some of the payloads on the website have ASCII characters.
How can we set the correct Unicode mapping to have this fixed?

Also seeing this FP on rule 942100 --> SQL Injection Attack Detected via libinjection, Matched Data: 1c found within REQUEST_COOKIES:

@dune73
Member

dune73 commented Mar 24, 2024

Sorry for the inconvenience and thanks for reporting @joshi-mohit.

Please share the entire alert messages / error log for your request as well as the engine version and the CRS version.

I presume this was a JSON POST request with the payload listed above.

@joshi-mohit
Author

joshi-mohit commented Mar 27, 2024

Yes, this is a JSON POST with CRS version 4.0 ---

curl -X POST -H "Content-Type: application/json" -d '{"key": "recent_search", "value": "\u0936\u093f\u0935\u093e,\u0936\u093f\u0935\u093e update 19/3/24,\u0936\u093f\u0935\u093e update ,\u0936\u093f\u0935\u093e"}' http://testmachine/test-endpoint

@dune73
Member

dune73 commented Mar 27, 2024

Thank you. I confirm the false positive:

[2024-03-27 21:19:39.464523] [security2:error] 127.0.0.1:53742 ZgR_WwWq4ZvthzF9IUUbegAAAAA [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)\\\\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\\\s\\\\x0b]+(?:char|group_concat|load_file)\\\\b[\\\\s\\\\x0b]*\\\\(?|end[\\\\s\\\\x0b]*?\\\\);)|[\\\\s\\\\x0b\\\\(]load_file[\\\\s\\\\x0b]*?\\\\(|[\\"'`][\\\\s\\\\x0b]+regexp[^0-9A-Z_a-z]|[\\"'0-9A- ..." at ARGS:value. [file "/home/dune73/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "488"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: \\xe0\\xa4\\xb6\\xe0\\xa4\\xbf\\xe0\\xa4\\xb5\\xe0\\xa4\\xbe,\\xe0\\xa4\\xb6\\xe0\\xa4\\xbf\\xe0\\xa4\\xb5\\xe0\\xa4\\xbe update 19 found within ARGS:value: \\xe0\\xa4\\xb6\\xe0\\xa4\\xbf\\xe0\\xa4\\xb5\\xe0\\xa4\\xbe,\\xe0\\xa4\\xb6\\xe0\\xa4\\xbf\\xe0\\xa4\\xb5\\xe0\\xa4\\xbe update 19/3/24,\\xe0\\xa4\\xb6\\xe0\\xa4\\xbf\\xe0\\xa4\\xb5\\xe0\\xa4\\xbe update ,\\xe0\\xa4\\xb6\\xe0\\xa4\\xbf\\xe0\\xa4\\xb5\\xe0\\xa4\\xbe"] [severity "CRITICAL"] [ver "OWASP_CRS/4.2.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS [hostname "localhost"] [uri "/"] [unique_id "ZgR_WwWq4ZvthzF9IUUbegAAAAA"]


Debug Log:

[27/Mar/2024:21:21:24.576963 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] T (0) urlDecodeUni: "\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe update 19/3/24,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe update ,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe"
[27/Mar/2024:21:21:24.576966 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][4] Transformation completed in 4 usec.
[27/Mar/2024:21:21:24.576977 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][4] Executing operator "rx" with param "(?i)\\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\s\\x0b]+(?:char|group_concat|load_file)\\b[\\s\\x0b]*\\(?|end[\\s\\x0b]*?\\);)|[\\s\\x0b\\(]load_file[\\s\\x0b]*?\\(|[\"'`][\\s\\x0b]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][\\s\\x0b]+as\\b[\\s\\x0b]*[\"'0-9A-Z_-z]+[\\s\\x0b]*\\bfrom|^[^A-Z_a-z]+[\\s\\x0b]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\\s\\x0b]+[0-9A-Z_a-z]+|u(?:pdate[\\s\\x0b]+[0-9A-Z_a-z]+|nion[\\s\\x0b]*(?:all|(?:sele|distin)ct)\\b)|alter[\\s\\x0b]*(?:a(?:(?:ggregat|pplication[\\s\\x0b]*rol)e|s(?:sembl|ymmetric[\\s\\x0b]*ke)y|u(?:dit|thorization)|vailability[\\s\\x0b]*group)|b(?:roker[\\s\\x0b]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\\s\\x0b]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stanc
[27/Mar/2024:21:21:24.576981 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Target value: "\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe update 19/3/24,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe update ,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe"
[27/Mar/2024:21:21:24.576986 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Added regex subexpression to TX.0: \xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe update 19
[27/Mar/2024:21:21:24.576995 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][4] Operator completed in 12 usec.
[27/Mar/2024:21:21:24.576998 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Setting variable: tx.sql_injection_score=+%{tx.critical_anomaly_score}
[27/Mar/2024:21:21:24.577002 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Recorded original collection variable: tx.sql_injection_score = "0"
[27/Mar/2024:21:21:24.577006 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Resolved macro %{tx.critical_anomaly_score} to: 5
[27/Mar/2024:21:21:24.577009 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Relative change: sql_injection_score=0+5
[27/Mar/2024:21:21:24.577011 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Set variable "tx.sql_injection_score" to "5".
[27/Mar/2024:21:21:24.577014 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Setting variable: tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}
[27/Mar/2024:21:21:24.577019 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Recorded original collection variable: tx.inbound_anomaly_score_pl1 = "0"
[27/Mar/2024:21:21:24.577026 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Resolved macro %{tx.critical_anomaly_score} to: 5
[27/Mar/2024:21:21:24.577029 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Relative change: inbound_anomaly_score_pl1=0+5
[27/Mar/2024:21:21:24.577031 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Set variable "tx.inbound_anomaly_score_pl1" to "5".
[27/Mar/2024:21:21:24.577039 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Resolved macro %{TX.0} to: \xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe update 19
[27/Mar/2024:21:21:24.577044 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Resolved macro %{MATCHED_VAR_NAME} to: ARGS:value
[27/Mar/2024:21:21:24.577047 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][9] Resolved macro %{MATCHED_VAR} to: \xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe update 19/3/24,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe update ,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe
[27/Mar/2024:21:21:24.577097 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][2] Warning. Pattern match "(?i)\\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\s\\x0b]+(?:char|group_concat|load_file)\\b[\\s\\x0b]*\\(?|end[\\s\\x0b]*?\\);)|[\\s\\x0b\\(]load_file[\\s\\x0b]*?\\(|[\"'`][\\s\\x0b]+regexp[^0-9A-Z_a-z]|[\"'0-9A- ..." at ARGS:value. [file "/home/dune73/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "488"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: \xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe update 19 found within ARGS:value: \xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe update 19/3/24,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe update ,\xe0\xa4\xb6\xe0\xa4\xbf\xe0\xa4\xb5\xe0\xa4\xbe"] [severity "CRITICAL"] [ver "OWASP_CRS/4.2.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS
[27/Mar/2024:21:21:24.577120 +0100] [localhost/sid#5569b9ab7478][rid#7fd7c4004c30][/][4] Rule returned 1.


@dune73
Member

dune73 commented Mar 27, 2024

It's in fact not the unicode at all. Here is the minimal payload:

$ curl -X POST -H "Content-Type: application/json" -d '{"key": "recent_search", "value": " update 1"}' localhost

Notice the space before the update.

@dune73
Member

dune73 commented Mar 27, 2024

Could you rename the issue, please, @joshi-mohit.

@joshi-mohit joshi-mohit changed the title FP possibly due to unicode in sql injection FP sql injection in pattern with integer after string "update" e.g. "update 1" Apr 3, 2024
@joshi-mohit
Author

joshi-mohit commented Apr 3, 2024

Thanks a lot, Dune. I would like to understand and learn from you the art of getting the minimum payload, or of understanding from the logs the exact pattern causing this.
Is there any way this pattern can be modified to avoid this FP?

@dune73
Member

dune73 commented Apr 3, 2024

We'll look into the pattern to see if we can work around the false positive, since your payload sounds fairly natural and nothing overly dangerous.

As for getting the minimal payload: I was just playing around with the payload:

  • Recreate FP with curl with full payload
  • Reduce payload step by step while always making sure the rule is still triggered

It's not really an art, just working through it in a more or less systematic way. Working with ModSec 2.9 with SecDebugLogLevel 9 helps a bit.
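The two things discussed in the last comments, why a leading space before "update" makes rule 942360 fire and how to shrink a triggering value step by step, as an added example that is not code from the CRS project or from anyone in this thread. The regex is an excerpt of the 942360 pattern printed in the debug log above, trimmed to the branches relevant here (the long "alter ..." branch is cut off in the log and is left out, so this is not the full rule); the names ALT_942360, REPORTED_VALUE, matched_data and minimise are assumptions of this example, and REPORTED_VALUE is rebuilt from the JSON escapes in the curl command above. The key part is the leading [^A-Z_a-z]+, which a space, a digit or a Devanagari character all satisfy and a bare leading "update" does not; the branch exists to catch values such as "1 union select" where a numeric parameter is followed by more SQL, and " update 1" happens to have the same shape.

```python
import re
from typing import Optional

# Excerpt of the CRS 942360 regex, copied from the rule text in the debug log
# and trimmed to the branches that matter for this report (the "alter ..."
# branch is cut off in the log and is omitted).  Added for illustration; it
# is not the complete rule.
# Read it as: start of the value, one or more characters that are NOT an
# ASCII letter or underscore, optional whitespace, then a keyword (update,
# union, select, ...) followed by whitespace and a word.  The leading
# [^A-Z_a-z]+ is what turns a harmless " update 1" into a match.
ALT_942360 = re.compile(
    r"^[^A-Z_a-z]+[\s\x0b]*?"
    r"(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)"
    r"[\s\x0b]+[0-9A-Z_a-z]+"
    r"|u(?:pdate[\s\x0b]+[0-9A-Z_a-z]+|nion[\s\x0b]*(?:all|(?:sele|distin)ct)\b))",
    re.IGNORECASE | re.ASCII,  # ASCII: \s and case folding stay ASCII, like PCRE without UTF mode
)

# The value from the report, rebuilt from the JSON escapes in the curl command
# (constructed test input for this example).
REPORTED_VALUE = (
    "\u0936\u093f\u0935\u093e,\u0936\u093f\u0935\u093e update 19/3/24,"
    "\u0936\u093f\u0935\u093e update ,\u0936\u093f\u0935\u093e"
)


def matched_data(value: str) -> Optional[str]:
    """What ModSecurity would log as TX.0 / "Matched Data" for this excerpt,
    or None if the excerpt does not fire on the value."""
    m = ALT_942360.search(value)
    return m.group(0) if m else None


def minimise(value: str) -> str:
    """Shrink a triggering value step by step while the excerpt keeps firing.

    The excerpt is anchored at the start of the value, so two greedy passes
    are enough: cut characters off the end, then off the front, keeping a cut
    only if the match survives.  Crude, but it is the "reduce the payload
    while the rule still triggers" loop from the thread in code form; for
    unanchored patterns a per-character delta reduction would be needed."""
    if matched_data(value) is None:
        raise ValueError("value does not trigger the excerpt")
    s = value
    while len(s) > 1 and matched_data(s[:-1]) is not None:  # trim the tail
        s = s[:-1]
    while len(s) > 1 and matched_data(s[1:]) is not None:   # trim the head
        s = s[1:]
    return s


if __name__ == "__main__":
    print(repr(matched_data(REPORTED_VALUE)))    # Devanagari prefix + " update 19", as in the log
    print(repr(minimise(REPORTED_VALUE)))        # ' update 1', the minimal payload from the thread
    print(matched_data("update 1"))              # None: no non-letter before "update"
    print(repr(matched_data("1 union select")))  # the kind of value the branch was written for
```

While the pattern itself is under review, a site that needs relief right away would normally remove the offending argument from the rule's targets with a runtime exclusion placed after the CRS rules are loaded, for example SecRuleUpdateTargetById 942360 "!ARGS:value", using the argument name exactly as it appears in the local alert (ARGS:json.value in the first report above, ARGS:value in the ModSecurity 2.9 log); that is a standard CRS tuning step, not a fix to the rule.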

Contributor

github-actions bot commented May 4, 2024

This issue has been open 30 days waiting for feedback. Remove the stale label or comment, or this will be closed in 14 days.

3 participants