
FP 942100 MySQLi rule triggered?

Open jeremyjpj0916 opened this issue 5 years ago • 3 comments

Description

I am guessing this fires on just some keywords to trip a MySQLi?

Audit Logs / Triggered Rule Numbers

---XdNJFxoh---B--
POST /F5/status HTTP/1.1
content-length: 212
accept-encoding: gzip, deflate
Host: gateway-dev.company.com
Accept: */*
Postman-Token: 44007447-9226-4bf1-8c65-fe5e9febc882
cache-control: no-cache
User-Agent: PostmanRuntime/7.6.1
Connection: keep-alive
Content-Type: application/json

---XdNJFxoh---C--
{
        "address": [
          {
            "addr1": "2104 GRANT AVE #A",
            "addr2": "",
            "addr3": "",
            "city": "",
            "state": "",
            "zip": "",
            "county": "",
            "countryCode": " ",
            "type": ""
          }
        ]
}

---XdNJFxoh---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1knc found within ARGS:json.address.array_0.addr1: 2104 GRANT AVE #A"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/F5/status"] [unique_id "158339080551.721980"] [ref "v27,17"]

Linked my issue with the dependency here: https://github.com/client9/libinjection/issues/149

Your Environment

  • CRS version (e.g., v3.2.0): 3.2/master
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 3.0.4

jeremyjpj0916, Mar 05 '20 06:03

Confirm. I can trigger this on 942100 as follows:

$> curl localhost -d "foo=2104 GRANT AVE #A"

dune73, Mar 05 '20 08:03

UNION AVE on the other hand did not match a fingerprint. GRANT AVE citizens get rekt I suppose.

jeremyjpj0916, Mar 06 '20 07:03

@dune73 another one strikes again!

[id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nok1o found within ARGS:json.billingPreferenceList.array_0.billingPrefSourceInfo.billingPreferenceDescription: CLOSED - OPTION 1 / OPTION 3"]

Not sure what a nok1o is but it reminds me of the word Tokyo for some reason.

jeremyjpj0916, Apr 30 '20 19:04
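As an added example (not code from this thread, from CRS or from libinjection), the script below parses the two H-section alert lines quoted in the thread, pulls out the libinjection fingerprint (`1knc`, `nok1o`) and the exact `ARGS:` target that matched, and drafts a per-target CRS exclusion so that 942100 keeps inspecting every other parameter. The exclusion ids starting at 10000, the use of `@beginsWith` on the logged URI and the data-class layout are my assumptions; the directives it emits (`ctl:ruleRemoveTargetById` and `SecRuleUpdateTargetById`) are standard ModSecurity syntax.

```python
"""Triage ModSecurity/CRS audit-log alerts and draft per-target rule exclusions.

Added example for this thread; it is not part of CRS or libinjection.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Bracketed key/value pairs as ModSecurity writes them in the H section, e.g. [id "942100"].
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# The "data" field of a libinjection hit: fingerprint, matched variable, and the value.
DATA_RE = re.compile(r'Matched Data: (?P<fp>\S+) found within (?P<target>\S+?): (?P<value>.*)$')


@dataclass(frozen=True)
class Alert:
    rule_id: str
    msg: str
    fingerprint: str   # libinjection fingerprint such as "1knc"
    target: str        # e.g. ARGS:json.address.array_0.addr1
    value: str         # the request value that matched
    uri: Optional[str]  # None when the log line carries no [uri "..."] field


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one audit-log H line; return None if it is not a libinjection-style alert."""
    fields = dict(FIELD_RE.findall(line))
    m = DATA_RE.search(fields.get("data", ""))
    if "id" not in fields or m is None:
        return None
    return Alert(
        rule_id=fields["id"],
        msg=fields.get("msg", ""),
        fingerprint=m["fp"],
        target=m["target"],
        value=m["value"],
        uri=fields.get("uri") or None,
    )


def exclusion_rule(alert: Alert, exclusion_id: int) -> str:
    """Draft a CRS-style exclusion that removes only this target from the firing rule.

    With a URI we emit a runtime ctl: exclusion scoped to that path (belongs in
    REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf); without one, a configure-time
    SecRuleUpdateTargetById (belongs in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
    The exclusion id range (10000+) is an assumption for this example.
    """
    if alert.uri:
        return (
            f'SecRule REQUEST_URI "@beginsWith {alert.uri}" \\\n'
            f'    "id:{exclusion_id},phase:1,pass,nolog,'
            f'ctl:ruleRemoveTargetById={alert.rule_id};{alert.target}"'
        )
    return f'SecRuleUpdateTargetById {alert.rule_id} "!{alert.target}"'


def triage(lines: Iterable[str], start_id: int = 10000) -> List[str]:
    """Deduplicate alerts by (rule, target) and draft one exclusion per pair."""
    seen = set()
    rules: List[str] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or (alert.rule_id, alert.target) in seen:
            continue
        seen.add((alert.rule_id, alert.target))
        rules.append(exclusion_rule(alert, start_id + len(rules)))
    return rules


# Sample input: the two H-section lines quoted in this thread.
SAMPLE_LOG = [
    'ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1knc found within ARGS:json.address.array_0.addr1: 2104 GRANT AVE #A"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/F5/status"] [unique_id "158339080551.721980"] [ref "v27,17"]',
    '[id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nok1o found within ARGS:json.billingPreferenceList.array_0.billingPrefSourceInfo.billingPreferenceDescription: CLOSED - OPTION 1 / OPTION 3"]',
]

if __name__ == "__main__":
    for rule in triage(SAMPLE_LOG):
        print(rule)
        print()
```

Running it prints one exclusion per distinct (rule, target) pair: a URI-scoped `ctl:ruleRemoveTargetById` rule for the `/F5/status` address field and a global `SecRuleUpdateTargetById` for the billing-preference field, which the second log line reports without a URI. Both keep 942100 active for every other argument, which is the narrowest way to handle a libinjection fingerprint that fires on free-text address or description fields.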