
False positive on PHP SESSION cookie (ID: 942100)

Open pryley opened this issue 6 years ago • 0 comments

One of the users of our software is getting a SQLi false positive (id: 942100) on the contents of a PHP SESSION cookie:

Matched Data: n&1 found within REQUEST_COOKIES:_glsr_session: f1348d75e7764ae938dcf4357e9a19f1||1547417923||1547417563

The contents of the SESSION cookie are as follows:

  1. "||" is used as the delimiter.

  2. The first part is an MD5 encoded string that serves as the session ID. This string is generated with the following code: md5(( new PasswordHash( 8, false ))->get_random_bytes( 32 ));

  3. The second part is the expiry timestamp string. This string is generated with the following code: time() + (24 * 60); // 24 minutes

  4. The third and final part is the expiry reset timestamp string. This string is generated with the following code: time() + (30 * 60); // 30 minutes

I'm guessing that the problem here is being caused by the delimiter, particularly the specific part of the string that is: 1||1. Perhaps libinjection is reading this as 1 OR 1.

Possible temporary solution:

Based on this issue, I have determined that a temporary fix would be to add a custom exception rule to the ModSecurity config:

SecRuleUpdateTargetById 942100 "!REQUEST_COOKIES:_glsr_session"

However, this is less than ideal as I cannot expect all of my users (or at least the ones with ModSecurity active on their server) to have the knowledge and ability to do this.

Possible permanent solution:

If my assumptions above are correct, then the permanent solution (other than libinjection improving its detection routines) is to change the delimiter I am using to something else (i.e. __). However, since I do not use ModSecurity, it will be impossible for me to verify this.

Here is the full error from the error log:

ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'n&1' [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n&1 found within REQUEST_COOKIES:_glsr_session: f1348d75e7764ae938dcf4357e9a19f1||1547417923||1547417563"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "the-website.com"] [uri "/"] [unique_id "XDuyP1V58gUkpQnNW14QXQAAAQc"]

pryley, Jan 14 '19 16:01
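
Added example, not part of the original issue and not code from libinjection or ModSecurity: a Python triage helper that parses a ModSecurity warning like the one quoted above (shortened here) and emits the per-cookie SecRuleUpdateTargetById exclusion from the temporary fix. The function names and the regexes are this example's own assumptions about the log layout shown on the page.

```python
import re

# ModSecurity warning from the issue above, shortened: most [tag ...] fields dropped.
LOG = (
    "ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'n&1' "
    '[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "43"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: n&1 found within REQUEST_COOKIES:_glsr_session: '
    'f1348d75e7764ae938dcf4357e9a19f1||1547417923||1547417563"] '
    '[severity "CRITICAL"] [tag "attack-sqli"] [tag "OWASP_TOP_10/A1"] [uri "/"]'
)

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DATA = re.compile(r'Matched Data: (.*?) found within ([A-Z_]+(?::[^:\s]+)?): (.*)', re.S)


def parse_warning(line):
    """Return the bracketed fields of a ModSecurity error-log entry as a dict.

    Repeated [tag ...] fields are collected into the list fields["tags"].
    """
    fields = {}
    for key, value in FIELD.findall(line):
        if key == "tag":
            fields.setdefault("tags", []).append(value)
        else:
            fields[key] = value
    m = DATA.match(fields.get("data", ""))
    if m:
        fields["matched"], fields["target"], fields["value"] = m.groups()
    return fields


def exclusion_for(fields):
    """Build the per-variable exclusion used in the issue for this rule id.

    Only a named collection member (COLLECTION:name) is accepted; a bare
    collection would switch the rule off for every cookie or argument.
    """
    target = fields.get("target", "")
    if ":" not in target or not fields.get("id", "").isdigit():
        raise ValueError("no rule id or named target in log entry")
    return 'SecRuleUpdateTargetById %s "!%s"' % (fields["id"], target)


if __name__ == "__main__":
    f = parse_warning(LOG)
    print(f["id"], f["target"], f["tags"])
    print(exclusion_for(f))
```

The exclusion stays scoped to the one cookie named in the log entry, so rule 942100 keeps inspecting every other request variable.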