libinjection-go

False positive in JSON body, marked as SQL injection attempt

Open FlorianIragne opened this issue 6 months ago • 3 comments

Description

Coraza (through coraza-spoa + haproxy) is marking a JSON body as a SQL injection attempt.

Steps to reproduce

Make a POST request with this JSON body:

{"id": "51--ZfvVzOI"}

Expected result

The request should pass the filter.

Actual result

The request is denied and flagged as SQL injection.

1:37PM ERR [client "*********"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file "/etc/coraza-spoa/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "9275"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within ARGS:json.id: 51--ZfvVzOI"] [severity "critical"] [ver "OWASP_CRS/4.17.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-SQLI"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "*********"] [uri "/"] [unique_id "KHFLHICXBZMKOSWO"]
1:37PM ERR [client "*******] Coraza: Access denied (phase 2). Inbound Anomaly Score Exceeded (Total Score: 5) [file "/etc/coraza-spoa/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "12093"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.17.0-dev"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "****"] [uri "/"] [unique_id "KHFLHICXBZMKOSWO"]

FlorianIragne, Jul 11 '25 13:07

Adding a comment to say that this error seems not to be deterministic. If I do the same POST several times in a row, only a few are detected as SQL injection.

FlorianIragne, Jul 11 '25 13:07

Moving issue to libinjection-go

jptosso, Sep 08 '25 13:09

This is the same as upstream https://github.com/libinjection/libinjection/issues/45

fzipi, Nov 16 '25 01:11