FP on 942290 ($in in cookie)
Description
There is a false positive on rule 942290 (Finds basic MongoDB SQL injection attempts) because of the way some applications use cookies (notably MixPanel and PostHog, as far as I found) that have variables starting with $initial or something else sometimes
How to reproduce the misbehavior (-> curl call)
curl -I -L "https://anything.com/" -H 'Cookie: mp_123_mixpanel={"distinct_id":"test","$device_id":"test","$initial_referrer":"https://example.com"}'
Logs
I use Coraza
1:51PM ERR [client "<ip_address>"] Coraza: Warning. Finds basic MongoDB SQL injection attempts [file "@owasp_crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "10243"] [id "942290"] [rev ""] [msg "Finds basic MongoDB SQL injection attempts"] [data "Matched Data: $in found within REQUEST_COOKIES:mp_123_mixpanel: {\"distinct_id\":\"test\",\"$device_id\":\"test\",\"$initial_referrer\":\"https://example.com\"}"] [severity "critical"] [ver "OWASP_CRS/4.17.1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-SQLI"] [tag "capec/1000/152/248/66"] [hostname "<ip_address>"] [uri "/"] [unique_id "FOEEMWRIZHEAKTBM"]
Your Environment
- CRS version (e.g., v3.3.4): 4.17.1
- Paranoia level setting (e.g. PL1) : PL1
- ModSecurity version (e.g., 2.9.6): Coraza v3.3.3
- Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): I use Coraza with HAProxy (Coraza SPOA)
- Operating System and version: HAProxy on Debian 11, Coraza on Debian 12
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Thank you for the report.
The entropy of this cookie, ^mp_[\w]{32}_mixpanel$, can trigger up to eight CRS rules - 942290 is only one among several.
Even if improvements were made to 942290, it unfortunately wouldn’t change the fact that its entropy is not CRS-friendly.
I suggest treating it as a false positive.
Even if it's only PL1?
This is one of a handful of rules that fail on random input because their minimal patterns are relatively short.
We could move them to a higher paranoia level or make the pattern more specific. Both strategies lead to false negatives (if you stay at PL1, that is).
Because these rules are generally considered important base rules and the tendency to trigger false positives is limited to specific software packages (unlike CRS PL1 942100, which tends to behave like a landmine on English text), we have so far opted to disappoint users and tell them to remove the rule via a rule exclusion. Luckily, you can limit the rule exclusion to the cookie mp_123_mixpanel.
For some software packages we did rule exclusion plugins (CRS4) that provide a list of standard rule exclusions when working with said software. I think that could be viable here as well. Somebody with some knowledge of the software in question (-> you?) would simply have to contribute the work. The project is usually open to additional rule exclusion plugins.
As observed here, this is the only PL1 rule that gets triggered; the others are in PL2 and PL3.
I already have some CRS plugins and they are great, but unfortunately I definitely do not have the knowledge to create one for MixPanel or PostHog. I noticed it was this software after searching how the cookies are formed; I have no knowledge whatsoever of how they work, I wished
I guess I'll just make a basic rule exclusion, thanks
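For reference, this is what the "basic rule exclusion" discussed above looks like in CRS SecLang. It is an added example, not configuration from the thread or from the CRS project; the rule id 10001 is a placeholder chosen here, and the cookie-name pattern is the one the maintainer quoted (^mp_[\w]{32}_mixpanel$).

```apache
# Added example (not from the thread). Goal: stop 942290 from inspecting the
# Mixpanel cookie value while keeping the rule active for every other target
# (ARGS, other cookies, headers), so the SQLi/NoSQLi coverage is not lost.

# Option 1: startup-time exclusion. Must be loaded AFTER the CRS rules
# (e.g. in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf), because the directive
# modifies a rule that has to exist already. Narrowest form: the exact cookie
# name seen in the log above (the "123" part is the anonymised account token).
SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:mp_123_mixpanel"

# Same idea for every Mixpanel cookie via a regex collection key, using the
# maintainer's pattern. Assumption: the engine accepts regex keys in
# SecRuleUpdateTargetById (ModSecurity does; confirm on your Coraza build).
# SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:/^mp_\w{32}_mixpanel$/"

# Option 2: runtime (conditional) exclusion. Loaded BEFORE the CRS rules
# (e.g. in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf), phase 1, and applied
# only where the tracking cookie is legitimately expected. Placeholder id 10001
# and path /app/ are constructed for this example.
SecRule REQUEST_URI "@beginsWith /app/" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942290;REQUEST_COOKIES:mp_123_mixpanel"
```

Use one option, not both. The exclusion is per rule id, so if you raise the paranoia level the PL2/PL3 rules the maintainer mentioned will still fire on this cookie and need their own entries.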
Thanks for your understanding. And sorry for being of little assistance here. But please keep reporting false positives. Very often, we just don't know about them. This time, the situation was a bit different though.