Posted by kandyjet, 05-24-2013, 04:34 AM | Hello,
We have installed the OWASP rule set and now we see the rules in action,
but the following rule does not protect against this injection:
#
# -=[ Detect SQL Comment Sequences ]=-
#
# Example Payloads Detected:
# -------------------------
# OR 1#
# DROP sampletable;--
# admin'--
# DROP/*comment*/sampletable
# DR/**/OP/*bypass blacklisting*/sampletable
# SELECT/*avoid-spaces*/password/**/FROM/**/Members
# SELECT /*!32302 1/0, */ 1 FROM tablename
# ‘ or 1=1#
# ‘ or 1=1-- -
# ‘ or 1=1/*
# ' or 1=1;\x00
# 1='1' or-- -
# ' /*!50000or*/1='1
# ' /*!or*/1='1
# 0/**/union/*!50000select*/table_name`foo`/**/
# -------------------------
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'8',accuracy:'8',id:'981231',t:none,t:urlDecodeUni,block,msg:'SQL Comment Sequence Detected.',severity:'2',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
|
Posted by zacharooni, 05-28-2013, 08:48 PM | Hello!
I think you're using this rule file:
https://github.com/SpiderLabs/owasp-...n_attacks.conf
I have attempted to hit the rule with that request, and I can't get it to hit either. I have also tested the regexes against http://regexpal.com to no avail.
I would consider contacting Ryan Barnett or TrustWave SpiderLabs to let them know about this. Otherwise, I might consider using something like:
// keep only A-Z, a-z, 0-9 and space; the original pattern [\w\d\s]+ removed the allowed characters instead of the disallowed ones
$clean_var = preg_replace('/[^A-Za-z0-9 ]+/', '', $_POST['var']);
You will need to adjust the regex to your needs, but always have a secondary filter, never trust user input as-is. The above function should replace anything that's not A-Z, a-z, 0-9, or spaces with '', effectively eliminating apostrophes and other characters.
|
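Added example (not code from the thread, the OWASP CRS project or ModSecurity): it runs the operator regex of rule 981231 quoted in the first post against constructed sample values, after an approximation of the rule's t:urlDecodeUni transformation, and beside it shows the allow-list secondary filter suggested in the reply above. The url_decode_uni helper, the sample values and their expected outcomes are assumptions made here for illustration; only the regex itself is taken from the page.

```python
"""Check which sample values CRS rule 981231's regex fires on, and show the
allow-list secondary filter. Added example; not from the thread."""
import re
from urllib.parse import unquote_plus

# The regex exactly as it appears in the rule's SecRule operator (PCRE syntax
# that Python's re module accepts unchanged). Note that \\x00 is a literal
# backslash followed by x00, not a NUL byte.
RULE_981231 = re.compile(
    r"(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)"
)


def url_decode_uni(value: str) -> str:
    """Approximation (assumed here) of t:urlDecodeUni: decode Microsoft-style
    %uXXXX first, then ordinary %XX sequences and '+' as space."""
    value = re.sub(r"%u([0-9A-Fa-f]{4})",
                   lambda m: chr(int(m.group(1), 16)), value)
    return unquote_plus(value)


def rule_matches(raw_value: str) -> bool:
    """True if the rule's regex fires on this argument value. The rule's
    transformation chain is t:none,t:urlDecodeUni, so decode before testing."""
    return RULE_981231.search(url_decode_uni(raw_value)) is not None


def matched_data(raw_value: str):
    """The text the rule would log as %{TX.0} (the whole capture), or None."""
    m = RULE_981231.search(url_decode_uni(raw_value))
    return m.group(0) if m else None


# Corrected form of the reply's secondary filter: keep A-Z, a-z, 0-9 and space,
# drop everything else. Blunt by design; it also mangles legitimate input.
ALLOWLIST_STRIP = re.compile(r"[^A-Za-z0-9 ]+")


def allowlist_filter(value: str) -> str:
    return ALLOWLIST_STRIP.sub("", value)


# Constructed sample values as they would arrive in a query string, with the
# outcome expected from reading the regex.
SAMPLES = {
    "admin'--": True,                    # [';]-- branch
    "DROP sampletable;--": True,         # [';]-- branch
    "DROP/*comment*/sampletable": True,  # /\*!? branch
    "' or 1=1-- -": True,                # --\s branch
    "admin%27--": True,                  # fires only after %27 decodes to '
    "item #12 in stock": True,           # '#' followed later by whitespace
    "O'Reilly": False,                   # a lone apostrophe is not enough
    "a - b": False,                      # single dash, no comment sequence
}


def run_samples() -> dict:
    """Evaluate every sample; returns {value: (fired, expected)}."""
    return {v: (rule_matches(v), expected) for v, expected in SAMPLES.items()}


if __name__ == "__main__":
    for value, (fired, expected) in run_samples().items():
        flag = "ok " if fired == expected else "BAD"
        print(f"{flag} fired={fired!s:5} {value!r:35} data={matched_data(value)!r}")
    print(allowlist_filter("admin'--"), "|", allowlist_filter("O'Reilly"))
```

Two things worth noticing when running it: the encoded value admin%27-- does not match the raw regex at all and only fires after decoding, so a rule must always be tested against the transformed value, not the wire form; and the '#' branch also fires on the harmless "item #12 in stock", which is why a single rule only adds to tx.anomaly_score rather than blocking on its own, and why tuning such rules per application matters.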
Posted by Ramprage, 05-28-2013, 09:02 PM | Yeah those are some pretty insane regex entries on the github link.
Have you tried submitting an issue on their github repo?
https://github.com/SpiderLabs/owasp-...ity-crs/issues
|
Posted by kandyjet, 05-29-2013, 12:58 AM | Thanks for the advice and the useful piece of code
|
Posted by kandyjet, 05-29-2013, 12:59 AM | Yeah, I'll take this issue there. Thanks for the link, Ramprage.
|