932140 (Remote Command Execution: Windows FOR/IF Command Found) FP on SAML data #671
I'm running SimpleSAMLPhp as a SAML IdP behind mod_security-2.9.1 with the OWASP_CRS/3.0.0 ruleset, and 932140 triggers on some SAML transactions.
SAML involves large digitally signed PEM-encoded blobs flying through via POST, and I think the simple matching on 2 chars really makes this rule likely to FP.
Attached is an alert showing that rule hitting on some base64-encoded chars, "if3q".
Jan 3, 2017
So what do we do with this and with #675? I get the feeling these issues are part of a bigger group of false positives that involve 1-2 dozen rules, some of them PL1, that may trigger on (seemingly) random data.
Seemingly random data exists in the form of Base64 encoded payloads, client-side encryption of request parameters, etc.
I think we need to solve this at least for PL1. Whatever solving really means. With FOR/IF it looks really tough.
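As an added illustration of the two points raised above (the report that a 2-character keyword match is bound to fire on base64 blobs, and the follow-up that a whole group of rules trigger on seemingly random data), the script below estimates and measures how often the case-insensitive tokens "if" and "for" show up in random base64 text, and contrasts that with a pattern that requires a delimiter outside the base64 alphabet. This is not code from the issue, from SimpleSAMLPhp or from the CRS project: the two regexes are simplified stand-ins, not the text of rule 932140, the base64 payload is constructed from seeded pseudo-random bytes rather than captured SAML traffic, and the Windows `for` loop is a constructed sample command.

```python
import base64
import math
import random
import re

# Constructed stand-in for the base64 body of a SAMLResponse or a PEM blob:
# pseudo-random bytes with a fixed seed so the run is reproducible. This is
# not captured SAML traffic.
def constructed_blob(nbytes: int, seed: int = 671) -> str:
    rng = random.Random(seed)
    raw = bytes(rng.getrandbits(8) for _ in range(nbytes))
    return base64.b64encode(raw).decode("ascii")

# Constructed Windows command line of the kind a FOR/IF rule is meant to catch.
WINDOWS_FOR_LOOP = "for /L %i in (1,1,3) do echo %i"

# Bare case-insensitive keywords, standing in for the reporter's "matching on
# 2 chars" complaint. These are NOT the regex of rule 932140.
BARE_IF_RE = re.compile(r"if", re.IGNORECASE)
BARE_FOR_RE = re.compile(r"for", re.IGNORECASE)

# Same keywords, but only when followed by a character that base64 output can
# never contain (space, '%', '(', ...). Illustrates one way a signature can be
# made indifferent to encoded blobs; it is not a proposed CRS patch.
DELIMITED_RE = re.compile(r"(?:if|for)[^A-Za-z0-9+/=]", re.IGNORECASE)


def count_hits(pattern: "re.Pattern", text: str) -> int:
    """Number of non-overlapping matches of `pattern` in `text`."""
    return sum(1 for _ in pattern.finditer(text))


def expected_hits(length: int, keyword: str) -> float:
    """Expected number of case-insensitive occurrences of `keyword` in
    uniformly random base64 text of `length` characters. Every letter of the
    keyword is matched by 2 of the 64 symbols (upper and lower case), so a
    match starts at a given position with probability (2/64) ** len(keyword)."""
    p = (2 / 64) ** len(keyword)
    return max(length - len(keyword) + 1, 0) * p


def p_at_least_one(length: int, keyword: str) -> float:
    """Poisson approximation of P(blob contains `keyword` at least once)."""
    return 1.0 - math.exp(-expected_hits(length, keyword))


def report(nbytes: int) -> dict:
    """Measure bare vs. delimited hits on a constructed blob of `nbytes`
    random bytes and compare with the analytical expectation."""
    blob = constructed_blob(nbytes)
    return {
        "chars": len(blob),
        "bare_if": count_hits(BARE_IF_RE, blob),
        "bare_for": count_hits(BARE_FOR_RE, blob),
        "delimited_hits": count_hits(DELIMITED_RE, blob),
        "expected_if": expected_hits(len(blob), "if"),
        "expected_for": expected_hits(len(blob), "for"),
        "p_if": p_at_least_one(len(blob), "if"),
    }


if __name__ == "__main__":
    # A 3 KB signed assertion becomes 4000 base64 characters; "if" is expected
    # roughly four times in it, so the bare match fires on nearly every request.
    for nbytes in (3000, 30000):
        r = report(nbytes)
        print(f"{r['chars']} base64 chars: bare if={r['bare_if']} "
              f"(expected {r['expected_if']:.2f}), bare for={r['bare_for']} "
              f"(expected {r['expected_for']:.2f}), "
              f"P(at least one 'if')={r['p_if']:.3f}, "
              f"delimited hits={r['delimited_hits']}")
    # The delimited pattern still catches the real command.
    print("delimited hits on constructed FOR loop:",
          count_hits(DELIMITED_RE, WINDOWS_FOR_LOOP))
```

The arithmetic is the useful part: a 2-letter keyword matched case-insensitively lands about once per 1024 characters of base64, so a 4000-character SAMLResponse contains it with roughly 98% probability, while a 3-letter keyword is rarer but still routinely present in larger blobs. Requiring any character outside the base64 alphabet after the keyword drops the blob hits to zero without losing the constructed command, which is the kind of discriminator a FOR/IF pattern needs if it is to stay at PL1.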