Bypass SQL Injection Rules #comment symbol with logical operator should be blocked #797
Sorry, I just confused the OWASP CRS and Comodo WAF rules. I think I made a mistake. I just checked OWASP CRS 3 again with these payloads. libinjection detects these payloads below, so there is no way to bypass the SQL injection rules.
In case any application supports base64 encoding as an input for some purpose,
id is the point of entry for an attacker to try all injection attacks.
Check the demo video.
So OWASP CRS 3 is not able to detect a base64-encoded SQL injection payload unless the user customizes the rules to prevent these attacks, so we need to make it better for users to prevent these attacks.
We already discussed this problem and its solution in the issue Base 64 Encoding Payloads.
So we can implement it as an optional rule in OWASP CRS 3.
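As an added example (not part of the original thread and not a rule shipped with CRS), this is one way the optional rule suggested above could be written for ModSecurity: it decodes the `id` argument from base64 before handing it to libinjection. The rule id 10001, the message text and the minimum length in the pre-filter are assumptions for a local rule set.

```apache
# Added example, not CRS code. Rule id 10001 is a placeholder from the
# local-use id range; "id" is the parameter named in the comment above.
#
# Step 1 (pre-filter): only continue when the raw value looks like
# standard-alphabet base64, so ordinary numeric ids are not decoded.
# Step 2 (chained): decode the value, then run libinjection on the result.
SecRule ARGS:id "@rx ^[A-Za-z0-9+/]{8,}={0,2}$" \
    "id:10001,\
    phase:2,\
    block,\
    t:none,\
    msg:'SQL injection detected in base64-decoded argument',\
    logdata:'Matched parameter: %{MATCHED_VAR_NAME}',\
    tag:'attack-sqli',\
    severity:'CRITICAL',\
    chain"
    SecRule ARGS:id "@detectSQLi" \
        "t:none,t:base64Decode,t:urlDecodeUni"
```

The pre-filter matches only the standard base64 alphabet, so an application that accepts URL-safe base64 needs the pattern and the decoding step adjusted to match what it actually decodes.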
These are very similar to #782; perhaps we should combine the tickets. Love the /*! SQL-specific comment; that was in some of the research we just posted as well. I think we might be able to just look for that sequence, as I don't think it'd offer high FPs. Thoughts?
I am a bit overwhelmed with the different SQLi evasion tickets now. However, I get the feeling this one is distinct from #782. And we need to think about attaching new detection mechanisms to existing rules (vs. creating new rules).
Specific to this one: At what PL is this an evasion? (could check myself, but I am hungry now. :)
In ModSecurity 2.9.2, these payloads all produce alerts in PL1 thanks to libinjection. So I think we are good to go, and we can close this issue! Thanks for checking. :)