
SQLi bypass detection: ticks and backticks #1335

Open
wants to merge 4 commits into
base: v3.2/dev
from

Conversation

5 participants
@franbuehler
Collaborator

commented Apr 2, 2019

This PR resolves issue #1181 by adding a new rule 942510 at PL2 with severity CRITICAL.
Two ticks and backticks are detected.
Please have a look at issue #1181 for more information.

I am not sure if this new rule leads to false positives. I'm thankful for tests.

@emphazer

Collaborator

commented Apr 2, 2019

wow, now you give full throttle :-)
that's great!
I will test it for FPs.

@dune73

Collaborator

commented Apr 2, 2019

Very welcome PR. Thanks @franbuehler.

Unfortunately, Travis got the hiccups:

Sending build context to Docker daemon  8.704kB
Step 1/13 : FROM owasp/modsecurity:v2-ubuntu-apache
manifest for owasp/modsecurity:v2-ubuntu-apache not found

@theMiddleBlue

Collaborator

commented Apr 3, 2019

awesome! I can't match anything in my logs with that regex, and this sounds good to me :D Maybe it could be suitable for PL1?

@franbuehler

Collaborator Author

commented Apr 3, 2019

Thank you!!
Yes, I know. The tag v2-ubuntu-apache is missing.
It would be cool to move this rule to PL1. We would cover this bypass in the default installation.
I was afraid of false positives. If we don't have FPs, I will move this rule to PL1 🎉

@emphazer

Collaborator

commented Apr 3, 2019

@franbuehler please wait with moving to PL1 until I have finished my tests tomorrow.

@dune73

Collaborator

commented Apr 24, 2019

Any news here @emphazer?

Set string between ticks to a minimum of 2 and a maximum of 25 characters because of FP and add detection of base64-encoded strings
@franbuehler

Collaborator Author

commented Apr 26, 2019

In an English text FPs are possible:

Let's do this. Bla bla bla bla bla bla. We'll see....

That's why I added {2,25}.
The text between the ticks must be a minimum of 2 characters (if, for example) and a maximum of 25. 25 is a compromise: the lower this number (25), the lower the probability of FPs and the higher the probability of false negatives.
@emphazer also added Base64-encoded strings between the ticks to avoid evasions as described in #369.
Thank you for working with me on this rule, @emphazer!

@spartantri

Collaborator

commented Apr 26, 2019

Hi, PHP may not need the trailing = to decode properly; why not extract what looks like base64, decode it, and then do the checks? Also, this one is a pretty good candidate for a false positive nightmare; it matches
'my dog'
'your cat'

@emphazer

Collaborator

commented Apr 29, 2019

@spartantri we want to match base64-encoded stuff and don't care about what's inside.
For example 'EihwkakiFuosyONxLKpFVTtihFQTeorKbgWAOoip' or 'PD9waHAgCmVycm9yX3JlcG9ydGluZygwKTtzZXRfdGltZV9saW1pdCgwKTskYT1iYXNlNjRfZGVjb2RlKCJZIi4iWCIuIk4iLiJ6Ii4iWiIuIlgiLiJKIi4iMCIpOyRhKEAkeyJfUCIuIk8iLiJTIi4iVCJ9W3Jvc2VdKTs/Pg=='
Stuff like that is not very common in a normal CMS etc...

@franbuehler
could you raise the max number to 29 please?
In my tests I get the best results here with a minimum of FPs.
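The two checks this thread is tuning (a tick or backtick pair enclosing 2 to N non-tick characters, and a separate catch for a base64-looking run between ticks), as an added illustration that is not the PR's rule 942510 and not CRS code: the regexes below are my own approximation of the behaviour described in the comments, `MIN_B64_LEN` is a constructed threshold, and the base64 check deliberately does not require trailing `=` padding (spartantri's point). The sample inputs are the ones quoted in the thread plus two constructed ones, and `inspect` can be run with `max_len=25` and `max_len=29` to see what the requested change would alter.

```python
import re

# Constructed approximation of the "ticks and backticks" check discussed in the
# PR: a tick or backtick, then min_len..max_len characters that are not ticks,
# then a tick or backtick. The real rule's regex is not reproduced here.
def build_tick_rule(max_len, min_len=2):
    return re.compile(rf"['`]([^'`]{{{min_len},{max_len}}})['`]")

# Constructed threshold: a run of base64-alphabet characters at least this long
# is treated as "looks like base64". Padding is optional, since a decoder may
# accept unpadded input and an attacker need not supply the '='.
MIN_B64_LEN = 20
BASE64_RUN = re.compile(rf"[A-Za-z0-9+/]{{{MIN_B64_LEN},}}={{0,2}}")
B64_BETWEEN_TICKS = re.compile(rf"['`]([A-Za-z0-9+/=]{{{MIN_B64_LEN},}})['`]")


def looks_like_base64(s):
    """True if s is one unbroken base64-alphabet run with at most two '=' at the end."""
    return BASE64_RUN.fullmatch(s) is not None


def inspect(value, max_len=25):
    """Report which check (if any) fires on a single input value.

    Returns {"match": bool, "reason": "ticks" | "base64" | None, "inner": str | None}.
    The tick check has a length cap (the FP compromise from the thread); the
    base64 check has no cap, so long blobs between ticks are still caught.
    """
    m = build_tick_rule(max_len).search(value)
    if m:
        return {"match": True, "reason": "ticks", "inner": m.group(1)}
    m = B64_BETWEEN_TICKS.search(value)
    if m and looks_like_base64(m.group(1)):
        return {"match": True, "reason": "base64", "inner": m.group(1)}
    return {"match": False, "reason": None, "inner": None}


# Constructed corpus: the three strings quoted in the thread plus two made-up
# lines, so the effect of the length cap is visible side by side.
SAMPLES = [
    "'my dog'",                                                    # spartantri's FP example
    "Let's do this. Bla bla bla bla bla bla. We'll see....",       # franbuehler's English text
    "'EihwkakiFuosyONxLKpFVTtihFQTeorKbgWAOoip'",                  # emphazer's base64 example
    "`if`",                                                        # constructed: backtick variant
    "'the quick brown fox jumps o'",                               # constructed: 27 chars inside
]


def audit(samples, max_len=25):
    """Run inspect() over a list of values; returns a list of (value, reason)."""
    return [(s, inspect(s, max_len)["reason"]) for s in samples]


if __name__ == "__main__":
    for cap in (25, 29):
        print(f"--- max_len={cap} ---")
        for value, reason in audit(SAMPLES, cap):
            print(f"{reason or 'no match':9} {value}")
```

Running it shows the trade-off the thread is arguing about: the English sentence never matches because 38 characters separate its two apostrophes, `'my dog'` matches at either cap (the false-positive candidate), the 40-character base64 blob is caught only by the second check, and the constructed 27-character string flips from "no match" at 25 to "ticks" at 29.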

@dune73 dune73 added the Needs action label May 5, 2019

@dune73

Collaborator

commented May 5, 2019

Adding "needs action" label. Either raise as requested, or explain why 25 is OK.

Other than that this looks like something we could merge.
