Update util/regexp-assemble/data/942131.data

Co-authored-by: Max Leske <th3s3ion@gmail.com> Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
coreruleset · Mar 14, 2022 · 1839894 · 1839894
1 parent b1a0ca5
commit 1839894
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 34 deletions.
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -571,7 +571,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:not\s+between\s+(?:(?:(?:'[^']*')|(?:
 #
 # The chained rule then uses the assembled regexp from 942130.data to check for the right hand side of the logical query.
 #
-# To rebuild the regexp:
+# The regexp for the starter rule can't be generated at the moment.
+# For the chained rule, the regexp can be generated from the data file.
+#
 #   cd util/regexp-assemble
 #   ./regexp-assemble.py data/942130.data
 #
@@ -582,21 +584,21 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?" \
     capture,\
     t:none,t:urlDecodeUni,t:replaceComments,\
     msg:'SQL Injection Attack: SQL Boolean-based attack Detected',\
-    logdata:'Matched Data: %{TX.lhs_942130} found within %{MATCHED_VAR_NAME}',\
+    logdata:'Matched Data: %{tx.lhs_942130} found within %{MATCHED_VAR_NAME}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-sqli',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
-    tag:'PCI/6.5.2',\
+    tag:'PCI/6.5.02',\
     tag:'paranoia-level/2',\
     ver:'OWASP_CRS/3.4.0-dev',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.lhs_942130=%{TX.1}',\
     chain"
-    SecRule MATCHED_VAR "@rx (?i)(?:(?:r(?:egexp|like)|<=>|=)[\s'\"`()]*?(?:\b%{tx.lhs_942130}\b)|(?:sounds\s+)?like[\s'\"`()]*?(?:\b%?%{tx.lhs_942130}%?\b))" \
+    SecRule MATCHED_VARS "@rx (?i)(?:(?:r(?:egexp|like)|<=>|=)[\s'\"`()]*?(?:\b%{TX.lhs_942130}\b)|(?:sounds\s+)?like[\s'\"`()]*?(?:\b%?%{TX.lhs_942130}%?\b))" \
         "setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
         setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
@@ -605,8 +607,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?" \
 # The regexp written at the initial rule on the chain is the original prefix from the 942130.data.
 # When the prefix matches, we store the match to a new variable for comparing in the chained rule.
 #
+# The regexp for the starter rule can't be generated at the moment.
 # The chained rule then uses the assembled regexp from 942130.data to check for the right hand side of the logical query.
-# To rebuild the regexp:
+#
 #   cd util/regexp-assemble
 #   ./regexp-assemble.py data/942131.data
 #
@@ -631,7 +634,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?" \
     multiMatch,\
     setvar:'tx.lhs_942131=%{TX.1}',\
     chain"
-    SecRule MATCHED_VAR "!@rx (?i)(?:not\s+(?:r(?:egexp|like)[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)|like[\s'\"`()]*?(?:d\b%{tx.lhs_942131}\b))|(?:is\s+not|![<=>]|<[=>]?|>=?|\^)[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b))" \
+    SecRule MATCHED_VARS "!@rx (?i)(?:not\s+(?:r(?:egexp|like)[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)|like[\s'\"`()]*?(?:d\b%{TX.lhs_942131}\b))|(?:is\s+not|![<=>]|<[=>]?|>=?|\^)[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b))" \
         "setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
         setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 

diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
@@ -17,6 +17,7 @@ tests:
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             method: POST
             port: 80
+            uri: /post
             data: "var=%221%22%20sSOUNDS%20LIKE%20%22SOUNDS%20LIKE%201&other_var=test"
             version: HTTP/1.0
           output:
@@ -32,7 +33,7 @@ tests:
               User-Agent: OWASP ModSecurity Core Rule Set
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             method: GET
-            uri: "/?a=1=1"
+            uri: "/get?a=1=1"
             version: HTTP/1.1
           output:
             log_contains: id "942130"
@@ -47,7 +48,7 @@ tests:
               User-Agent: OWASP ModSecurity Core Rule Set
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             method: GET
-            uri: "/?a=11=1"
+            uri: "/get?a=11=1"
             version: HTTP/1.1
           output:
             no_log_contains: id "942130"
@@ -62,7 +63,7 @@ tests:
               User-Agent: OWASP ModSecurity Core Rule Set
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             method: GET
-            uri: "/?a=1=11"
+            uri: "/get?a=1=11"
             version: HTTP/1.1
           output:
             no_log_contains: id "942130"
@@ -77,7 +78,7 @@ tests:
               User-Agent: OWASP ModSecurity Core Rule Set
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             method: GET
-            uri: "/?a=11!=11"
+            uri: "/get?a=11!=11"
             version: HTTP/1.1
           output:
             no_log_contains: id "942130"
@@ -92,7 +93,7 @@ tests:
               User-Agent: OWASP ModSecurity Core Rule Set
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             method: GET
-            uri: "/?a=b,1=1"
+            uri: "/get?a=b,1=1"
             version: HTTP/1.1
           output:
             log_contains: id "942130"
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml
@@ -16,7 +16,7 @@ tests:
               User-Agent: OWASP ModSecurity Core Rule Set
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             method: GET
-            uri: "/?a=11!=1"
+            uri: "/get?a=11!=1"
             version: HTTP/1.1
           output:
             log_contains: id "942131"
@@ -31,7 +31,7 @@ tests:
               User-Agent: OWASP ModSecurity Core Rule Set
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             method: GET
-            uri: "/?a=1!=11"
+            uri: "/get?a=1!=11"
             version: HTTP/1.1
           output:
             log_contains: id "942131"
@@ -46,7 +46,7 @@ tests:
               User-Agent: OWASP ModSecurity Core Rule Set
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             method: GET
-            uri: "/?a=11!=11"
+            uri: "/get?a=11!=11"
             version: HTTP/1.1
           output:
             no_log_contains: id "942131"
diff --git a/util/regexp-assemble/data/942130.data b/util/regexp-assemble/data/942130.data
@@ -42,16 +42,16 @@
 ##! 'f' like 'f'
 
 ##! This one will also match the "equal" part of '<=' and '>='
-=[\s'\"`()]*?(?:\b%{tx.lhs_942130}\b)
+=[\s'\"`()]*?(?:\b%{TX.lhs_942130}\b)
 
-<=>[\s'\"`()]*?(?:\b%{tx.lhs_942130}\b)
+<=>[\s'\"`()]*?(?:\b%{TX.lhs_942130}\b)
 
 ##! Like queries allow you to use wilcards: '%'
 
-like[\s'\"`()]*?(?:\b%?%{tx.lhs_942130}%?\b)
-sounds\s+like[\s'\"`()]*?(?:\b%?%{tx.lhs_942130}%?\b)
+like[\s'\"`()]*?(?:\b%?%{TX.lhs_942130}%?\b)
+sounds\s+like[\s'\"`()]*?(?:\b%?%{TX.lhs_942130}%?\b)
 
 ##! String based regexp. These don't use % as wildcard.
-rlike[\s'\"`()]*?(?:\b%{tx.lhs_942130}\b)
-regexp[\s'\"`()]*?(?:\b%{tx.lhs_942130}\b)
+rlike[\s'\"`()]*?(?:\b%{TX.lhs_942130}\b)
+regexp[\s'\"`()]*?(?:\b%{TX.lhs_942130}\b)
 
diff --git a/util/regexp-assemble/data/942131.data b/util/regexp-assemble/data/942131.data
@@ -35,28 +35,31 @@
 
 ##! These expressions try to match the logic using the negative operator,
 ##! so when the operator targets a false operation, the initial match
-##! should *not* be present after the operator, effectively meaning TRUE
+##! should *not* be present after the operator, effectively meaning TRUE.
+##! NOTE: The expressions actually *do* try to match the left hand side of the
+##!       operation. We use the "inversion operator" (`!@rx`) to make the rule
+##!       execute when the expression *doesn't* match.
 ##!
 ##! Examples:
 ##! '1' <= '2'
 ##! 'a' not like 'b'
 ##!
 ##! SQL Comparison Operators: =, !=, <=, >=, <>, <, >, !>, !<, ^
 
-\!=[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
-<>[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
-<[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
-\!<[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
->[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
-\!>[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
-<=[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
->=[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
-\^[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
+\!=[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)
+<>[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)
+<[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)
+\!<[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)
+>[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)
+\!>[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)
+<=[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)
+>=[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)
+\^[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)
 
-is\s+not[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
-not\s+like[\s'\"`()]*?(?:d\b%{tx.lhs_942131}\b)
+is\s+not[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)
+not\s+like[\s'\"`()]*?(?:d\b%{TX.lhs_942131}\b)
 
 ##! String based regexp.
 
-not\s+rlike[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
-not\s+regexp[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b)
+not\s+rlike[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)
+not\s+regexp[\s'\"`()]*?(?:\b%{TX.lhs_942131}\b)