-
-
Notifications
You must be signed in to change notification settings - Fork 356
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SQLi using set var at PL2 #1793
SQLi using set var at PL2 #1793
Conversation
Looked a bit into this rule and ran it on some trafic: it doesn't trigger too much but still raise a few false positives on passwords. We're also seeing a few false positives on semi-formatted data from the POST body but overall, it looks fine on our end. |
Sorry, I can't understand this statement. Can you attach an example? A password should be a free input text and if a user chooses a password like
Please, if you can share them it would be really helpful to improve this rule.
Yes, because (IMO) |
We run it a bit further and it actually started to trigger on scans :D Appear to overlap slightly with 942190, but it may be because it was a complex payload.
The actual exemples are redacted, but not too hard to imagine: you just need to following expression somewhere in the password:
I'm seeing payloads like this, although not sure where they come from:
Thanks a lot for the rationale, that makes a ton of sense! Could you add it in the rule's header to explain where this design came from? Will likely be useful in the future! |
Yes but this is not only related to this rule. It is true for all CRS libinjection rules or XSS rules when a random string or base64 encoded string is provided. For example |
I agree, but when possible we should try to minimize it. My point isn't to be completely resilient from false positives in free text (I agree it'll be tricky) but to contextualize patterns a bit when there are low hanging fruits. Is your point that we should keep the patterns as broad as possible, or that what I'm identifying as a low hanging fruit (looking for a |
I'm a bit late to the show, but here is the summary of the discussion about this PR during the project chat in July 2020. "We want better documentation, better / more tests and the rule stays in PL2 kindergarden until it is proven to have only very few FPs. It can still be in PL1 for 3.4, but per default it goes to PL2." |
@theMiddleBlue : Could you shift this to PL2 please. We'll merge as soon this is done. |
TODO from meeting:
|
rule moved to PL2 |
This was supposed to be merged after the November meeting. Time to do this. Thank you @theMiddleBlue. |
Referring to #1727 this new rule tries to block SQLi payload that uses MySQL set variable syntax at PL1.