libinjection icon indicating copy to clipboard operation
libinjection copied to clipboard
verified publisher icon client9

942100: False positive

Open osamamaruf opened this issue 6 years ago • 1 comments

False Positive

Mod security using libinjection blocks a valid request having [0: 006--u-m4YIaIyga-cq8yK] as payload.

Description

ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within ARGS:json.array_0: 006--u-m4YIaIyga-cq8yK"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [hostname "XXXXX"] [uri "/some/url"] [unique_id "XXXXX"] [ref "XXX"]
ModSecurity: Access denied with code 302 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "44"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "XXXXX"] [uri "/some/url"] [unique_id "XXXXX"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "65"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "XXXXX"] [uri "/some/url"] [unique_id "XXXXX"] [ref ""]

Your Environment

  • CRS version (v3.0.0)
  • ModSecurity version (3.0.2)
  • Web Server and version (Nginx 1.15.9)

From: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1416

osamamaruf avatar May 17 '19 20:05 osamamaruf

@osamamaruf Is this resolved?

I'm also facing the same issue. Please let me know if you found any solution for this.

https://github.com/client9/libinjection/issues/161

Thanks,

shekharcloudengg123 avatar Jan 11 '23 14:01 shekharcloudengg123