libinjection

False Positive Numeric number followed by double hyphen 9--aB7mnS7GdA3IQ

Open shekharcloudengg123 opened this issue 3 years ago • 2 comments

ModSecurity blocks a valid request having 9--aB7mnS7GdA3IQ

ModSecurity: Access denied with code 403 (phase 2). detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within ARGS:json.Payload.DataList.array_0.messageId: 9--aP6mnZ21eK1mPQRA6IR"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"]

shekharcloudengg123, Jan 11 '23 14:01

I am having the same issue.

ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within REQUEST_COOKIES:_dformulary_session: 143/cPXRino5TZio34qdNa6u5aHLx5M0H73stDiOslGSSfaVfWSKgH4F3MKWZE1bSEodrvdvKpRXb4NTCjh11g1A... (203 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"]

yusdirman, Oct 18 '23 06:10

I'm having the same issue. Some users add double hyphens to phone numbers by accident.

No big issue for me, but still it's present:

```
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsecurity.d/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within ARGS:editContact:phoneNr:input: 063261234--0"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.56.37"] [uri "/kde/contacts.xhtml"] [unique_id "171394181187.536843"] [ref "v2773,12"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5' against variable TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: 5' ) [file "/etc/nginx/modsecurity.d/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "192.168.56.37"] [uri "/kde/contacts.xhtml"] [unique_id "171394181187.536843"] [ref ""]
```

Sico93, Apr 24 '24 08:04
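
Added example, not part of the original thread and not code from libinjection or the CRS project: a small Python triage helper that parses a rule 942100 log line in the format quoted above, checks whether the flagged value is a plain alphanumeric token with a digit followed by `--` (the shape in the issue title), and returns a candidate per-target exclusion for manual review. The sample line is constructed from the format shown in the thread, the function names are hypothetical, and `SecRuleUpdateTargetById` is the standard ModSecurity directive for excluding a target from a rule.

```python
import re

# Constructed sample in the log format quoted in this thread (fields shortened).
SAMPLE_LOG = (
    'ModSecurity: Warning. detected SQLi using libinjection. '
    '[file "/etc/nginx/modsecurity.d/coreruleset/rules/'
    'REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] '
    '[msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: 1c found within ARGS:editContact:phoneNr:input: '
    '063261234--0"] [severity "2"] [tag "attack-sqli"] [tag "OWASP_CRS"] '
    '[uri "/kde/contacts.xhtml"]'
)

# One [key "value"] field; the value may contain backslash-escaped characters.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Layout of the [data] field for libinjection hits as it appears in the thread.
DATA_RE = re.compile(r"Matched Data: (\S+) found within (\S+): (.*)", re.S)
# Shape from the issue title: a digit, then "--", inside an otherwise
# alphanumeric token (message ID, phone number). Spaces, quotes or operators
# anywhere in the value make it fall outside this pattern.
ID_WITH_DASHES_RE = re.compile(r"[A-Za-z0-9]*\d--[A-Za-z0-9]*")


def parse_hit(line):
    """Return rule id, uri, fingerprint, variable and value, or None."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)  # keep the first of repeated keys like [tag]
    m = DATA_RE.fullmatch(fields.get("data", ""))
    if m is None:
        return None
    fingerprint, variable, value = m.groups()
    return {"rule_id": fields.get("id"), "uri": fields.get("uri"),
            "fingerprint": fingerprint, "variable": variable, "value": value}


def candidate_exclusion(hit):
    """Suggest a per-target exclusion only for the narrow benign-looking shape."""
    if hit is None or hit["rule_id"] != "942100":
        return None
    if not ID_WITH_DASHES_RE.fullmatch(hit["value"]):
        return None  # anything beyond letters, digits and "--": leave it blocked
    return 'SecRuleUpdateTargetById 942100 "!%s"' % hit["variable"]


if __name__ == "__main__":
    hit = parse_hit(SAMPLE_LOG)
    print(hit)
    print(candidate_exclusion(hit))
```

The returned directive is a suggestion to review against the application's expected input for that parameter, not something to apply automatically.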