client9 / libinjection

SQL / SQLI tokenizer parser analyzer

False Positive Numeric number followed by double hyphen 9--aB7mnS7GdA3IQ #161

Open shekharcloudengg123 opened 1 year ago

shekharcloudengg123 commented 1 year ago

ModSecurity blocks a valid request having 9--aB7mnS7GdA3IQ

ModSecurity: Access denied with code 403 (phase 2). detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within ARGS:json.Payload.DataList.array_0.messageId: 9--aP6mnZ21eK1mPQRA6IR"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"]

yusdirman commented 10 months ago

I am having the same issue.

ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within REQUEST_COOKIES:_dformulary_session: 143/cPXRino5TZio34qdNa6u5aHLx5M0H73stDiOslGSSfaVfWSKgH4F3MKWZE1bSEodrvdvKpRXb4NTCjh11g1A... (203 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"]

Sico93 commented 4 months ago

I'm having the same issue. Some users add double hyphens to phone numbers by accident.

No big issue for me, but it's still present:

```
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsecurity.d/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within ARGS:editContact:phoneNr:input: 063261234--0"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.56.37"] [uri "/kde/contacts.xhtml"] [unique_id "171394181187.536843"] [ref "v2773,12"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsecurity.d/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "192.168.56.37"] [uri "/kde/contacts.xhtml"] [unique_id "171394181187.536843"] [ref ""]
```
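Added example, not part of the issue thread or of libinjection's own code: a triage helper that pulls the fingerprint, variable and value out of log lines like the ones above and emits a per-field `SecRuleUpdateTargetById` exclusion, so rule 942100 stays enabled everywhere else. The `1c` fingerprint in these logs is libinjection's token string for a number followed by a comment, which is how `9--...` and `063261234--0` tokenize. The sample lines are constructed (shortened from the logs in this thread), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines, shortened from the log excerpts in this thread.
SAMPLE_LOG = [
    'ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] '
    '[data "Matched Data: 1c found within ARGS:editContact:phoneNr:input: 063261234--0"] '
    '[uri "/kde/contacts.xhtml"]',
    'ModSecurity: Access denied with code 403 (phase 2). detected SQLi using libinjection. '
    '[id "942100"] [data "Matched Data: 1c found within '
    'ARGS:json.Payload.DataList.array_0.messageId: 9--aP6mnZ21eK1mPQRA6IR"]',
    'ModSecurity: Access denied with code 403 (phase 2). [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""]',
]

# [key "value"] pairs as ModSecurity writes them; repeated keys (tag) collapse.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
MATCHED = re.compile(r'Matched Data: (\S+) found within (\S+): (.*)')
# libinjection token classes seen in this thread: '1' = number, 'c' = comment.
TOKEN_NAMES = {"1": "number", "c": "comment"}


def parse_hit(line):
    """Return a dict for a libinjection hit, or None for any other log line."""
    fields = dict(FIELD.findall(line))
    m = MATCHED.match(fields.get("data", ""))
    if not m:
        return None
    fingerprint, variable, value = m.groups()
    return {"id": fields.get("id"), "fingerprint": fingerprint,
            "variable": variable, "value": value,
            "tokens": [TOKEN_NAMES.get(ch, "?") for ch in fingerprint]}


def exclusions(lines):
    """Build one narrow target exclusion per (rule id, variable) pair."""
    targets = defaultdict(set)
    for hit in filter(None, map(parse_hit, lines)):
        targets[hit["id"]].add(hit["variable"])
    return [f'SecRuleUpdateTargetById {rid} "!{var}"'
            for rid in sorted(targets) for var in sorted(targets[rid])]


if __name__ == "__main__":
    for directive in exclusions(SAMPLE_LOG):
        print(directive)
```

Review each emitted directive before deploying it: a target exclusion stops rule 942100 from inspecting that field at all, so it belongs only on fields whose values are validated elsewhere.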