dangquocthai / owaspbwa

Automatically exported from code.google.com/p/owaspbwa
0 stars 0 forks source link

SQL Keyword Anomaly Scoring #61

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
#
# SQL Keyword Anomaly Scoring:
I am having issues fine tuning all SQL rules for a COTS product.  This relates 
to the ID 981301 - 981316 with 981317.
I get a 403 from 918317 related to the previous SecRules because of the keyword 
count trigger.
Would the keyword in 301-316 be triggered by variables names having SQL 
keywords in the var name, such as:
 "search.selectedJobFamily.value" (981301 - select)...
I have two variables with the word select and one with the keyword from.  The 
audit log shows 301 and 305 as the hits and the kewords are found in the var 
names.

Also,
 I have two variables where users can enter an entire resume, so most, if not all of the SQL keywords in the SQL rules 301-316 will get hit!  

I have seen the use SecRuleUpdateById in conjunction of !ARGS:<var> used, but 
301-316 uses TX:SQLI….. How do I use the SecRuleUpdateById with TX vs ARGS, 
and or 
what is the best way to allow all words for these two variables and not set off 
the SQL triggers.

Thank you
Steve

Original issue reported on code.google.com by scan...@jpl.nasa.gov on 20 Jul 2012 at 4:43

GoogleCodeExporter commented 9 years ago
I believe that you are in the wrong place.  This issue tracker is for the OWASP 
Broken Web Applications project.  It sounds like your question is about 
ModSecurity (or perhaps a specific rule set).  If so, please visit 
http://www.modsecurity.org/ to find resources.

Original comment by chuck.f....@gmail.com on 24 Jul 2012 at 4:40