libinjection / libinjection

SQL / SQLI tokenizer parser analyzer

False-Positive with fingerprint sos (OWASP CoreRuleSet Rule 942100) #45

Open ChrLau opened 1 year ago

ChrLau commented 1 year ago

Hi,

we are currently running mod_security2 with the OWASP CoreRuleSet (CRS) in version 3.3.4. And we get false-positive matches because of a user-defined XML-Filter for a GIS application. It's somehow detected as an SQL-injection attack.

The full GET-Request from the ModSecurity AuditLog is as follows:

--22b76f48-B--
GET /ogc-free-data.ows?REQUEST=GetFeature&SERVICE=WFS&MAXFEATURES=1001&VERSION=1.1.0&TYPENAME=flst&srsName=EPSG:25832&FILTER=%3CFilter%3E%3CAnd%3E%3CPropertyIsEqualTo+escape%3D%27%2F%27%3E%3CPropertyName%3EFS_GKNR%3C%2FPropertyName%3E%3CLiteral%3E2730%3C%2FLiteral%3E%3C%2FPropertyIsEqualTo%3E%3CPropertyIsEqualTo+escape%3D%27%2F%27%3E%3CPropertyName%3EGK_GKBEZ%3C%2FPropertyName%3E%3CLiteral%3ELingelbach%3C%2FLiteral%3E%3C%2FPropertyIsEqualTo%3E%3CPropertyIsEqualTo+escape%3D%27%2F%27%3E%3CPropertyName%3EFS_FLNR%3C%2FPropertyName%3E%3CLiteral%3E4%3C%2FLiteral%3E%3C%2FPropertyIsEqualTo%3E%3CPropertyIsEqualTo+escape%3D%27%2F%27%3E%3CPropertyName%3EFS_FSZ%3C%2FPropertyName%3E%3CLiteral%3E1%3C%2FLiteral%3E%3C%2FPropertyIsEqualTo%3E%3C%2FAnd%3E%3C%2FFilter%3E HTTP/1.1
Content-Type: application/xml; charset=ISO-8859-1
User-Agent: Jakarta Commons-HttpClient/3.1
Host: host.tld

And the ModSecurity message is:

Message: Warning. detected SQLi using libinjection with fingerprint 'sos' [file "/etc/apache2/mod_security2.d/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: sos found within ARGS:FILTER: <Filter><And><PropertyIsEqualTo escape='/'><PropertyName>FS_GKNR</PropertyName><Literal>2730</Literal></PropertyIsEqualTo><PropertyIsEqualTo escape='/'><PropertyName>GK_GKBEZ</PropertyName><Literal>Lingelbach</Literal></PropertyIsEqualTo><PropertyIsEqualTo escape='/'><PropertyName>FS_FLNR</PropertyName><Literal>4</Literal></PropertyIsEqualTo><PropertyIsEqualTo escape='/'><PropertyName>FS_FSZ</PropertyName><Literal>1</Literal></PropertyIsEqualTo></And></Filter>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"]

fingerprints2sqli.py says the fingerprint sos equals the following string:

user@host:~/git/libinjection/src (main)$ ./fingerprints2sqli.py | grep '^sos \"'
sos "1" * "1"

But the string "1" * "1" isn't found in the GET-Request.

Switching to the v3.10.0 tag, compiling libinjection_sqli.c with gcc -Wall -Wextra example1.c libinjection_sqli.c and running the decoded Filter from the GET-Request against it, indeed returns: sqli with fingerprint of 'sos'

user@host:~/git/libinjection/src (main)$ git checkout v3.10.0
user@host:~/git/libinjection/src ((v3.10.0))$ gcc -Wall -Wextra example1.c libinjection_sqli.c
user@host:~/git/libinjection/src ((v3.10.0))$ ./a.out "<Filter><And><PropertyIsEqualTo escape='/'><PropertyName>FS_GKNR</PropertyName><Literal>2730</Literal></PropertyIsEqualTo><PropertyIsEqualTo escape='/'><PropertyName>GK_GKBEZ</PropertyName><Literal>Lingelbach</Literal></PropertyIsEqualTo><PropertyIsEqualTo escape='/'><PropertyName>FS_FLNR</PropertyName><Literal>4</Literal></PropertyIsEqualTo><PropertyIsEqualTo escape='/'><PropertyName>FS_FSZ</PropertyName><Literal>1</Literal></PropertyIsEqualTo></And></Filter>"
sqli with fingerprint of 'sos'

Currently I defined an exemption rule for the affected URIs. But it would be great if this could be fixed in libinjection.
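The exemption rule the reporter mentions, written out as an added example of how narrowly such a ModSecurity exclusion can be scoped, with the too-broad variants beside it (this is not the reporter's own rule; the rule id 1000001 and the placement in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf are assumptions, the endpoint path and rule number come from the audit log above):

```apache
# Added example, not the reporter's configuration.
# Assumptions: this runtime exclusion is loaded before the CRS rules
# (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) and id 1000001 is unused.

# Too broad: switches rule 942100 off for every URI and every argument,
# so libinjection no longer inspects any request at all.
# (configure-time directive, must come after the CRS rules are loaded)
#SecRuleRemoveById 942100

# Still broad: drops ARGS:FILTER from rule 942100 on every URI, not only
# on the WFS endpoint that produces the false positive.
# (configure-time directive, must come after the CRS rules are loaded)
#SecRuleUpdateTargetById 942100 "!ARGS:FILTER"

# Narrow: only the WFS endpoint, only the FILTER argument. Rule 942100
# still inspects every other argument, header and cookie of the same
# request, and every other URI is unaffected.
SecRule REQUEST_URI "@beginsWith /ogc-free-data.ows" \
    "id:1000001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:FILTER"
```

Keeping the commented-out variants in the file documents why the narrow form was chosen when the exclusion is reviewed later.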

dankegel commented 5 months ago

fingerprints2sqli.py is not really useful for users (it's for demiwizards).

But your example does look like a real false positive in libinjection :-(

fzipi commented 5 months ago

To my understanding, fingerprint sos means that, based on this enum, it has detected a STRING OPERATOR STRING sequence.