This repository has been archived by the owner on May 14, 2020. It is now read-only.

False positive on Cyrillic input 942120 (PL2) #823

Closed
lifeforms opened this issue Jun 24, 2017 · 8 comments
Labels
False Positive Stale issue This issue has been open 120 days with no activity.

Comments

@lifeforms
Contributor

lifeforms commented Jun 24, 2017

This is a different rule from #794 although the mechanism is comparable.

Input: name=%D1%81%D0%B5%D1%80%D0%BF+%D0%B8+%D0%BC%D0%BE%D0%BB%D0%BE%D1%82

Decoded: серп и молот

Result: Matched Data: <> found within ARGS:name: A5@? 8 <>;>B

Log: Message: Warning. Pattern match "(?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|\\bxor\\b|\\brlike\\b|\\bregexp\\b|\\bisnull\\b)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:\\bxor\\b|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+ ..." at ARGS:name. [file "/usr/local/etc/apache24/security2/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "526"] [id "942120"] [rev "3"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: <> found within ARGS:name: A5@? 8 <>;>B"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"]

The problem is %D0%BC%D0%BE getting decoded to <>.

@lifeforms lifeforms changed the title False positive on Cyrillic input 942120 False positive on Cyrillic input 942120 (PL2) Jun 24, 2017
@dune73
Contributor

dune73 commented Jun 27, 2017

I am not able to reproduce this.

curl localhost -d 'name=%D1%81%D0%B5%D1%80%D0%BF+%D0%B8+%D0%BC%D0%BE%D0%BB%D0%BE%D1%82' --trace-ascii -
== Info: Rebuilt URL to: localhost/
== Info:   Trying 127.0.0.1...
== Info: Connected to localhost (127.0.0.1) port 80 (#0)
=> Send header, 143 bytes (0x8f)
0000: POST / HTTP/1.1
0011: Host: localhost
0022: User-Agent: curl/7.50.1
003b: Accept: */*
0048: Content-Length: 67
005c: Content-Type: application/x-www-form-urlencoded
008d: 
=> Send data, 67 bytes (0x43)
0000: name=%D1%81%D0%B5%D1%80%D0%BF+%D0%B8+%D0%BC%D0%BE%D0%BB%D0%BE%D1
0040: %82
== Info: upload completely sent off: 67 out of 67 bytes
<= Recv header, 17 bytes (0x11)
0000: HTTP/1.1 200 OK
<= Recv header, 37 bytes (0x25)
0000: Date: Tue, 27 Jun 2017 06:30:11 GMT
<= Recv header, 16 bytes (0x10)
0000: Server: Apache
<= Recv header, 46 bytes (0x2e)
0000: Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
<= Recv header, 26 bytes (0x1a)
0000: ETag: "2d-432a5e4a73a80"
<= Recv header, 22 bytes (0x16)
0000: Accept-Ranges: bytes
<= Recv header, 20 bytes (0x14)
0000: Content-Length: 45
<= Recv header, 25 bytes (0x19)
0000: Content-Type: text/html
<= Recv header, 2 bytes (0x2)
0000: 
<= Recv data, 45 bytes (0x2d)
0000: <html><body><h1>It works!</h1></body></html>.
<html><body><h1>It works!</h1></body></html>

No alert written.

Can you please provide the full call?

@lifeforms
Contributor Author

Are you running in PL2? curl -v 'http://localhost/?name=%D1%81%D0%B5%D1%80%D0%BF+%D0%B8+%D0%BC%D0%BE%D0%BB%D0%BE%D1%82' should do it.

@dune73
Contributor

dune73 commented Jun 27, 2017

Confirm.

Believe it or not, I managed to lose my 942 file without noticing it. I'm such a n00b.

Full debug log:

[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][5] Rule 563e2ae077a8: SecRule "ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|\\bxor\\b|\\brlike\\b|\\bregexp\\b|\\bisnull\\b)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:\\bxor\\b|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" "phase:request,log,auditlog,rev:3,ver:OWASP_CRS/3.0.0,maturity:9,accuracy:8,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,block,msg:'SQL Injection Attack: SQL Operator Detected',id:942120,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:CRITICAL,tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-sqli,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,tag:paranoia-level/2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{match
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][4] Expanded "ARGS_NAMES|ARGS|XML:/*" to "ARGS_NAMES:name|ARGS:name".
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] T (0) Utf8toUnicode: "name"
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] T (0) urlDecodeUni: "name"
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][4] Transformation completed in 3 usec.
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][4] Executing operator "rx" with param "(?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|\\bxor\\b|\\brlike\\b|\\bregexp\\b|\\bisnull\\b)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:\\bxor\\b|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" against ARGS_NAMES:name.
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Target value: "name"
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][4] Operator completed in 2 usec.
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] T (0) Utf8toUnicode: "%u0441%u0435%u0440%u043f %u0438 %u043c%u043e%u043b%u043e%u0442"
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] T (0) urlDecodeUni: "A5@? 8 <>;>B"
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][4] Transformation completed in 3 usec.
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][4] Executing operator "rx" with param "(?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|\\bxor\\b|\\brlike\\b|\\bregexp\\b|\\bisnull\\b)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:\\bxor\\b|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" against ARGS:name.
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Target value: "A5@? 8 <>;>B"
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Added regex subexpression to TX.0: <>
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Added regex subexpression to TX.1: <>
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][4] Operator completed in 10 usec.
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Setting variable: tx.msg=%{rule.msg}
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Resolved macro %{rule.msg} to: SQL Injection Attack: SQL Operator Detected
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Set variable "tx.msg" to "SQL Injection Attack: SQL Operator Detected".
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Setting variable: tx.sql_injection_score=+%{tx.critical_anomaly_score}
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Recorded original collection variable: tx.sql_injection_score = "0"
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Resolved macro %{tx.critical_anomaly_score} to: 5
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Relative change: sql_injection_score=0+5
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Set variable "tx.sql_injection_score" to "5".
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Setting variable: tx.anomaly_score=+%{tx.critical_anomaly_score}
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Recorded original collection variable: tx.anomaly_score = "0"
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Resolved macro %{tx.critical_anomaly_score} to: 5
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Relative change: anomaly_score=0+5
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Set variable "tx.anomaly_score" to "5".
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Setting variable: tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Resolved macro %{rule.id} to: 942120
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Resolved macro %{matched_var_name} to: ARGS:name
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Resolved macro %{tx.0} to: <>
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Set variable "tx.942120-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:name" to "<>".
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Resolved macro %{TX.0} to: <>
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Resolved macro %{MATCHED_VAR_NAME} to: ARGS:name
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][9] Resolved macro %{MATCHED_VAR} to: A5@? 8 <>;>B
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][2] Warning. Pattern match "(?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|\\bxor\\b|\\brlike\\b|\\bregexp\\b|\\bisnull\\b)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:\\bxor\\b|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+ ..." at ARGS:name. [file "/home/dune73/data/git/crs-official/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "526"] [id "942120"] [rev "3"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: <> found within ARGS:name: A5@? 8 <>;>B"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"]
[27/Jun/2017:09:51:58 +0200] [localhost/sid#563e2b75ec90][rid#7f6b90002970][/][4] Rule returned 1.
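The debug log above shows the mechanism end to end: `t:utf8toUnicode` rewrites each Cyrillic code point as `%uXXXX`, and `t:urlDecodeUni` then keeps only the low byte of each `%uXXXX`, so U+043C (м) becomes `<` and U+043E (о) becomes `>`, which is exactly the `<>` operator that 942120 looks for. The following script is an added example, not code from this thread or from the CRS/ModSecurity projects; it models those two transformations (labelled as a model, with the full-width adjustment that ModSecurity's `urlDecodeUni` applies), runs the rule's own regex from the log over the decoded value, and enumerates which Cyrillic letters collide with SQL-operator characters, so a site owner can predict which words will trip this rule at PL2 before tuning an exclusion.

```python
import re
import string

# Regex of CRS 3.0.0 rule 942120 as printed in the debug log above. The log
# shows C-string escaping (doubled backslashes); this is the pattern itself.
RULE_942120 = re.compile(
    r'(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|\bxor\b|\brlike\b|\bregexp\b|\bisnull\b)'
    r'|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)'
    r'|(?:(?:^|\W)in[+\s]*\([\s\d"]+[^()]*\))'
    r'|(?:\bxor\b|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary))'
)


def utf8_to_unicode(value: str) -> str:
    """Model (assumption) of t:utf8toUnicode: every non-ASCII code point is
    rewritten as %uXXXX with four lowercase hex digits, ASCII passes through."""
    return ''.join(ch if ord(ch) < 0x80 else '%%u%04x' % ord(ch) for ch in value)


def url_decode_uni(value: str) -> str:
    """Model (assumption) of how t:urlDecodeUni treats %uXXXX: only the low
    byte survives, with +0x20 for full-width ASCII (U+FF01..U+FF5E). This
    is the step that turns U+043C 'м' into '<' and U+043E 'о' into '>'."""
    out = []
    i = 0
    while i < len(value):
        if (value[i] == '%' and i + 5 < len(value) and value[i + 1] in 'uU'
                and all(c in string.hexdigits for c in value[i + 2:i + 6])):
            low = int(value[i + 4:i + 6], 16)
            if 0 < low < 0x5f and value[i + 2:i + 4].lower() == 'ff':
                low += 0x20
            out.append(chr(low))
            i += 6
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def transform(value: str) -> str:
    """Apply the rule's transformation chain: t:utf8toUnicode, t:urlDecodeUni."""
    return url_decode_uni(utf8_to_unicode(value))


def matched_operator(value: str):
    """Return the text 942120 would report as TX.0 for this ARGS value, or None."""
    m = RULE_942120.search(transform(value))
    return m.group(0) if m else None


def colliding_cyrillic() -> dict:
    """Cyrillic letters (U+0400..U+04FF) whose low byte is one of the
    operator characters 942120 keys on, mapped to that ASCII character."""
    ops = set('<>=!&|')
    return {chr(cp): chr(cp & 0xff) for cp in range(0x0400, 0x0500)
            if chr(cp & 0xff) in ops}


if __name__ == '__main__':
    # Sample values are constructed for this example.
    for sample in ['серп и молот', 'он', 'привет', '1 <> 2']:
        print(f'{sample!r:16} -> {transform(sample)!r:16} TX.0={matched_operator(sample)!r}')
    print('colliding letters:', colliding_cyrillic())
```

Running it reproduces the log's `A5@? 8 <>;>B` for `серп и молот` and shows that plain Russian words such as `он` (decoded to `>=`) hit the same rule, which is why the thread treats this as a character-set problem rather than a one-off regex fix; the per-argument exclusion mentioned later in the thread (`SecRuleUpdateTargetById 942120 !ARGS:name`) is the targeted mitigation until that is addressed.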

@lifeforms lifeforms added this to the CRS v3.1.0 milestone Jul 3, 2017
@spartantri
Contributor

Hi @lifeforms, @dune73, is anyone doing something to fix this? Any ideas? I have a few Cyrillic sites and this is a very welcome fix.

@dune73
Contributor

dune73 commented Jan 16, 2018

No, not really. It's also part of a bigger problem with Cyrillic character sets.

So maybe a quick fix here and somebody making the bigger problem his/her problem.

@spartantri
Contributor

I guess we should close this issue, as at the CRS level what can be done is a user configuration to white-list the argument (e.g. SecRuleUpdateTargetById 942120 !ARGS:name). Or are we planning to actually have some sort of workaround to check if the possibly conflicting characters in the Cyrillic alphabet are present, to then do a run-time bypass of the known offending rules?
If we go for the latter, then a frequency analysis on the text could be implemented as a complementary script, but I think this analysis is available for the English language only (for freq.py).

@fgsch fgsch removed this from the CRS v3.1.0 milestone Oct 20, 2019
@github-actions

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

@github-actions github-actions bot added the Stale issue This issue has been open 120 days with no activity. label Feb 18, 2020
@github-actions github-actions bot closed this as completed Mar 3, 2020
@dune73
Contributor

dune73 commented Mar 4, 2020

Decision during the CRS project chat on March 2, 2020: This has been stale far too long. We are closing this - let the bot close it and try to find somebody working on Unicode support in general and not limited to one isolated finding.

#1683 (comment)
