
So I was able to wrangle several other ModSecurity rules giving false positives for other situations, but I'm having issues with this specific ruleset. When customers submit a form with a double quotation, the ruleset is activated and an access denied code 403 is spit out.

The last entry that was denied was Need a price on cabinet style 42”

The rule set that was triggered was:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(^[\"'`´’‘;]+|[\"'`´’‘;]+$)"

The error in the logs showed up as:

ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\\"'`\\xb4\\x92\\x91;]+|[\\"'`\\xb4\\x92\\x91;]+$)"

With such a simple phrase I'm not sure why the rule set is being triggered. I was reading in some places that it could be due to the encoding utilized. Any suggestions or help would be appreciated.

1 Answer


It's about SQL Injection.

SQL injection occurs when strings can be manipulated in a database query. The attacker often introduces it using a single quote because this would close a string like

SELECT * from products WHERE name='$variable'

to

SELECT * from products WHERE name='->' OR '1'='1' -- <-'

(->...<- indicating the introduced input)

This attack also works with double quotes if the query uses them (cf. https://chartio.com/learn/sql-tips/single-double-quote-and-backticks-in-mysql-queries/).

To test if SQL injection is possible, the attacker often tries different characters, and this is why this rule pops up.

That means the ModSecurity file that is of interest for you is:

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

And the rule is:

SQL Injection Attack: Common Injection Testing Detected id:'981318'

The process you can follow can be similar to the one in ModSecurity: Access denied with code 403:

  • First determine which requests are false positives and then
  • switch them off, for example using SecRuleRemoveByID.

In this case, for example:

<Directory /var/www/yourpath>
  SecRuleRemoveById 981318
</Directory>
secf00tprint
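An added Python check, not from the question or the answer, that reproduces the 981318 pattern in both the character form quoted in the question and the single-byte form printed in the error log, and runs constructed sample form values through it encoded as UTF-8 and as cp1252, so you can confirm which submissions actually trip the rule before switching it off with SecRuleRemoveById. The sample values and the two encodings are assumptions.

```python
import re

# Pattern of CRS rule 981318 exactly as quoted in the question (character form).
RULE_981318_UNICODE = r"(^[\"'`´’‘;]+|[\"'`´’‘;]+$)"
# Pattern as printed in the error log: the same class with the non-ASCII
# characters as single cp1252 bytes (0xb4 = ´, 0x92 = ’, 0x91 = ‘).
RULE_981318_BYTES = rb"(^[\"'`\xb4\x92\x91;]+|[\"'`\xb4\x92\x91;]+$)"

_UNICODE_RE = re.compile(RULE_981318_UNICODE)
_BYTES_RE = re.compile(RULE_981318_BYTES)


def matches_unicode(value: str) -> bool:
    """True if the rule, read as a Unicode regex, flags the form value."""
    return _UNICODE_RE.search(value) is not None


def matches_bytes(value: str, encoding: str) -> bool:
    """True if the single-byte form of the rule flags the value once it is
    encoded the way a browser would submit it ('utf-8' or 'cp1252')."""
    raw = value.encode(encoding, errors="replace")
    return _BYTES_RE.search(raw) is not None


def triage(values):
    """Map each value to (unicode_hit, utf8_hit, cp1252_hit) for review."""
    return {
        v: (matches_unicode(v), matches_bytes(v, "utf-8"), matches_bytes(v, "cp1252"))
        for v in values
    }


# Constructed sample form values; only the first one comes from the question.
SAMPLES = [
    "Need a price on cabinet style 42\u201d",  # trailing ” (U+201D), not in the class
    "Need a price on cabinet style 42\u2019",  # trailing ’ (U+2019), listed in the rule
    'Need a price on cabinet style 42"',       # trailing ASCII double quote
    "' OR '1'='1' --",                         # the injection probe from the answer
    "Need a price on a 42-inch cabinet",       # no quote characters at all
]

if __name__ == "__main__":
    for value, (uni, utf8, cp) in triage(SAMPLES).items():
        print(f"{value!r:45} unicode={uni} utf8={utf8} cp1252={cp}")
```

The same character can match in one encoding and not in the other, which is why the bytes the browser actually sent matter when judging whether a hit is a false positive.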