Query params not included in ARGS_NAMES|ARGS in GET request at phase:2 evaluation #2541
Comments
Are you sure there isn't any exception? I can't find the rule 942270 at all in your attached debug.log - it should be there. I tried your request (with
with this request:
See the last line in log snippet ( |
Root cause is found. We weren't evaluating phase 2 and 4 unconditionally. Will provide an image today for this.
Thanks. Your simple response got me thinking in the right direction. The issue was that we weren't running processing for phase 2 unconditionally. Now I am able to hit it. Thanks for the help. Will close the ticket.
Not sure if this is a bug or a CRS rule limitation.
With the CRS rule ID 942270, any GET requests with SQL injection params in them aren't detected. The assumption here is that ARGS|ARGS_NAMES should contain query params as well (is that still true for libmodsecurity 3.x?).
However, for GET requests this rule doesn't get hit unless the phase level is changed to "phase:1".
```
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)union.*?select.*?from" \
    "id:942270,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    .....
```
Output of:
undetected.Debuglogs.txt
[None as nothing was triggered]
[None]
Steps to reproduce the behavior:
Using Postman to generate a GET request to URL : http://j*********:8000/rest/products/search?q=apple'))UNION%20SELECT%20username,password,email,4,5,6,7,8,9%20FROM%20USERS--
Expected behavior
Shouldn't the rule evaluation happen in phase 2 as well against GET query ARGS?
**Server**
Rule Set (please complete the following information):
CRS rule set 3.3v
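
The root cause reported in the comments, as an added Python model (not libmodsecurity or connector code, and not code from this issue): the query parameter is already in ARGS, but a phase:2 rule only sees it if the integration actually runs phase 2 for that request. `Transaction`, `handle` and `always_run_phase2` are hypothetical names, the "skip when there is no body" condition is an assumption about the faulty integration, and `parse_qsl` stands in for `t:urlDecodeUni`.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Rule 942270 from the issue, reduced to the fields this model needs.
RULE = {"id": 942270, "phase": 2,
        "rx": re.compile(r"union.*?select.*?from", re.I)}

class Transaction:
    """Toy stand-in for a WAF transaction; not the libmodsecurity API."""
    def __init__(self, rules):
        self.rules, self.args, self.hits = rules, {}, []

    def process_uri(self, uri):
        # Query-string parameters are placed in ARGS before any rule runs.
        for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
            self.args[name] = value

    def _run_phase(self, phase):
        for rule in (r for r in self.rules if r["phase"] == phase):
            for name, value in self.args.items():  # ARGS_NAMES | ARGS
                if rule["rx"].search(name) or rule["rx"].search(value):
                    self.hits.append((rule["id"], "ARGS:" + name))

    def process_request_headers(self):
        self._run_phase(1)

    def process_request_body(self, body=b""):
        # Phase 2 is tied to this step, whether or not a body exists.
        self._run_phase(2)

def handle(uri, body, always_run_phase2, rules=(RULE,)):
    tx = Transaction(list(rules))
    tx.process_uri(uri)
    tx.process_request_headers()
    # Assumed faulty behaviour: phase 2 is skipped for body-less requests.
    if body or always_run_phase2:
        tx.process_request_body(body)
    return tx.hits

# Constructed input: path and query taken from the issue, host omitted.
URI = ("/rest/products/search?q=apple'))UNION%20SELECT%20username,password,"
       "email,4,5,6,7,8,9%20FROM%20USERS--")

if __name__ == "__main__":
    print("phase 2 skipped:", handle(URI, b"", always_run_phase2=False))
    print("phase 2 always :", handle(URI, b"", always_run_phase2=True))
```

Moving the rule to phase 1 makes it fire in the faulty path as well, which matches the workaround in the report, but it only hides the skipped phase: every other phase:2 rule stays unevaluated for GET requests.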