This repository has been archived by the owner on May 14, 2020. It is now read-only.

Rule 942230: False positive #1598

Open
Rolandwalraven opened this issue Oct 16, 2019 · 2 comments
Labels: False Positive, PR available (this issue is referenced by an active pull request)

Comments

@Rolandwalraven

Rolandwalraven commented Oct 16, 2019

Type of Issue

Incorrect blocking (false positive)

Description

o.havingu@gmail.com is detected as a conditional SQL injection attempt.

The email address is fictional.

Message: Warning. Pattern match "(?i:[\\s()]case\\s*?\\(|\\)\\s*?like\\s*?\\(|having\\s*?[^\\s]+\\s*?[^\\w\\s]|if\\s?\\([\\d\\w]\\s*?[=<>~])" at ARGS:email. [file "/etc/modsecurity/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "227"] [id "942230"] [msg "Detects conditional SQL injection attempts"] [data "Matched Data: havingu@gmail. found within ARGS:email: o.havingu@gmail.com"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

Your Environment

  • CRS version: 3.1.0
  • ModSecurity version: 2.9.2-1
  • Web Server and version: Apache/2.4.29 (Ubuntu)

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@spartantri
Contributor

We can add \b before spaces to reduce false positives, and maybe before the keywords:
(?i:[\s()]case\b\s*?\(|\)\s*?like\b\s*?\(|having\b\s*?[^\s]+\s*?[^\w\s]|if\s?\([\d\w]\s*?[=<>~])
We will have to check that this doesn't introduce bad side effects.

@Rolandwalraven
Author

Rolandwalraven commented Apr 7, 2020

We can add \b before spaces to reduce false positives, and maybe before the keywords:
(?i:[\s()]case\b\s*?\(|\)\s*?like\b\s*?\(|having\b\s*?[^\s]+\s*?[^\w\s]|if\s?\([\d\w]\s*?[=<>~])
We will have to check that this doesn't introduce bad side effects.

With the alternative regex from @spartantri I saw an FP today.

[data "Matched Data: having-head-for-oneblade-pro-trimmer-422203626171-qp210- found within ARGS:url: /philips-shaving-head-for-oneblade-pro-trimmer-422203626171-qp210-50"]
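To reproduce both reports offline, here is an added example (not code from the issue or from the CRS project) that runs the CRS 3.1.0 pattern and @spartantri's \b variant over constructed copies of the two reported values plus one conditional-injection shape the rule is meant to catch; it assumes Python's re behaves like ModSecurity's PCRE for these patterns, which it does here.

```python
import re

# Rule 942230 as quoted in the alert on this page (CRS 3.1.0).
ORIGINAL = r"(?i:[\s()]case\s*?\(|\)\s*?like\s*?\(|having\s*?[^\s]+\s*?[^\w\s]|if\s?\([\d\w]\s*?[=<>~])"

# The \b variant proposed in the thread.
PROPOSED = r"(?i:[\s()]case\b\s*?\(|\)\s*?like\b\s*?\(|having\b\s*?[^\s]+\s*?[^\w\s]|if\s?\([\d\w]\s*?[=<>~])"

# Constructed inputs: the two benign values reported in the thread, plus a
# minimal "having <cond>" shape so we can see the rule still fires on it.
SAMPLES = {
    "email": "o.havingu@gmail.com",
    "url": "/philips-shaving-head-for-oneblade-pro-trimmer-422203626171-qp210-50",
    "sqli": "1 having 1=1",
}


def match(pattern, value):
    """Return the matched substring (what ModSecurity logs as 'Matched Data'), or None."""
    m = re.search(pattern, value)
    return m.group(0) if m else None


def evaluate(pattern):
    """Run one pattern over every sample and report what it matched."""
    return {name: match(pattern, value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(label, evaluate(pattern))
```

The \b fixes the email case because "havingu" continues with a word character, but not the URL case: the hyphen after "having" is a non-word character, so the word boundary holds and `[^\s]+ ... [^\w\s]` happily consumes the rest of the slug up to its last "-". A stricter fix would have to look at what follows the keyword (whitespace or an operator), not just where it ends.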


4 participants