New rule 942550 (PL1) JSON in SQL #3055
Conversation
This is a draft, I'm working on a stricter version for SQLite and PostgreSQL in order to avoid FPs
@theMiddleBlue We don't seem to match against this example, which appears to be path-based (original example screenshot):
We don't catch it when the attack is in the path, but we do catch it when it's in
Thanks @RedXanadu!
I've changed the SQLite regex in order to avoid FPs. This rule could probably be bypassed by using other SQL engine functions to transform the string parameters. But other CRS rules should catch it.
I can remove all comment syntaxes on tests, it should fix the test problem... |
Probably using the
OK, this should cover all test cases, including the payload from @RedXanadu.
Yay: tested and confirmed that it now catches the path-based payload from above 😄 Imperva have published some more example payloads. Some of them we catch at PL 1, some of them we don't. Are these concerning? Do we need to catch all of these variations, or will we be here forever? Either way, here are the results I got:

1. Result: per_pl=0-36-11-13
2. Result: per_pl=0-31-11-13
3. Result: per_pl=0-21-19-26
4. ✔️ Result: per_pl=10-36-11-13 (942550 matches)
5. Result: per_pl=0-36-16-13
6. ✔️ Result: per_pl=10-36-11-13 (942550 matches)
7. ✔️ Result: per_pl=10-46-11-13 (942550 matches)
8. ✔️ Result: per_pl=10-41-11-13 (942550 matches)
Oh wow, thanks @RedXanadu, this is really useful! I'm going to see if I can integrate all variations.
Added new payloads and removed useless parts from the ra file, so the regex should be less chaotic.
Awesome work!
tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml
A possible false positive could be an
something like:
@theMiddleBlue This is an amazing PR. You nailed it!
Confirmed that all of the Imperva examples are now caught at PL 1 by this new rule.
Seriously cool work @theMiddleBlue! And such a fast turnaround! Plus, the regex-assemble file for this new rule is elegant and easy to read: a great example to use 🚀
Thanks a lot!
This PR contains a new rule at PL1 that tries to catch SQL in JSON payloads not covered at PL1. For more information about the bypass technique, please refer to https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
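As an added illustration (not the regex of rule 942550 and not code from this PR), the check below shows the idea the rule description refers to: flag JSON functions and operators of SQLite, PostgreSQL and MySQL only when they appear in SQL call or operator syntax after WAF-style URL decoding, so that the bare words in prose or JSON keys do not fire. The sample requests are constructed for this example, and the narrowness of the operator pattern is a deliberate trade-off of the kind discussed in the thread (fewer false positives, other rules cover the rest).

```python
import re
from urllib.parse import unquote_plus

# Illustrative detector for JSON-based SQL syntax. This is NOT the CRS
# rule's regex: it only demonstrates matching JSON functions/operators
# in SQL syntax rather than as loose words.
JSON_FUNCS = (
    r"(?:json_extract|json_type|json_valid|json_array|json_object|json_quote"
    r"|json_contains|json_keys|jsonb_typeof|jsonb_pretty|to_jsonb?"
    r"|json_build_object)"
)
# Function-call form: the name directly followed by an opening parenthesis.
FUNC_CALL = re.compile(JSON_FUNCS + r"\s*\(", re.IGNORECASE)
# PostgreSQL/MySQL JSON operators (->, ->>, #>, ?, ?|, ?&, @>, <@) count only
# between two string literals, e.g. '{"a":1}'::jsonb ? 'a'. A lone '?' in a
# URL or an arrow in prose lacks the quotes and is left alone; the column form
# (col->'$.a') is deliberately not covered here to keep false positives low.
PG_OPERATOR = re.compile(
    r"""['"]\s*(?:::\s*jsonb?\s*)?(?:->>?|#>>?|\?[|&]?|@>|<@)\s*['"]""",
    re.IGNORECASE,
)

def decode(raw: str) -> str:
    """Apply URL decoding twice, mirroring a WAF transformation chain."""
    return unquote_plus(unquote_plus(raw))

def json_sql_suspect(raw: str) -> bool:
    """True when the decoded path/argument contains JSON SQL call or operator syntax."""
    decoded = decode(raw)
    return bool(FUNC_CALL.search(decoded) or PG_OPERATOR.search(decoded))

# Constructed samples (not from the PR): a path-based payload like the one
# discussed above, a URL-encoded SQLite call, a PostgreSQL operator, and three
# benign strings that merely contain JSON-ish words or punctuation.
SAMPLES = {
    "/items/1' AND JSON_EXTRACT('{\"a\":1}','$.a')='1'--": True,
    "id=1%27%20and%20json_type(%27%7B%22a%22%3A1%7D%27)%3D%27object%27--": True,
    "q=' or '{\"a\":1}'::jsonb ? 'a": True,
    "q=json_extract is a sqlite function": False,
    "search=where does this go -> here? maybe": False,
    "path=/docs/json-array.html": False,
}

def evaluate() -> list[str]:
    """Return the samples whose classification disagrees with the expectation."""
    return [s for s, want in SAMPLES.items() if json_sql_suspect(s) != want]

if __name__ == "__main__":
    for s, want in SAMPLES.items():
        print(f"{json_sql_suspect(s)!s:5} (expected {want}) {s}")
    assert not evaluate()
```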