Description
Hello,
I'm facing a false positive issue with rule id 942200 (Detects MySQL comment-/space-obfuscated injections and backtick termination).
If the value is a valid postal address like "999, rue d'Arlon", the regular expression is matched.
I isolated the RegExp part that causes the detection:

How to reproduce the misbehavior
curl -X POST -H "X-Format-Output: txt-matched-rules" -H "x-crs-paranoia-level: 2" https://sandbox.coreruleset.org/ -d "address=999, rue d'Arlon"
Logs
942200 PL2 Detects MySQL comment-/space-obfuscated injections and backtick termination
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=5, XSS=0, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
Your Environment
- Azure Application Gateway
- Web Application Firewall (WAF Policy)
- Managed Ruleset: OWASP 3.2
Confirmation
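
As an added example (not part of the original report and not code from the CRS project), this Python script parses the sandbox output shown under Logs and reports which detection rule matched and at which paranoia levels the request reaches the inbound blocking threshold. The function name `triage` and the set of reporting rule ids are assumptions of this example.

```python
import re

# Sandbox output copied from the report above (txt-matched-rules format).
SAMPLE = """\
942200 PL2 Detects MySQL comment-/space-obfuscated injections and backtick termination
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=5, XSS=0, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
"""

RULE_LINE = re.compile(r"^(\d{6}) PL([1-4]) (.+)$")
INBOUND = re.compile(
    r"Inbound Scores: blocking=(\d+), detection=(\d+), "
    r"per_pl=(\d+)-(\d+)-(\d+)-(\d+), threshold=(\d+)"
)
# Assumption: these ids are CRS scoring/reporting rules, not detections.
REPORTING_IDS = {"949110", "959100", "980170"}


def triage(output):
    """Return matched detection rules and the PLs at which the request blocks."""
    detections, inbound = [], None
    for line in output.splitlines():
        m = RULE_LINE.match(line.strip())
        if not m:
            continue  # ignore blank or unrecognised lines
        rule_id, level, msg = m.group(1), int(m.group(2)), m.group(3)
        scores = INBOUND.search(msg)
        if scores:
            n = [int(x) for x in scores.groups()]
            inbound = {"blocking": n[0], "per_pl": n[2:6], "threshold": n[6]}
        if rule_id not in REPORTING_IDS:
            detections.append((rule_id, level))
    if inbound is None:
        raise ValueError("no anomaly score summary line found")
    # per_pl lists the score added by rules of PL1..PL4; running at level N
    # accumulates the first N entries, and CRS blocks when score >= threshold.
    # Levels above the one the request ran at only count rules that fired.
    blocked_at = {
        pl: sum(inbound["per_pl"][:pl]) >= inbound["threshold"]
        for pl in range(1, 5)
    }
    return {"detections": detections, "inbound": inbound, "blocked_at": blocked_at}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the logged request, the single PL2 match on 942200 contributes the full score of 5, so the request is blocked from paranoia level 2 upward and passes at level 1.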