From 4f7c3cb7ffc62dd5b26525a161632e15a9464e3f Mon Sep 17 00:00:00 2001 From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Wed, 22 Oct 2025 20:47:01 +0200 Subject: [PATCH 01/12] fix(942431): reduce false positive in backoffice --- rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf index fd387a20f5..06e81d3bee 100644 --- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf @@ -1785,7 +1785,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx (( # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ +SecRule ARGS_NAMES|!ARGS_NAMES:/^[\w]+\[[\w]*?\]\[[\w]*?\]\[[\w]*?\]$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ "id:942431,\ phase:2,\ block,\ From d848f8d1045cbf0b92aa2a1f2dd128ce072a60b6 Mon Sep 17 00:00:00 2001 From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Wed, 22 Oct 2025 20:51:21 +0200 Subject: [PATCH 02/12] Update 942431.yaml --- .../942431.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml index 89bb3b273b..e38795b1c6 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml 
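Review bot: The `!ARGS_NAMES:/^…$/` selector added in patch 01 depends on `^` and `$` being whole-string anchors, because that is the only thing guaranteeing an excluded name holds nothing but word characters and brackets. An engine that compiles selector patterns in multi-line mode would also match a name whose first line is array-shaped and which carries further content after a line break, which would take that name out of 942431's inspection. I would confirm the anchor behaviour on every engine the rule set supports and pin it with a regression case in `942431.yaml` that sends such a name and lists 942431 under `expect_ids`. The same anchors are carried through every later revision of this selector in the series (patches 04, 05 and 08 to 12). The rule's action list continues past the end of the hunk.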
@@ -20,3 +20,20 @@ tests: output: log: expect_ids: [942431] + - test_id: 2 + desc: "Avoid blocking on three-dimensional arrays" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "order[filters][date_add][from]=1" + version: HTTP/1.1 + output: + log: + no_expect_ids: [942431] From ed085bd4bf3ed369de2f3dbe8a4fccf350c3e17d Mon Sep 17 00:00:00 2001 From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Wed, 22 Oct 2025 20:51:47 +0200 Subject: [PATCH 03/12] Update 942431.yaml --- .../tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml index e38795b1c6..39c396a948 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml @@ -1,6 +1,6 @@ --- meta: - author: "Christian S.J. Peron, azurit" + author: "Christian S.J. Peron, azurit, touchweb_vincent" rule_id: 942431 tests: - test_id: 1 From ad11787dd67a8c6807a5fc6e15c77d6b077a8be3 Mon Sep 17 00:00:00 2001 From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Thu, 23 Oct 2025 06:27:07 +0200 Subject: [PATCH 04/12] Update REQUEST-942-APPLICATION-ATTACK-SQLI.conf --- rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf index 06e81d3bee..0cab260be8 100644 --- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf 
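Review bot: Test 2 here and test 3 in patch 06 only prove that the rule stays quiet; nothing checks that the exclusion is limited to the parameter name. Because `ARGS` stays in the target list, a value holding six or more of the counted characters under an array-style name should still raise 942431, and so should a name with a fourth bracket pair. I would add one positive case for each, so that a later widening of the selector fails the suite. A sketch of the first, with constructed data, follows.

```yaml
# … unchanged: test_id 2 (three-dimensional name, value "1") …
  - test_id: 4  # constructed: next free id after the cases added in this series
    desc: "Value under an excluded array-style name is still inspected"
    stages:
      - input:
          dest_addr: 127.0.0.1
          headers:
            Host: localhost
            User-Agent: "OWASP CRS test agent"
          method: POST
          port: 80
          uri: "/post"
          data: "order[filters][date_add][from]=~~~~~~~~"  # constructed sample value
          version: HTTP/1.1
        output:
          log:
            expect_ids: [942431]
```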
@@ -1785,7 +1785,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx (( # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule ARGS_NAMES|!ARGS_NAMES:/^[\w]+\[[\w]*?\]\[[\w]*?\]\[[\w]*?\]$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ +SecRule ARGS_NAMES|!ARGS_NAMES:/^[\w]+\[[\w]+\]\[[\w]+\]\[[\w]*?\]$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ "id:942431,\ phase:2,\ block,\ From 59b27462b1981deb9486edfe422d21d6ac231c88 Mon Sep 17 00:00:00 2001 From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Thu, 23 Oct 2025 10:04:37 +0200 Subject: [PATCH 05/12] Update REQUEST-942-APPLICATION-ATTACK-SQLI.conf --- rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf index 0cab260be8..25210aa7dc 100644 --- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf @@ -1785,7 +1785,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx (( # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule ARGS_NAMES|!ARGS_NAMES:/^[\w]+\[[\w]+\]\[[\w]+\]\[[\w]*?\]$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ +SecRule ARGS_NAMES|!ARGS_NAMES:/^[\w]+\[[\w\-]+\]\[[\w\-]*?\]$/|!ARGS_NAMES:/^[\w]+\[[\w\-]+\]\[[\w\-]+\]\[[\w\-]*?\]$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ "id:942431,\ phase:2,\ block,\ From 7b7d4579eaf17fd13a1a419f627956015579d957 Mon Sep 17 00:00:00 2001 
From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Thu, 23 Oct 2025 10:27:57 +0200 Subject: [PATCH 06/12] Update 942431.yaml --- .../942431.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml index 39c396a948..61dc664f06 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml @@ -37,3 +37,20 @@ tests: output: log: no_expect_ids: [942431] + - test_id: 3 + desc: "Avoid blocking on bi-dimensional arrays" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "order[add-to-cart][]=1" + version: HTTP/1.1 + output: + log: + no_expect_ids: [942431] From f58f9f3f92252d48c3da1368ab70b3406adf8149 Mon Sep 17 00:00:00 2001 From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Sat, 25 Oct 2025 06:45:19 +0200 Subject: [PATCH 07/12] Update lint.yaml From f7abf8a80d51a937092bc6deed11fc68920f9ef5 Mon Sep 17 00:00:00 2001 From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Mon, 8 Dec 2025 10:59:12 +0100 Subject: [PATCH 08/12] Update rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf Co-authored-by: Esad Cetiner <104706115+EsadCetiner@users.noreply.github.com> --- rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf index 733ad34926..e13990d4ba 100644 --- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf 
@@ -1784,7 +1784,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx (( # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule ARGS_NAMES|!ARGS_NAMES:/^[\w]+\[[\w\-]+\]\[[\w\-]*?\]$/|!ARGS_NAMES:/^[\w]+\[[\w\-]+\]\[[\w\-]+\]\[[\w\-]*?\]$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ +SecRule ARGS_NAMES|!ARGS_NAMES:/^\w+(?:\[[\w-]*?\]){1,3}$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ "id:942431,\ phase:2,\ block,\ From a672e72f02924a6633ac2912246bd55e30141f9a Mon Sep 17 00:00:00 2001 From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:00:57 +0100 Subject: [PATCH 09/12] Update REQUEST-942-APPLICATION-ATTACK-SQLI.conf --- rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf index e13990d4ba..8d2462485b 100644 --- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf @@ -1784,7 +1784,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx (( # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule ARGS_NAMES|!ARGS_NAMES:/^\w+(?:\[[\w-]*?\]){1,3}$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ +SecRule ARGS_NAMES|!ARGS_NAMES:/^\w+(?:\[[\w-]*?\]){2,3}$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ "id:942431,\ phase:2,\ block,\ From 51a43cd82584f8cab48f2fbff149fa97a1c350b3 Mon Sep 17 00:00:00 2001 
From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:03:52 +0100 Subject: [PATCH 10/12] Update REQUEST-942-APPLICATION-ATTACK-SQLI.conf --- rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf index 8d2462485b..56cdad19c9 100644 --- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf @@ -1784,7 +1784,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx (( # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule ARGS_NAMES|!ARGS_NAMES:/^\w+(?:\[[\w-]*?\]){2,3}$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ +SecRule ARGS_NAMES|!ARGS_NAMES:/^\w+(?:\[[\w\-]*?\]){2,3}$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ "id:942431,\ phase:2,\ block,\ From 6c007a92cff0a2de0594b0d8e3dfb32f44e3eb9e Mon Sep 17 00:00:00 2001 From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:37:48 +0100 Subject: [PATCH 11/12] Update REQUEST-942-APPLICATION-ATTACK-SQLI.conf --- rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf index 56cdad19c9..bfe04eac29 100644 --- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf 
@@ -1784,7 +1784,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx (( # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule ARGS_NAMES|!ARGS_NAMES:/^\w+(?:\[[\w\-]*?\]){2,3}$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ +SecRule ARGS_NAMES|!ARGS_NAMES:/^\w+(\[[\w\-]*?\]){2,3}$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ "id:942431,\ phase:2,\ block,\ From 83fe317df8adddc177b7eacf4560a080f964151e Mon Sep 17 00:00:00 2001 From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:45:06 +0100 Subject: [PATCH 12/12] Update REQUEST-942-APPLICATION-ATTACK-SQLI.conf --- rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf index bfe04eac29..733ad34926 100644 --- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf @@ -1784,7 +1784,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx (( # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule ARGS_NAMES|!ARGS_NAMES:/^\w+(\[[\w\-]*?\]){2,3}$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ +SecRule ARGS_NAMES|!ARGS_NAMES:/^[\w]+\[[\w\-]+\]\[[\w\-]*?\]$/|!ARGS_NAMES:/^[\w]+\[[\w\-]+\]\[[\w\-]+\]\[[\w\-]*?\]$/|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ "id:942431,\ phase:2,\ block,\
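Review bot: Nothing in the file records why the two exclusions left in place by patch 12 exist: the comment above the rule still names only the SAP CRM CVE, so the next maintainer cannot tell which names are meant to be skipped. I would add to that comment block something like `# Parameter names that are plain two- or three-dimensional array keys (word characters and hyphens only) are excluded to avoid false positives in back-office forms.` Patch 12 also returns to the two-selector form of patch 05 after the compact `{2,3}` variant of patches 08 to 11, and its subject line gives no reason. A sentence in the commit body or in the same comment saying what failed with the compact form would keep someone from re-attempting it. The rule's action list continues outside the hunk.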