coreruleset · fzipi · Mar 3, 2026 · Mar 2, 2026 · Mar 2, 2026
diff --git a/regex-assembly/942450.ra b/regex-assembly/942450.ra
@@ -0,0 +1,20 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Rule 942450: SQL Bin / Hex Evasion Methods
+##!
+##! Detects SQL hex and binary encoding used to evade detection:
+##!   - 0x hex prefix (e.g., 0xf00d)
+##!   - x'...' hex string literal (MySQL/SQLite)
+##!   - b'...' binary string literal (MySQL)
+
+##!+ i
+
+##! hex encoding: 0x followed by 3+ hex digits (word boundary anchored)
+\b0x[a-f\d]{3,}
+
+##! MySQL/SQLite hex string literal: x'...'
+x'[a-f\d]{3,}'
+
+##! MySQL binary string literal: b'...' (10+ binary digits)
+b'[0-1]{10,}'
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -1391,7 +1391,12 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx /\*!?|
 # Hex encoding detection:
 # (?i:\b0x[a-f\d]{3,}) will match any 3 or more hex bytes after "0x", together forming a hexadecimal payload(e.g 0xf00, 0xf00d and so on)
 #
-SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b0x[a-f\d]{3,}|x\'[a-f\d]{3,}\'|b\'[0-1]{10,}\')" \
+# Regular expression generated from regex-assembly/942450.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 942450
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b0x[0-9a-f]{3,}|(?:x'[0-9a-f]{3,}|b'[01]{10,})'" \
     "id:942450,\
     phase:2,\
     block,\