Skip to content

fix(942200): reduce false positives on payloads with comments #4608

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fzipi merged 7 commits into from
Apr 18, 2026
+87 −4
Merged

fix(942200): reduce false positives on payloads with comments #4608

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
b1bf31f
fix(942200): reduce false positives on payloads with comments
EsadCetiner Apr 7, 2026
4ae7bd9
add known fp test case
EsadCetiner Apr 7, 2026
3cce194
improve test comments
EsadCetiner Apr 7, 2026
fb4e36d
fix: wrong test
EsadCetiner Apr 11, 2026
3ecb160
add known fp test case
EsadCetiner Apr 17, 2026
24e5dbd
fix typo
EsadCetiner Apr 17, 2026
8414b7b
fix typo
EsadCetiner Apr 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions regex-assembly/942200-chain1.ra
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##!^ ^
##!$ $

[a-zA-Z0-9,=_-]+
9 changes: 6 additions & 3 deletions rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -839,7 +839,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
# Regular expression generated from regex-assembly/942200.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 942200
# crs-toolchain regex update 942200 942200-chain1
#
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:,[^\)]*?(?:[0-9a-f]+|\([0-9a-f]+\))|\([^,]+(?:,[\s\x0b]*[0-9a-f]+)+\))(?:$|[\"'`](?:$|[^\"'`]+[\"'`])|(?:\r?\n)?\z)|,[^\)]*?[\"'`][^\"'`]+[\"'`]|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\x0b]*?\([\s\x0b]*?space[\s\x0b]*?\(" \
"id:942200,\
Expand All @@ -859,8 +859,11 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST
tag:'capec/1000/152/248/66',\
ver:'OWASP_CRS/4.26.0-dev',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
chain"
SecRule MATCHED_VARS "!@rx ^[,\-0-9=A-Z_a-z]+$" \
"t:none,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
Expand Down
75 changes: 74 additions & 1 deletion tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942200.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
meta:
author: "Christian S.J. Peron, Franziska Bühler, azurit"
author: "Christian S.J. Peron, Franziska Bühler, azurit, Esad Cetiner"
rule_id: 942200
tests:
- test_id: 1
Expand Down Expand Up @@ -264,3 +264,76 @@ tests:
output:
log:
no_expect_ids: [942200]
- test_id: 17
desc: |
WordPress: loading wp-admin script, don't match comma
decoded payload: jquery-core,jquery-migrate,utils,zxcvbn-async
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: GET
port: 80
uri: "/wp-admin/load-scripts.php?c=0&load%5Bchunk_0%5D=jquery-core,jquery-migrate,utils,zxcvbn-async&ver=6.9.4"
version: HTTP/1.1
output:
log:
no_expect_ids: [942200]
- test_id: 18
desc: |
Roundcube: Viewing an email, don't match comma
decoded payload: pdf=1,flash=0,tiff=0,webp=1,pgpmime=0
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: GET
port: 80
uri: "/mail/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=22544&_mbox=INBOX&_framed=1&_action=preview"
version: HTTP/1.1
output:
log:
no_expect_ids: [942200]
- test_id: 19
desc: |
WordPress: Opening an page/post in Gutenberg editor, don't matching comma
decoded payload: id,link,menu_order,parent,title,type
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: GET
port: 80
uri: "/wp-json/wp/v2/pages?context=edit&per_page=100&_fields=id%2Clink%2Cmenu_order%2Cparent%2Ctitle%2Ctype&orderby=menu_order&order=asc&_locale=user"
version: HTTP/1.1
output:
log:
no_expect_ids: [942200]
- test_id: 20
desc: |
Known FP
decoded payload: ABANCA CORPORACION BANCARIA, S.A
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "test=ABANCA%20CORPORACION%20BANCARIA,%20S.A"
version: HTTP/1.1
output:
log:
expect_ids: [942200]
Loading