SQL Injection bypasses ModeSec rule

Forum Moderators: phranque

Message Too Old, No Replies

SQL Injection bypasses ModeSec rule

afridy

5:28 am on May 28, 2013 (gmt 0)

Hello,

i have installed owasp ruleset last week in to our vps. one of my friend tested a website we have hosted and told that our server is still valnarable. He issued the following sql statement and simply it worked.

a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles WhErE tablE_scHemA=dAtabase()-- -

OWASP rule was in action and shown 406.

a'/**//*!unIoN*//**//*!SelEct*//**/1,/*!table_name*/,database()/**/from/**/information_schema.tables/**/WheRe/**/tablE_SchEma=daTabase()--+-

rule failed. sql statment successfully executed.

Any body can help me with this?

Dideved

6:48 am on May 28, 2013 (gmt 0)

I took a look at the OWASP ModSecurity SQL injection rules. It appears that it looks for and blocks suspicious strings. But this seems ineffective for two reasons:

1) Not every suspicious string is an attack. What if we were on a forum discussing SQL? The ModSecurity rules may very well end up blocking legitimate content. Even a simple phrase such as "select group having order" could be considered suspicious by those rules.

And 2) we can't possibly think up each and every combination of suspicious strings, and if you know what's considered suspicious, then it's super easy to beat.

All things considered, this seems like flimsy protection that will generate an awful lot of false positives. I wouldn't use it. It's the responsibility of your application to escape or bind any user provided content. Escaping or binding is the only way to achieve foolproof protection with zero false positives.

afridy

7:15 am on May 28, 2013 (gmt 0)

Thanks Dideved,
Yes understood.