On Tue, Mar 10, 2020 at 04:55:15PM -0700, john smith wrote:
> Well, since I got no replies I investigated this myself and eventually
> found a bug not related to ModSecurity or the rule set.
> This is now resolved.
Thanks for letting us know. I was puzzled by your problem, that's why I did
not respond.
Cheers,
Christian
>
> On Sunday, March 1, 2020 at 4:32:31 PM UTC+2, john smith wrote:
> >
> > Hi,
> >
> > I'm new to ModSecurity, still trying to understand how things work.
> > For example, I have the latest version running on Apache, and after trying
> > some SQLI and XSS cases I don't see anything from ModSecurity, although
> > Apache gives a 400 error.
> > Is this because none of the rules in REQUEST-942-APPLICATION-ATTACK-SQLI
> > matched, or because of Apache? How does that work?
> >
> > I'm sharing my test cases:
> >
> > *SQLI:*
> >
> > select *
> >
> > tom' or '1'='1
> >
> > DROP sampletable;--
> >
> > 10; DROP TABLE members /*
> >
> > 11223344) UNION SELECT 1,'2',NULL,NULL WHERE 1=2 --
> >
> > '%/_%' ESCAPE '/';
> >
> > '''|| usr ||' AND itemname = ''' || itm || '''';
> >
> >
> > *XSS*
> >
> > <SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
> >
> > <IMG
> > SRC=javascript:alert('XSS')>
> >
> >
> >
> > Usually I get a 403 from Apache and something like this as an error:
> >
> > [Sun Mar 01 14:30:58.736707 2020] [:error] [pid 43:tid 140175342544640]
> > [client 172.21.0.4:54110] [client 172.21.0.4] ModSecurity: Warning.
> > Operator GE matched 5 at TX:inbound_anomaly_score. [file
> > "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line
> > "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
> > Score: 15 - SQLI=8,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0):
> > individual paranoia level scores: 0, 10, 0, 5"] [tag "event-correlation"]
> > [hostname "modsec"] [uri "/"] [unique_id "XlvHIvjgb4WImw-7uPIKVwAAAEU"]
> >
> >
>
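As an added example (not code from either poster or from the CRS project), the following parses a ModSecurity error-log line of the shape quoted above: the CRS 980130 correlation event, with the anomaly threshold from "Operator GE matched N", the total inbound score, the per-category scores and the per-paranoia-level scores. The sample line is constructed from the quoted log; the `AnomalyEvent` type and `parse_crs_anomaly` function are my own names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the 980130 line quoted in the thread, joined onto one line.
SAMPLE_LINE = (
    '[Sun Mar 01 14:30:58.736707 2020] [:error] [pid 43:tid 140175342544640] '
    '[client 172.21.0.4:54110] [client 172.21.0.4] ModSecurity: Warning. '
    'Operator GE matched 5 at TX:inbound_anomaly_score. '
    '[file "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] '
    '[line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound '
    'Score: 15 - SQLI=8,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): '
    'individual paranoia level scores: 0, 10, 0, 5"] [tag "event-correlation"] '
    '[hostname "modsec"] [uri "/"] [unique_id "XlvHIvjgb4WImw-7uPIKVwAAAEU"]'
)

@dataclass
class AnomalyEvent:          # hypothetical type, not a ModSecurity/CRS structure
    client: str
    rule_id: str
    threshold: int           # inbound_anomaly_score_threshold the GE operator compared against
    total: int               # total inbound anomaly score reported by rule 980130
    categories: dict = field(default_factory=dict)    # SQLI=8, XSS=0, ...
    paranoia_scores: list = field(default_factory=list)  # one score per paranoia level
    uri: str = ""

    def exceeded(self) -> bool:
        return self.total >= self.threshold

def parse_crs_anomaly(line: str):
    """Parse a CRS 980130 correlation line; return None for lines of another shape."""
    # Every [key "value"] pair in the line; msg contains no quotes, so this is safe.
    fields = dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))
    if fields.get("id") != "980130":
        return None
    m_thr = re.search(r"Operator GE matched (\d+) at TX:inbound_anomaly_score", line)
    m_msg = re.search(
        r"Total Inbound Score: (\d+) - ([A-Z0-9=,]+)\): individual paranoia level scores: ([\d, ]+)",
        fields.get("msg", ""),
    )
    m_cli = re.search(r"\[client ([\d.:a-fA-F]+)\]", line)   # first [client ip:port]
    if not (m_thr and m_msg):
        return None
    cats = {k: int(v) for k, v in (kv.split("=") for kv in m_msg.group(2).split(","))}
    per_pl = [int(x) for x in m_msg.group(3).split(",")]
    return AnomalyEvent(
        client=m_cli.group(1) if m_cli else "",
        rule_id=fields["id"],
        threshold=int(m_thr.group(1)),
        total=int(m_msg.group(1)),
        categories=cats,
        paranoia_scores=per_pl,
        uri=fields.get("uri", ""),
    )
```

Feeding the quoted line through it gives total 15 against threshold 5, with SQLI carrying 8 of the category points; a request that Apache itself rejects with a 400 never reaches this rule, so no such line is written for it.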