False Positive with Rule 942100 when matching text "大阪大"


kkondo

Oct 20, 2025, 8:36:30 PM
to OWASP CRS project

Hello,

I encountered a false positive with CRS rule 942100. The rule flagged the text "大阪大" as an SQL Injection attempt.

After investigating, it seems the issue might be related to the order of transformations applied in this rule. Currently, rule 942100 uses the following transformations:
t:none,t:utf8Unicode,t:urlDecodeUni,t:removeNulls

When I enabled detailed logging, I noticed:

  • After t:utf8Unicode, libinjection does not detect an attack.

  • However, after t:urlDecodeUni, the input is transformed into something like '*' and then libinjection detects it as an attack.

Based on this, I believe the false positive could be avoided by changing the transformation order to:
t:none,t:removeNulls,t:urlDecodeUni,t:utf8Unicode

Has anyone experienced similar issues? Would adjusting the transformation order be an acceptable solution, or is there a better approach?

Thank you for your guidance.

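The byte-level effect described in the post can be reproduced offline. The following is an added example, not code from the post or from the CRS project: a simplified Python model of the three transformations (the post's t:utf8Unicode step is t:utf8toUnicode in ModSecurity), assuming valid UTF-8 in the Basic Multilingual Plane and no SecUnicodeMapFile mapping, so that a %uHHLL escape decodes to its low byte. The function and constant names are hypothetical.

```python
import re

# Simplified model (an assumption of this example): valid UTF-8, BMP only,
# and no SecUnicodeMapFile mapping, so %uHHLL decodes to its low byte LL.
_ESC = re.compile(rb"\+|%(?:[uU]([0-9a-fA-F]{4})|([0-9a-fA-F]{2}))")

def utf8_to_unicode(data: bytes) -> bytes:
    """t:utf8toUnicode: each non-ASCII code point becomes the text %uXXXX."""
    text = data.decode("utf-8")
    return "".join(c if ord(c) < 0x80 else "%%u%04x" % ord(c) for c in text).encode("ascii")

def _decode(m: re.Match) -> bytes:
    if m.group(0) == b"+":
        return b" "
    if m.group(2) is not None:              # plain %HH escape
        return bytes([int(m.group(2), 16)])
    cp = int(m.group(1), 16)                # %uHHLL escape
    low = cp & 0xFF                         # high byte HH is discarded
    if cp >> 8 == 0xFF and 0 < low < 0x5F:
        low += 0x20                         # full-width U+FF01..U+FF5E folds to ASCII
    return bytes([low])

def url_decode_uni(data: bytes) -> bytes:
    """t:urlDecodeUni: one pass over +, %HH and %uHHLL escapes."""
    return _ESC.sub(_decode, data)

def remove_nulls(data: bytes) -> bytes:
    """t:removeNulls: drop NUL bytes."""
    return data.replace(b"\x00", b"")

STEPS = {"utf8toUnicode": utf8_to_unicode,
         "urlDecodeUni": url_decode_uni,
         "removeNulls": remove_nulls}
CURRENT = ("utf8toUnicode", "urlDecodeUni", "removeNulls")    # order in rule 942100
PROPOSED = ("removeNulls", "urlDecodeUni", "utf8toUnicode")   # order suggested in the post

def run_chain(data: bytes, order) -> list:
    """Apply the transformations in order; return (name, output) after each step."""
    trace = []
    for name in order:
        data = STEPS[name](data)
        trace.append((name, data))
    return trace

if __name__ == "__main__":
    sample = "\u5927\u962a\u5927".encode("utf-8")   # the text from the post
    for label, order in (("current", CURRENT), ("proposed", PROPOSED)):
        for name, out in run_chain(sample, order):
            print(label, name, out)
```

Under this model the current order yields `'*'` for the post's text (the low bytes of U+5927, U+962A, U+5927 are 0x27, 0x2A, 0x27), while the proposed order leaves `%u5927%u962a%u5927`. The same reorder also stops folding a raw UTF-8 full-width apostrophe (U+FF07) to ASCII `'`, so it changes what libinjection inspects beyond this one false positive.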