Hi,
I hope I am in the right place to ask this question.
We have a new Sophos SG and we put our web servers behind this UTM. Now when we try to open some of our websites we get "access denied". I looked in the WAF logs and can see that when opening the website the UTM sees it as SQL injection, so this is a false positive. Should we add the ID to the Modified rules of the IPS?
/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: [Sat Aug 29 11:50:29.121631 2015] [security2:error] [pid 17925:tid 3850255216] [client 132.XX.XX.5] ModSecurity: Warning. Pattern match "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" at ARGS[:D]. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: --OrBzLzFK8vxQu3- found within ARGS[:D]: 0o3eV0RWOK5Zb2PMS4JXHvsQDag_PrZsc8rB7s8dIVGFcEtQSDXip9Ii5Skao5qgOS1-JChhY--OrBzLzFK8vxQu3-szHugWj-HQr9alNSo1"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "edeo.go2mydomain.nl"] [uri "/WebResource.axd"] [unique_id "VeGAZT7dx7gAAEYFu@wAAABR"]
/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: [Sat Aug 29 11:50:29.122468 2015] [security2:error] [pid 17925:tid 3850255216] [client 132.XX.XX.5] ModSecurity: Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\].*?){4,}" at ARGS[:D]. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS[:D]: 0o3eV0RWOK5Zb2PMS4JXHvsQDag_PrZsc8rB7s8dIVGFcEtQSDXip9Ii5Skao5qgOS1-JChhY--OrBzLzFK8vxQu3-szHugWj-HQr9alNSo1"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "edeo.go2mydomain.nl"] [uri "/WebResource.axd"] [unique_id "VeGAZT7dx7gAAEYFu@wAAABR"]
/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: [Sat Aug 29 11:50:29.123375 2015] [security2:error] [pid 17925:tid 3850255216] [client 132.XX.XX.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960035-OWASP_CRS/POLICY/EXT_RESTRICTED-TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 11, SQLi=2, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Last Matched Data: .axd/"] [hostname "edeo.go2mydomain.nl"] [uri "/WebResource.axd"] [unique_id "VeGAZT7dx7gAAEYFu@wAAABR"]
/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: [Sat Aug 29 11:50:29.123462 2015] [security2:error] [pid 17925:tid 3850255216] [client 132.XX.XX.5] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 11, SQLi=2, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "edeo.go2mydomain.nl"] [uri "/WebResource.axd"] [unique_id "VeGAZT7dx7gAAEYFu@wAAABR"]
/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: id="0299" srcip="132.XX.XX.5" localip="62.221.199.184" size="224" user="-" host="132.XX.XX.5" method="GET" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 11, SQLi=2, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded" exceptions="-" time="3330" url="/WebResource.axd" server="edeo.go2mydomain.nl" referer="edeo.go2mydomain.nl/" cookie="ASP.NET_SessionId=cuulemiixtouewp0kc0xzhhw; HASH_ASP.NET_SessionId=0E3C024E05FD173CA4EB3FBFAD085BA895E6AE01" set-cookie="-"
/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: [Sat Aug 29 11:50:29.128224 2015] [security2:error] [pid 17925:tid 3850255216] [client 132.XX.XX.5] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".axd"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "edeo.go2mydomain.nl"] [uri "/ScriptResource.axd"] [unique_id "VeGAZT7dx7gAAEYFu@0AAABR"]
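As an added example (not from the thread or from Sophos), the following parses lines in the ModSecurity security2 format quoted above, groups them by unique_id, and for each blocked request lists which detector rules scored on which URL and parameter, which is what you need to scope a WAF exception to that URL/argument instead of disabling the rule everywhere (the block comes from the WAF, as the reason="waf" field shows). The sample lines are constructed and modelled on the ones in the post; host, client IP and request ids are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Sophos UTM reverseproxy / ModSecurity
# (security2) format in the thread; hostname, client IP and unique ids are placeholders.
SAMPLE_LOG = """\
2015:08:29-11:50:29 srv reverseproxy: [Sat Aug 29 11:50:29.121631 2015] [security2:error] [pid 1:tid 2] [client 192.0.2.5] ModSecurity: Warning. Pattern match "(--)" at ARGS:D. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "49"] [id "981231"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: --Ab found within ARGS:D: 0o3e--Ab-zH"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/WebResource.axd"] [unique_id "REQ-A"]
2015:08:29-11:50:29 srv reverseproxy: [Sat Aug 29 11:50:29.122468 2015] [security2:error] [pid 1:tid 2] [client 192.0.2.5] ModSecurity: Warning. Pattern match "([-_]){4,}" at ARGS:D. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "www.example.test"] [uri "/WebResource.axd"] [unique_id "REQ-A"]
2015:08:29-11:50:29 srv reverseproxy: [Sat Aug 29 11:50:29.123375 2015] [security2:error] [pid 1:tid 2] [client 192.0.2.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:981173-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:D. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 11, SQLi=2, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert"] [hostname "www.example.test"] [uri "/WebResource.axd"] [unique_id "REQ-A"]
2015:08:29-11:50:29 srv reverseproxy: [Sat Aug 29 11:50:29.128224 2015] [security2:error] [pid 1:tid 2] [client 192.0.2.5] ModSecurity: Warning. String match within ".asa/ .axd/ .bak/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".axd"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/ScriptResource.axd"] [unique_id "REQ-B"]
"""

KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')        # bracketed [key "value"] fields
ACTION_RE = re.compile(r'ModSecurity: (Warning|Access denied with code (\d+))')
ARG_RE = re.compile(r' at ARGS\[?:(\w+)\]?\.')     # request parameter the pattern hit
SCORE_RE = re.compile(r'Total (?:Inbound )?Score: (\d+)')
SCORING_RULES = {"981176", "981204"}               # CRS blocking/correlation rules, not detectors

def parse_line(line):
    """Return the bracketed fields of one security2 line plus action and argument, or None."""
    act = ACTION_RE.search(line)
    if not act:
        return None                                 # e.g. the id="0299" access-log style line
    f = dict(KV_RE.findall(line))
    f["blocked"] = act.group(1) != "Warning"
    arg = ARG_RE.search(line)
    f["arg"] = arg.group(1) if arg else None
    return f

def summarize(lines):
    """Group events by unique_id: uri, anomaly score, block decision and detector hits."""
    reqs = defaultdict(lambda: {"uri": None, "blocked": False, "score": None, "hits": []})
    for line in lines.splitlines():
        f = parse_line(line)
        if not f or "unique_id" not in f:
            continue
        r = reqs[f["unique_id"]]
        r["uri"] = f.get("uri")
        if f.get("id") in SCORING_RULES:            # score/decision come from the blocking rule
            m = SCORE_RE.search(f.get("msg", ""))
            r["score"] = int(m.group(1)) if m else r["score"]
            r["blocked"] = r["blocked"] or f["blocked"]
        else:                                       # detector rule: candidate for an exception
            r["hits"].append((f.get("id"), f["arg"], f.get("msg")))
    return dict(reqs)

def exception_candidates(reqs):
    """(rule id, uri, argument) triples from blocked requests only, so an exception can be
    limited to that URL and parameter rather than switching the rule off globally."""
    return sorted({(rid, r["uri"], arg) for r in reqs.values() if r["blocked"]
                   for rid, arg, _ in r["hits"]})
```

Run against a real reverseproxy log, the output tells you that REQ-A was denied because 981231 and 981173 both fired on argument D of /WebResource.axd, while the 960035 hit on /ScriptResource.axd belongs to a different request and only warned.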