Rule 942450 (SQL Hex Encoding Identified) too lax?

[lifeforms]

Rule 942450 (SQL Hex Encoding Identified; PL2) gives FPs in alphanumeric strings that contain the substring 0x. Examples:

N0X5d1

bKjyGu1pGxza4NGsxfqxoSTPA6acPA12pshj0xddfda reported in #832

Could we be a little less annoying and not fire if there is a letter before the 0x substring? This should not diminish detecting actual attacks.

[dune73]

This rule is indeed mighty aggressive. But I am not very experienced with exploits leveraging hex encoding and how the payload looks. Right now we trigger on anything but numbers before the 0x. So you are effectively saying the [a-Z] should be added to that pair of bracket.

[lifeforms]

I've little experience with this too, maybe someone else can chime in?

If I look at this example: http://www.pwntester.com/blog/2014/01/15/hackyou2014-web100-write-up/ it would suggest that the 0x... would need to be on its own, well at least in this case, it might not be the only way to use SQL hex literals.

Interestingly the regexp already contains (?:\A|[^\d])0x... so the 0x wants to be at the start of the string or at least not with a digit in front of the 0x. So something like 10x... does not match but x0x... annoyingly does.

My gut feeling says that we could get away with \b0x too and solve multiple annoying FP with this rule...

As it's PL2, it's not the highest prio however.

[dune73]

@pash7ka reports false positives with ethereum addresses and transactions with this rule too in issue #951 (closed in favor of this issue here).

Ethereum addresses (like 0xc2d7cf95645d33006175b78989035c7c9061d3f9 ) 
Transaction hashes (like 0x653351a883a4a82512dbaceadd9d9ef266658547829a0d30d7aaf26647a144cb )

[ivanbaldo]

FWIW it happens with Laravel too in REQUEST_COOKIES:XSRF-TOKEN.
It continuosly generates random XSRF-TOKEN cookies like this one (which matches):
XSRF-TOKEN=eyJpdiI6ImI4QUpCdUJ0d3NsXC8wZHpLbWhFdlZ3PT0iLCJ2YWx1ZSI6InYxNVdacVh3elg3dW9wOVwvZ2ZndnZCaldMZ2kwUkxISExIRTBVNmY0Q3FRYWRzY1lYY1Q0XC9EbGZQNHBvckl0YXRYNjFaazBZYUx5eW5WVWFpOFNVQ0E9PSIsIm1hYyI6IjcyMmZkZGIzOTU1MDI2Y2JjOWY0OTk0YWY0NDAwMmM5MGY1OTQzYzIxNWY3MWYwZmFiZGJmNGZjMzQyNzI5ODcifQ%3D%3D
Maybe split the rule in two, one for PL2 that matches only if it starts with 0x and another for PL4 like the current one.

[ivanbaldo]

Ok, now I seen it in REQUEST_COOKIES:laravel_session too, which makes sense, since I guess they use the same algorithm to generate it.

[github-actions]

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

[dune73]

Decision during the CRS project chat on March 2, 2020: @lifeforms will take this on.

#1683 (comment)

[lifeforms]

The great thing is that @wjwoodson already fixed this in #1662, so this issue can be closed!