coreruleset · fzipi · Dec 14, 2022 · Dec 12, 2022 · Dec 12, 2022 · Dec 13, 2022
diff --git a/regex-assembly/942550.ra b/regex-assembly/942550.ra
@@ -0,0 +1,30 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Referring to https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
+##! this rule tries to match the following payloads:
+##! 
+##! PostgreSQL: '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb @> '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb @ '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb < '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb > '{"a":1, "b":2}'::jsonb
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' <- '$.c[2].f' = 7
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' < '$.c[2].f' = 7
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' > '$.c[2].f' = 7
+##! MySQL: JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'
+
+##!> define quotes [\"'`]
+##!> define operators (?:@>|<@|\?|\?\||\?&|#>|#>>|->>|<|>|->|<-)
+##!> define json_ending_brackets [\]\}]
+##!> define json_starting_brackets [\[\{]
+
+##!> assemble
+  ##! https://regex101.com/r/mzG5Fg/1
+  {{quotes}}{{json_starting_brackets}}.*{{json_ending_brackets}}{{quotes}}.*(::.*jsonb?)?.*{{operators}}
+  {{operators}}{{quotes}}{{json_starting_brackets}}.*{{json_ending_brackets}}{{quotes}}
+
+  ##! example: SELECT id FROM users WHERE id=JsoN_EXTraCT/**/(/**/'  {"a":1}  '/**/,/**/' $.a '/**/);
+  json_extract.*\(.*\)
+##!<
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -559,6 +559,35 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
+# This rule tries to match JSON SQL syntax that could be used as a bypass technique.
+# Referring to this research: https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
+#
+# Regular expression generated from regex-assembly/942550.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 942550
+#
+SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\[\{].*[\]\}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)[\"'`][\[\{].*[\]\}][\"'`]|json_extract.*\(.*\)" \
+    "id:942550,\
+    phase:2,\
+    block,\
+    t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace,\
+    msg:'JSON-Based SQL Injection',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-sqli',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/248/66',\
+    tag:'PCI/6.5.2',\
+    tag:'paranoia-level/1',\
+    ver:'OWASP_CRS/4.0.0-rc1',\
+    severity:'CRITICAL',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 #