New WAF bypass method takes advantage of comment anti-evasion

Submitted by Ofer Shezaf on 3 November 2009 - 6:07pm

A new blog post by Dmitry Evteev shows how an obscure MySQL syntax can be used to bypass ModSecurity signatures. The interesting thing is that the new technique actually takes advantage of a ModSecurity anti-evasion measure. The ModSecurity rule set ignores MySQL comments in order to detect attacks that are split using a comment:

or /* comment */ 1=1

However, the obscure syntax actually allows placing MySQL code inside a comment by preceding it with an exclamation mark:

/*! or 1=1 */

On the one hand one might say that this proves that there is no way to win the signatures vs. attacks arms race. On the other hand, this one was always there in the MySQL book so it seems that a somewhat more strenuous effort would enable. I can say this without hurting anyone's feelings since I originally designed the ModSecurity core rule set which this technique bypasses.
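The normalization gap described above, as an added example that is not part of the original post and is not ModSecurity code: a comment-stripping normalizer beside one that unwraps `/*! ... */` before matching. The signature regex, function names and sample values are assumptions made for illustration.

```python
import re

# Constructed stand-in for a signature; not a rule from the ModSecurity core rule set.
SIGNATURE = re.compile(r"\bor\s+1\s*=\s*1\b", re.IGNORECASE)

# Any C-style comment, non-greedy, spanning lines.
ANY_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# MySQL executable comment: the body after "/*!" is run by the server.
# An optional version number after "!" is kept in the body; it does not hide the code.
EXEC_COMMENT = re.compile(r"/\*!(.*?)\*/", re.DOTALL)

# The two inputs quoted in the post, plus a constructed benign value.
SPLIT_BY_COMMENT = "or /* comment */ 1=1"
EXECUTABLE_COMMENT = "/*! or 1=1 */"
BENIGN = "see note /* reviewed in November */ for details"


def normalize_naive(value):
    """Anti-evasion step as described in the post: drop every comment."""
    return ANY_COMMENT.sub(" ", value)


def normalize_mysql_aware(value):
    """Unwrap /*! ... */ so its body stays visible, then drop ordinary comments."""
    unwrapped = EXEC_COMMENT.sub(r" \1 ", value)
    return ANY_COMMENT.sub(" ", unwrapped)


def matches(value, normalizer):
    """Apply the normalizer, then test the normalized text against the signature."""
    return bool(SIGNATURE.search(normalizer(value)))


def report():
    """Return (input, naive verdict, MySQL-aware verdict) for each sample."""
    samples = (SPLIT_BY_COMMENT, EXECUTABLE_COMMENT, BENIGN)
    return [(s, matches(s, normalize_naive), matches(s, normalize_mysql_aware))
            for s in samples]


if __name__ == "__main__":
    for value, naive, aware in report():
        print(f"{value!r:50} naive={naive!s:5} mysql_aware={aware}")
```

The naive normalizer catches the split form but discards the executable comment together with its body, so the signature never sees the code that MySQL will run.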
