help understanding alarm for generic SQL injection in HTTP
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-16-2008 03:12 PM - edited 03-10-2019 03:56 AM
I don't quite get the regex in 5474-1 shown below. The '+' I think I get; if the data is a GET or a POST with enctype=application/x-www-form-urlencoded then spaces are encoded as +. But the regex also appears to be looking for a literal '%' and then '20'. Why for? If the request is "multipart/form-data" it will have a space character in the data (which has a hex value of \x20 but that's not what the regex is looking for).
([%]20|[=]|[+])
[Ss][Ee][Ll][Ee][Cc][Tt]
([%]20|[+])
[^\r\n\x00-\x19\x7F-\xFF]+
([%]20|[+])
[Ff][Rr][Oo][Mm]
([%]20|[+])
- Labels:
-
IPS and IDS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-16-2008 03:25 PM
hmmm...upon further thought, this would be required for detecting SQL injection via GET method. So, I guess my question now is, what about via POST with enctype="multipart/form-data"?
