help understanding alarm for generic SQL injection in HTTP

mhellman
Level 7

I don't quite get the regex in 5474-1 shown below. The '+' I think I get; if the data is a GET or a POST with enctype=application/x-www-form-urlencoded then spaces are encoded as +. But the regex also appears to be looking for a literal '%' and then '20'. Why for? If the request is "multipart/form-data" it will have a space character in the data (which has a hex value of \x20 but that's not what the regex is looking for).

([%]20|[=]|[+])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])


mhellman
Level 7

hmmm...upon further thought, this would be required for detecting SQL injection via GET method. So, I guess my question now is, what about via POST with enctype="multipart/form-data"?
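As an added worked example (not part of the thread and not Cisco's own code), the 5474-1 regex quoted in the first post is run here over three constructed requests that all carry the same injected string: a GET where the spaces are percent-encoded as %20, an application/x-www-form-urlencoded POST where they become '+', and a multipart/form-data POST where they are sent as a literal 0x20 byte. The regex is applied to the raw request text exactly as quoted; whether the sensor decodes or normalizes the request before the regex runs is not established by this thread and is not assumed here. The hostnames, paths and parameter names are made up.

```python
import re

# Regex of Cisco IPS signature 5474-1 exactly as quoted in the post, joined
# onto one line. The class [^\r\n\x00-\x19\x7F-\xFF] is kept as posted.
SIG_5474_1 = re.compile(
    r"([%]20|[=]|[+])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])"
    r"[^\r\n\x00-\x19\x7F-\xFF]+"
    r"([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])"
)


def matches_5474_1(request: str) -> bool:
    """Return True if the raw HTTP request text would trigger the regex."""
    return SIG_5474_1.search(request) is not None


# Constructed sample requests (not captured traffic). The same injected
# string is carried three ways; only the space encoding differs.
PAYLOAD = "1 or select pass from users"

# GET: a browser or tool percent-encodes each space as %20.
GET_PCT = (
    "GET /item.asp?id=" + PAYLOAD.replace(" ", "%20") + " HTTP/1.1\r\n"
    "Host: example.test\r\n\r\n"
)

# POST with enctype application/x-www-form-urlencoded: spaces become '+'.
POST_URLENC = (
    "POST /item.asp HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "id=" + PAYLOAD.replace(" ", "+") + "&go=1"
)

# POST with enctype multipart/form-data: the space is a literal 0x20 byte,
# and the regex has no alternative for it.
POST_MULTIPART = (
    "POST /item.asp HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
    "--XX\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"
    + PAYLOAD + "\r\n--XX--\r\n"
)

SAMPLES = {
    "get_percent20": GET_PCT,
    "post_urlencoded_plus": POST_URLENC,
    "post_multipart_space": POST_MULTIPART,
}


def classify() -> dict:
    """Run the signature regex over every constructed sample."""
    return {name: matches_5474_1(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:24s} {'ALARM' if hit else 'no match'}")
```

Run as a script it reports an alarm for the %20 and '+' forms and no match for the multipart body, which is the raw-pattern behaviour the two posts are asking about; it says nothing about any decoding the sensor itself may perform first.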
