Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Gold

help understanding alarm for generic SQL injection in HTTP

I don't quite get the regex in 5474-1 shown below. The '+' I think I get; if the data is a GET or a POST with enctype=application/x-www-form-urlencoded then spaces are encoded as +. But the regex also appears to be looking for a literal '%' and then '20'. Why for? If the request is "multipart/form-data" it will have a space character in the data (which has a hex value of \x20 but that's not what the regex is looking for).

([%]20|[=]|[+])

[Ss][Ee][Ll][Ee][Cc][Tt]

([%]20|[+])

[^\r\n\x00-\x19\x7F-\xFF]+

([%]20|[+])

[Ff][Rr][Oo][Mm]

([%]20|[+])

1 REPLY
Gold

Re: help understanding alarm for generic SQL injection in HTTP

hmmm...upon further thought, this would be required for detecting SQL injection via GET method. So, I guess my question now is, what about via POST with enctype="multipart/form-data"?

155
Views
0
Helpful
1
Replies