False Positive for SQLi
andywgrant opened this issue · 1 comment
andywgrant commented
My ModSecurity logs are reporting a detection by libinjection that is clearly a false positive (even its matched data seems a little bizarre).
[msg "SQL Injection Attack Detected via libinjection"][data "Matched Data: novc found within ARGS:username: a!@#"]
jptosso commented
For now just create an exception.
SecRuleUpdateTargetById <RULE ID TRIGGERED> "!ARGS:username"
That will disable the rule validation for the parameter.
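An added configuration example, not part of the thread or of the project's own files: the exclusion from the comment above, next to a narrower runtime variant that only applies on one endpoint. The rule id 942100 (assumed here to be the OWASP CRS libinjection SQLi rule, since the log excerpt does not show the id), the exclusion rule id 10001 and the `/login` path are assumptions; substitute the id from your own audit log.

```apache
# Added example. Assumptions: target rule id 942100, exclusion rule id 10001,
# and the /login path. Take the real rule id from the [id "..."] field of
# your own log entry.

# Option A: configure-time exclusion, as suggested in the comment above.
# Load this AFTER the rule set that defines the target rule, because the
# directive modifies a rule that must already exist.
# Effect: the rule never inspects ARGS:username, on any URL.
SecRuleUpdateTargetById 942100 "!ARGS:username"

# Option B: runtime exclusion scoped to a single endpoint.
# Load this BEFORE the rule set, so the ctl action has already run when the
# target rule is evaluated in phase 2.
# Effect: ARGS:username is skipped by rule 942100 only for requests whose
# URI starts with /login; everywhere else the parameter is still inspected.
SecRule REQUEST_URI "@beginsWith /login" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:username"
```

Use one option, not both. In either case only the named rule stops looking at `username`; every other rule still inspects it, and the rule still inspects every other parameter.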