Working SQL Injection relaxation rule for IE/Safari User-Agent Header "like"

[Sven Olsfelder]

Hi,

 

does anybody have a working relaxation rule for the User-Agent header field for IE/Safari ? 

 

Log entry looks like this:

 

...msg=SQL Keyword check failed for header User-Agent\="..like Gecko) Version/9.1 Safari/601.5.17(;)" 

 

It's also happening for IE, because of the "like" in the User-Agent. Of course "Check Request Headers" is set to True.

 

 

Regards,

Sven

 

 

 

[Stan Chen]

Check the APPFW Learned Rules Rule and Deploy to Relaxation Rules.

[Sven Olsfelder]

Hi,

 

did this too, still doesn't work. I had a similar issue earlier these days with a XSS relaxation rule - after I deployed the learned rule, it appeared again and again in the learned rules and couldn't (obviously) bedeployed again because it was "already in use". I could get over it by using a lot of ^.*$. But that doesn't work for this specifiy User-Agent relaxation.

 

Seems like the AppFW sometimes doesn't understands it's own "language".... 

[Stuart Ganney]

I am having the same problem with IE11 on Windows 7.  I have tried deploying the rules that the appfw learns, but it still blocks these requests.  I have tried adding various combinations of PCRE wildcards in all the fields available (URL, location, value etc).  None of them do what I want and the appfw still blocks these requests as being SQL injection attempts.

 

Surely there must be some documented solution to this, since IE11 is so common in the field.  Has anyone managed to solve it?

 

I am now trying an idea of using a rewrite policy to remove the User-Agent header altogether.  Has anyone had any success with this kind of idea?

 

Stuart.

[Murilo Rocha]

Not ideal but the work around is to disable " Check request headers"