Re:format-Parsererror: 200- SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSO - Post #3335

All forums Flat View

Welcome, Guest
Please Login to access forum.

- Joomla! Extensions Store

Re:format-Parsererror: 200- SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSO (1 viewing)

TOPIC: Re:format-Parsererror: 200- SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSO

#3335

David

Fresh Boarder

Posts: 17

Re:format-Parsererror: 200- SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSO

Karma: 0

Hi John,
Found this question of the Modsecurity forum - note that I did not find an answer

!

With reference to the question below, note emoticons on page 3 of this thread. I hope it is of some use?

............................

I've got a problem with modsecurity, modsecurity-crs and a little
nasty unicode-symbol, the "MASCULINE ORDINAL INDICATOR" or in short: º

http://codepoints.net/U+00BA?lang=en

This nasty symbol causes multiple sql-injection rules:

Message: Pattern match
"(?i

?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((?
..." at ARGS:address[street]. [file
"/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "209"] [id "981257"] [msg "Detects MySQL
comment-/space-obfuscated injections and backtick termination"] [data
"Matched Data: , n\xc2\xba 1, 1\xc2\xba - 1 found within
ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1,
1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

Message: Pattern match
"(?i

?:union\\s*?(?:all|distinct|[(! <at> ]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4
..." at ARGS:address[street]. [file
"/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "223"] [id "981245"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "Matched Data: \xc2\xba 1, 1 found within
ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1,
1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

Message: Pattern match
"(?i

?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?

?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor
..." at ARGS:address[street]. [file
"/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "245"] [id "981243"] [msg "Detects classic SQL injection
probings 2/2"] [data "Matched Data: \xc2\xba 1 found within
ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1,
1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

I've configured

SecUnicodeCodePage 20127
SecUnicodeMapFile /etc/modsecurity/unicode.mapping

and the rules are using t:urlDecodeUni but there are still these
audit-events. I have no clue why, could someone help me with this?