We have ModSecurity installed on our application server and sometimes a request is blocked because ModSecurity detects SQL injection on the PHPSESSID cookie.
GET /somepage.php HTTP/1.1
Host: www.domain.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=peu4e3ftt241orq5nbnuc6ocs4
Connection: keep-alive

Message: Access denied with code 403 (phase 2). [file "C:/Program Files/Apache Software Foundation/Apache2.2/conf/extra/modsecurity_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "241or"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"]
What is recommended to avoid this false positive?
Remove this rule. If you use all of the ModSecurity CRS rules, there will be many false positives.
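As an added configuration example (not part of the question or the answer above): the log shows rule 981248 matching the substring "241or" inside the random PHPSESSID value, so the narrowest fix is to stop that one rule from inspecting that one cookie rather than dropping the rule. This assumes ModSecurity 2.x with the CRS base_rules already loaded via Include; the exclusion directives must come after that Include, otherwise there is no rule 981248 to update. The rule id 1000001 used for the per-path variant is an assumed local id, not one from the page.

```apache
# Option A: keep rule 981248 but exclude the PHP session cookie from its targets.
# The session id is a random token (e.g. "peu4e3ftt241orq5nbnuc6ocs4"), so a
# digit run followed by "or" will recur and keep tripping the chained-SQLi pattern.
# Must be placed AFTER the "Include .../base_rules/*.conf" line.
SecRuleUpdateTargetById 981248 !REQUEST_COOKIES:PHPSESSID

# Option B: restrict the exclusion to the one path that showed the false positive.
# A phase-1 rule runs before the phase-2 CRS rules and removes the cookie target
# at request time only for /somepage.php. Rule id 1000001 is an assumed local id.
SecRule REQUEST_FILENAME "@streq /somepage.php" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=981248;REQUEST_COOKIES:PHPSESSID"

# Option C: remove the rule outright, as the answer suggests. This is the
# broadest change: chained-injection patterns in any parameter, not just the
# session cookie, are no longer caught by rule 981248.
# SecRuleRemoveById 981248
```

Option A is the usual CRS-style "rule exclusion" and keeps the rule active for query strings, POST bodies and other cookies; Option C trades that coverage for simplicity. After changing the configuration, replay the same request with the original cookie value and confirm the 403 is gone while a deliberately crafted test parameter in a query string still produces the 981248 alert in the audit log.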