Correct rule 941310 to use single-byte variants and fix FPs (#1596)

* Fix test to use the single byte characters

Add a test that uses utf-8 as well.

* Change pattern to use the single-byte variants

Patterns in ModSecurity are not treated as UTF strings.
Fixes #1595.

* Add negative tests and update descriptions

* Improve pattern

Change it to avoid FPs for \xbc\xbc and \xbe\xbe (i.e. << and >>).
Use negated classes for better performance.

Author: fgsch

rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

@@ -619,7 +619,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # Reported by Mazin Ahmed
 #
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:¾|¼).*(?:¾|¼|>)|(?:¾|¼|<).*(?:¾|¼)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \
     "id:941310,\
     phase:2,\
     block,\

util/regression-tests/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941310.yaml

@@ -1,24 +1,75 @@
 ---
   meta:
-    author: "Christian S.J. Peron"
-    description: None
+    author: Christian S.J. Peron, Federico G. Schwindt
+    description: US-ASCII Malformed Encoding XSS Filter
     enabled: true
     name: 941310.yaml
   tests:
   -
     test_title: 941310-1
-    desc: "US-ASCII Malformed Encoding XSS Filter"
+    desc: Positive test using single byte
     stages:
     -
       stage:
         input:
           dest_addr: 127.0.0.1
           headers:
             Host: localhost
-            Content-type: "iso-8859-15"
+            Content-type: us-ascii
           method: POST
           port: 80
-          uri: "/"
-          data: "var=.*¾.*¼.*"
+          uri: /
+          data: var=\xbcscript\xbealert(\xa2XSS\xa2)\xbc/script\xbe
         output:
           log_contains: id "941310"
+  -
+    test_title: 941310-2
+    desc: Positive test using utf-8
+    stages:
+    -
+      stage:
+        input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            Content-type: us-ascii
+          method: POST
+          port: 80
+          uri: /
+          data: var=\xc2\xbcscript\xc2\xbealert(\xc2\xa2XSS\xc2\xa2)\xc2\xbc/script\xc2\xbe
+        output:
+          log_contains: id "941310"
+  -
+    test_title: 941310-3
+    desc: Negative test for opening tag
+    stages:
+    -
+      stage:
+        input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            Content-type: us-ascii
+          method: POST
+          port: 80
+          uri: /
+          data: var=\xbc\xbc
+        output:
+          no_log_contains: id "941310"
+  -
+    test_title: 941310-4
+    desc: Negative test for closing tag
+    stages:
+    -
+      stage:
+        input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            Content-type: us-ascii
+          method: POST
+          port: 80
+          uri: /
+          data: var=\xbe\xbe
+        output:
+          no_log_contains: id "941310"