This repository was archived by the owner on May 14, 2020. It is now read-only.

XSS Attack Detected for valid XML Wrapped in CDATA Id 941160 #1720

@jeremyjpj0916

Description

Rule 941160 is blocking XML in CDATA; it's not a fan of the text <pr:form

Audit Logs / Triggered Rule Numbers

/tmp/audit/20200312/20200312-0426 $ cat 20200312-042600-158398716078.198431
---6YKmS8jV---B--
POST /F5/status HTTP/1.1
content-length: 342
accept-encoding: gzip, deflate
Accept: */*
cache-control: no-cache
Host: gateway.company.com
Authorization: Bearer XXXXXXX
User-Agent: PostmanRuntime/7.6.1
Content-Type: application/xml
Connection: keep-alive
X-Forwarded-For: XXXXX

---6YKmS8jV---C--
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <urn:Request>
            <GroupECMM><![CDATA[ <pr:formulaType><pr:formulaTypeCode><pr:typeCode><opt:code>S</opt:code></pr:typeCode> </pr:formulaTypeCode> </pr:formulaType>]]></GroupECMM>
</urn:Request>
</soapenv:Body>
</soapenv:Envelope>

---6YKmS8jV---D--

---6YKmS8jV---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a


---6YKmS8jV---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3139 characters omitted)' against variable`XML:/*' (Value: `\x0a    \x0a        \x0a             <pr:formulaType><pr:formulaTypeCode><pr:typeCode><opt:code>S</o (74 characters omitted)' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "195"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <pr:form found within XML:/*: \x0a    \x0a        \x0a             <pr:formulaType><pr:formulaTypeCode><pr:typeCode><opt:code>S</opt:code></pr:typeCode> </pr:formulaTypeCode> </pr:formulaType>\x0a\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"][accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "XXXXX"] [uri "/F5/status"] [unique_id "158398716078.198431"] [ref "o28,8o44,8o114,9o136,9t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "XXXX"] [uri "/F5/status"] [unique_id "158398716078.198431"] [ref ""]

Interestingly, if you take the valid XML out of the CDATA you don't get blocked. Request payload example like so:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <urn:Request>
            <pr:formulaType>
                <pr:formulaTypeCode>
                    <pr:typeCode>
                        <opt:code>S</opt:code>
                    </pr:typeCode>
                </pr:formulaTypeCode>
            </pr:formulaType>
        </urn:Request>
    </soapenv:Body>
</soapenv:Envelope>

These payloads are dumbed-down versions of a real request I saw, and I have taken out all the SOAP headers, xmlns namespace declarations and such to just get the meat of the block.

Your Environment

  • CRS version (e.g., v3.2.0): 3.2/master
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 3.0.4
  • Web Server and version (e.g., apache 2.4.41): Nginx
  • Operating System and version: Alpine Linux

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
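The difference between the two payloads comes down to what the XML:/* target hands the rule. ModSecurity parses the body with libxml2 and gives 941160 the text content of the document; a CDATA section is character data, so the markup inside it reaches the regex as literal text, while the same markup written as real elements contributes only its text nodes (here, just "S" and whitespace). The following Python script is an added illustration of that mechanism and is not code from the CRS project or from the reporter. It reuses the two payloads above with constructed namespace declarations (the reporter stripped the real ones) and a deliberately simplified tag check that stands in for the 941160 regex, which the audit log truncates; the check is the rule's shape, not its pattern.

```python
"""Why CRS 941160 fires on XML wrapped in CDATA but not on the same XML as elements.

Added illustration, not CRS project code. ModSecurity's XML:/* target gives the
rule the text content of the parsed request body: a CDATA section is character
data, so the markup inside it arrives as literal text, whereas real child
elements contribute only their text nodes.
"""
import re
import xml.etree.ElementTree as ET

# Constructed namespace declarations so the parser accepts the prefixes the
# reporter left in the payloads (placeholder URIs, not the real ones).
NS = ('xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
      'xmlns:urn="urn:example" xmlns:pr="urn:example:pr" xmlns:opt="urn:example:opt"')

# Blocked payload from the issue: inner XML wrapped in CDATA.
CDATA_BODY = f"""<soapenv:Envelope {NS}>
    <soapenv:Body>
        <urn:Request>
            <GroupECMM><![CDATA[ <pr:formulaType><pr:formulaTypeCode><pr:typeCode><opt:code>S</opt:code></pr:typeCode> </pr:formulaTypeCode> </pr:formulaType>]]></GroupECMM>
</urn:Request>
</soapenv:Body>
</soapenv:Envelope>"""

# Allowed payload from the issue: the same XML as real elements.
PARSED_BODY = f"""<soapenv:Envelope {NS}>
    <soapenv:Body>
        <urn:Request>
            <pr:formulaType>
                <pr:formulaTypeCode>
                    <pr:typeCode>
                        <opt:code>S</opt:code>
                    </pr:typeCode>
                </pr:formulaTypeCode>
            </pr:formulaType>
        </urn:Request>
    </soapenv:Body>
</soapenv:Envelope>"""

# Simplified stand-in for the 941160 check (NOT the rule's regex, which the
# audit log truncates): an opening or closing tag, with an optional namespace
# prefix, whose name begins with an HTML tag name the rule cares about.
TAG_CHECK = re.compile(r"</?(?:[\w-]+:)?(?:form|iframe|embed|object|applet)", re.I)


def xml_text_content(body: str) -> str:
    """Approximate ModSecurity's XML:/* : concatenated text of every node under the root."""
    root = ET.fromstring(body)
    return "".join(root.itertext())


def matches(body: str) -> list:
    """Tag-looking fragments the WAF would see in the body's text content."""
    return TAG_CHECK.findall(xml_text_content(body))


if __name__ == "__main__":
    for name, body in (("CDATA", CDATA_BODY), ("parsed", PARSED_BODY)):
        print(name, "text content:", repr(xml_text_content(body)))
        print(name, "matches:", matches(body))
```

For the CDATA payload the text content starts with exactly the newlines and indentation the audit log shows in the XML:/* value, and the stand-in check finds four fragments (two `<pr:form`, two `</pr:form`), the same count as the four offsets in the log's `ref` field; the parsed payload yields only whitespace and "S", so nothing matches. If this endpoint legitimately carries XML inside CDATA, the usual CRS remedy is a rule exclusion scoped to it rather than disabling the rule: a `SecRule REQUEST_URI "@beginsWith /F5/status"` in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf with `ctl:ruleRemoveTargetById=941160;XML:/*`. Keep the scope narrow, because CDATA is also how markup is smuggled past naive input validation, and make sure whatever downstream component parses that inner string does so with a hardened parser.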
