This repository has been archived by the owner on May 14, 2020. It is now read-only.

XSS Attack Detected for valid XML Wrapped in CDATA Id 941160 #1720

Open
jeremyjpj0916 opened this issue Mar 12, 2020 · 0 comments


jeremyjpj0916 commented Mar 12, 2020

Description

Rule 941160 is blocking XML in CDATA; it's not a fan of the text <pr:form

Audit Logs / Triggered Rule Numbers

/tmp/audit/20200312/20200312-0426 $ cat 20200312-042600-158398716078.198431
---6YKmS8jV---B--
POST /F5/status HTTP/1.1
content-length: 342
accept-encoding: gzip, deflate
Accept: */*
cache-control: no-cache
Host: gateway.company.com
Authorization: Bearer XXXXXXX
User-Agent: PostmanRuntime/7.6.1
Content-Type: application/xml
Connection: keep-alive
X-Forwarded-For: XXXXX

---6YKmS8jV---C--
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <urn:Request>
            <GroupECMM><![CDATA[ <pr:formulaType><pr:formulaTypeCode><pr:typeCode><opt:code>S</opt:code></pr:typeCode> </pr:formulaTypeCode> </pr:formulaType>]]></GroupECMM>
</urn:Request>
</soapenv:Body>
</soapenv:Envelope>

---6YKmS8jV---D--

---6YKmS8jV---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a


---6YKmS8jV---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3139 characters omitted)' against variable`XML:/*' (Value: `\x0a    \x0a        \x0a             <pr:formulaType><pr:formulaTypeCode><pr:typeCode><opt:code>S</o (74 characters omitted)' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "195"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <pr:form found within XML:/*: \x0a    \x0a        \x0a             <pr:formulaType><pr:formulaTypeCode><pr:typeCode><opt:code>S</opt:code></pr:typeCode> </pr:formulaTypeCode> </pr:formulaType>\x0a\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"][accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "XXXXX"] [uri "/F5/status"] [unique_id "158398716078.198431"] [ref "o28,8o44,8o114,9o136,9t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "XXXX"] [uri "/F5/status"] [unique_id "158398716078.198431"] [ref ""]

Interestingly, if you take the valid XML out of the CDATA you don't get blocked; request payload example like so:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <urn:Request>
            <pr:formulaType>
                <pr:formulaTypeCode>
                    <pr:typeCode>
                        <opt:code>S</opt:code>
                    </pr:typeCode>
                </pr:formulaTypeCode>
            </pr:formulaType>
        </urn:Request>
    </soapenv:Body>
</soapenv:Envelope>

These payloads are dumbed-down versions of a real request I saw, and I have taken out all the SOAP headers, xmlns namespace declarations and such to just get the meat of the block.

Your Environment

  • CRS version (e.g., v3.2.0): 3.2/master
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 3.0.4
  • Web Server and version (e.g., apache 2.4.41): Nginx
  • Operating System and version: Alpine Linux

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
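As an added example (not code from the issue author or the CRS project), the following Python script reproduces what the XML:/* target sees for the two payloads above: the string value of the document element, in which CDATA content survives as plain text while real element markup never appears. The xmlns bindings and the short tag regex standing in for rule 941160's pattern are assumptions made here for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed placeholder namespace bindings: the report stripped the real
# xmlns declarations, and a namespace-aware parser rejects unbound prefixes.
NS = ('xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
      'xmlns:urn="urn:placeholder:request" '
      'xmlns:pr="urn:placeholder:pr" xmlns:opt="urn:placeholder:opt"')

# Blocked payload from the report: the nested elements live inside CDATA.
CDATA_PAYLOAD = f"""<soapenv:Envelope {NS}>
    <soapenv:Body>
        <urn:Request>
            <GroupECMM><![CDATA[ <pr:formulaType><pr:formulaTypeCode><pr:typeCode><opt:code>S</opt:code></pr:typeCode> </pr:formulaTypeCode> </pr:formulaType>]]></GroupECMM>
        </urn:Request>
    </soapenv:Body>
</soapenv:Envelope>"""

# Allowed payload from the report: the same data as real elements.
ELEMENT_PAYLOAD = f"""<soapenv:Envelope {NS}>
    <soapenv:Body>
        <urn:Request>
            <pr:formulaType><pr:formulaTypeCode><pr:typeCode><opt:code>S</opt:code></pr:typeCode></pr:formulaTypeCode></pr:formulaType>
        </urn:Request>
    </soapenv:Body>
</soapenv:Envelope>"""

# Assumed, heavily simplified stand-in for the branch of rule 941160 that
# reported "<pr:form": '<', an optional namespace prefix, then a tag name.
# The real CRS pattern is far longer (the audit log omits 3139 characters).
TAG_RE = re.compile(r"<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:form|script|style|svg)", re.I)


def xml_root_string_value(xml_doc):
    """Approximate the XML:/* target: the XPath string value of the document
    element, i.e. every descendant text node concatenated. The parser has
    already turned CDATA into ordinary character data, so the literal
    '<pr:formulaType>...' text is present here; element names are not."""
    root = ET.fromstring(xml_doc)
    return "".join(root.itertext())


def html_injection_fragment(xml_doc):
    """Return the fragment the simplified rule would report, or None."""
    match = TAG_RE.search(xml_root_string_value(xml_doc))
    return match.group(0) if match else None


if __name__ == "__main__":
    for name, doc in (("CDATA", CDATA_PAYLOAD), ("elements", ELEMENT_PAYLOAD)):
        print(f"{name}: XML:/* = {xml_root_string_value(doc).strip()!r}")
        print(f"{name}: matched = {html_injection_fragment(doc)!r}")
```

Running it shows the CDATA payload yields the fragment "<pr:form" from the text node while the element form yields only "S", which is why only the CDATA request trips the rule.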
