This repository has been archived by the owner on May 14, 2020. It is now read-only.
frankyhun
changed the title
False positive - XSS Attack Detected via libinjection for AWS AWSALBCORS Cookie
XSS Attack Detected via libinjection for AWS AWSALBCORS Cookie
Mar 31, 2020
As the cookie arrives at libinjection it is reformatted as:
REQUEST_COOKIES:AWSALBCORS: PWOhL14py8Wi FMWQxerjk4XFirhKd457flcD 95U90WpVH1VOdwKE/HeJ 3Mjfd4Tt861Hh vY7cEYSPJ0I1xs 3XaXNZtlpTFCDCJd7psj/K7Hbb T THELV3ISsCQ1is4wS4m ...
So the + sign is replaced with spaces.
Libinjection xss detects Ong1VE1igIhX7bSV9ylSA== as a black attribute in the method is_black_attr, because its length is >= 5, and it begins with ON (case insensitive).
Description
libinjection detects XSS Attack in the AWS AWSALBCORS Cookie, and blocks harmless requests.
Audit Logs / Triggered Rule Numbers
---O4A1GJgF---A--
[30/Mar/2020:04:26:00 +0000] 158554236078.061819 0
---O4A1GJgF---B--
POST /oauth/token HTTP/1.1
Accept: application/json, application/*+json
X-Span-Name: https:/oauth/token
Content-Length: 94
b3: 779cec51b5c99a01-779cec51b5c99a01-0
X-Forwarded-Port: 443
X-Amzn-Trace-Id: Root=1-5e8174d8-9f586f0037986e007de2cf80
Authorization: Basic
Host:
X-B3-SpanId: 779cec51b5c99a01
Content-Type: application/x-www-form-urlencoded
X-Forwarded-Proto: https
User-Agent: Apache-HttpClient/4.5.9 (Java/1.8.0_212)
X-Forwarded-For:
X-B3-TraceId: 779cec51b5c99a01
X-B3-Sampled: 0
Cookie: AWSALB=PWOhL14py8Wi+FMWQxerjk4XFirhKd457flcD+95U90WpVH1VOdwKE/HeJ+3Mjfd4Tt861Hh+vY7cEYSPJ0I1xs+3XaXNZtlpTFCDCJd7psj/K7Hbb+T+THELV3ISsCQ1is4wS4m4M7ROnNQDTYWMWpbbQgIVx3lw9ZYF1Cm+Ong1VE1igIhX7bSV9ylSA==; AWSALBCORS=PWOhL14py8Wi+FMWQxerjk4XFirhKd457flcD+95U90WpVH1VOdwKE/HeJ+3Mjfd4Tt861Hh+vY7cEYSPJ0I1xs+3XaXNZtlpTFCDCJd7psj/K7Hbb+T+THELV3ISsCQ1is4wS4m4M7ROnNQDTYWMWpbbQgIVx3lw9ZYF1Cm+Ong1VE1igIhX7bSV9ylSA==
Accept-Encoding: gzip,deflate
---O4A1GJgF---F--
HTTP/1.1 403
Server: nginx
Date: Mon, 30 Mar 2020 04:26:00 GMT
Connection: keep-alive
---O4A1GJgF---H--
ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/nginx/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within REQUEST_COOKIES:AWSALBCORS: PWOhL14py8Wi FMWQxerjk4XFirhKd457flcD 95U90WpVH1VOdwKE/HeJ 3Mjfd4Tt861Hh vY7cEYSPJ0I1xs 3XaXNZtlpTFCDCJd7psj/K7Hbb T THELV3ISsCQ1is4wS4m (56 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/oauth/token"] [unique_id "158554236078.061819"] [ref "v662,192t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullsv867,192t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
---O4A1GJgF---I--
---O4A1GJgF---J--
---O4A1GJgF---K--
---O4A1GJgF---Z--
Your Environment
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
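As an added illustration (not code from the CRS project, ModSecurity or libinjection), the following Python models the two facts the report states: ModSecurity's t:urlDecodeUni turns every "+" in the cookie into a space before the value reaches libinjection, and libinjection's is_black_attr treats any attribute name of length >= 5 that begins with "on" (case-insensitive) as an event-handler attribute. The tokenizer here is a deliberate simplification of libinjection's html5 parser (whitespace separates attribute names, "=" ends one); the cookie value is copied from the audit log above. Running it with and without the decode step shows why the same opaque base64-style value is clean as sent but flagged after transformation.

```python
"""Model of the rule 941100 false positive on the AWSALBCORS cookie.

Simplified stand-in for libinjection's html5 tokenizer and is_black_attr;
it reproduces only the behaviour described in the issue report, nothing
more, and is not the library's own code.
"""
from typing import List
from urllib.parse import unquote_plus

# Cookie value copied verbatim from the audit log in this issue.
AWSALBCORS = (
    "PWOhL14py8Wi+FMWQxerjk4XFirhKd457flcD+95U90WpVH1VOdwKE/HeJ+"
    "3Mjfd4Tt861Hh+vY7cEYSPJ0I1xs+3XaXNZtlpTFCDCJd7psj/K7Hbb+T+"
    "THELV3ISsCQ1is4wS4m4M7ROnNQDTYWMWpbbQgIVx3lw9ZYF1Cm+"
    "Ong1VE1igIhX7bSV9ylSA=="
)


def url_decode_uni(value: str) -> str:
    """Approximation of ModSecurity's t:urlDecodeUni for this input:
    '%XX' escapes are decoded and '+' becomes a space (form encoding),
    which is exactly what splits the base64 cookie into several tokens."""
    return unquote_plus(value)


def attribute_names(decoded: str) -> List[str]:
    """Tokenize the way an attribute-name state would see the string:
    whitespace separates attribute names and '=' ends a name (the value
    follows). Simplification of the html5 tokenizer libinjection uses."""
    names = []
    for tok in decoded.split():
        name = tok.split("=", 1)[0]
        if name:
            names.append(name)
    return names


def is_black_attr(name: str) -> bool:
    """The heuristic the report describes: an attribute name at least 5
    characters long starting with 'on' (case-insensitive) is treated as an
    event handler such as onload or onerror."""
    return len(name) >= 5 and name[:2].lower() == "on"


def flagged_attributes(raw_value: str, decode: bool = True) -> List[str]:
    """Return the attribute-like tokens the heuristic flags, with or without
    the urlDecodeUni step, so the two pipelines can be compared side by side."""
    value = url_decode_uni(raw_value) if decode else raw_value
    return [name for name in attribute_names(value) if is_black_attr(name)]


if __name__ == "__main__":
    # Without the transformation the whole value is one token starting
    # with 'PW', so nothing is flagged.
    print("as sent:     ", flagged_attributes(AWSALBCORS, decode=False))
    # After '+' -> ' ' the last chunk 'Ong1VE1igIhX7bSV9ylSA' stands alone.
    print("after decode:", flagged_attributes(AWSALBCORS))
```

The second line of output is the false positive in miniature: a random base64 chunk that happens to start with "On" is indistinguishable, to this heuristic, from an event-handler attribute. For a load-balancer cookie whose value the application never reflects into HTML, the usual CRS-side remedy is a target exclusion such as `SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:AWSALBCORS"` (and likewise for AWSALB), placed in the rule exclusion file that is loaded after the rules, rather than disabling 941100 outright.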