I have a violation of 941100 as follows. I believe that it is
false-positive, and I'm not sure whether it should be whitelisted.
--bf187d07-B--
GET /indexj.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer:
http://www.bing.com/search?q=xxxxxxxx+online&src=IE-SearchBox&FORM=IE11SR
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.xxxxxxxx.com
DNT: 1
Connection: Keep-Alive
--bf187d07-H--
Message: Warning. detected XSS using libinjection. [file
"/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"]
[line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via
libinjection"] [data "Matched Data: connection found within
REQUEST_HEADERS:Referer: http://www.bing.com/search?q=xxxxxxxx
online&src=IE-SearchBox&FORM=IE11SR"] [severity "CRITICAL"] [ver
"OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag
"application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
"attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"]
[tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag
"OWASP_AppSensor/IE1"] [tag "CAPEC-242"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file
"/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
[line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total
Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag
"language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
[file
"/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/RESPONSE-980-CORRELATION.conf"]
[line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total
Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0):
XSS Attack Detected via libinjection"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s]
ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s]
ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s]
ModSecurity: %s%s [uri "%s"]%s
Apache-Handler: proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost
Stopwatch: 1495034424961653 46331 (- - -)
Stopwatch2: 1495034424961653 46331; combined=1346, p1=337, p2=706,
p3=52, p4=155, p5=95, sr=53, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/);
OWASP_CRS/3.0.0.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
Engine-Mode: "DETECTION_ONLY"
I will post more of the log entry if desired.
The request is legit - the index page of the site, and the error seems
to object to the contents of the referring-page header line, which is a
bing search request.
I don't understand how this is an XSS attack. The only special
characters in it are & and ?.
I read the rule, but didn't see how it works. I am only an egg.
Could somebody explain?
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
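An added example, not part of the original post and not taken from the CRS project's own rule files: if the operator decides that rule 941100 should no longer inspect the Referer header for this site, these are the two CRS 3.0 / ModSecurity 2.9 rule-exclusion forms that do it. The first is narrow (only when the Referer points at a Bing search page) and must be placed before the CRS rules are loaded; the second drops the Referer target from 941100 for every request and must be placed after the CRS rules. The rule id 10001, the Bing URL prefix and the file placement comments are assumptions made for this example.

```apacheconf
# --- Narrow, per-request exclusion (assumed file: REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) ---
# ctl: actions take effect only for the current transaction, so this rule
# must run before 941100 does; phase:1 and loading it ahead of the CRS
# rules guarantee that. Only Referer values that start with the Bing search
# URL (a constructed, assumed prefix) lose the 941100 check; every other
# header and argument is still inspected.
SecRule REQUEST_HEADERS:Referer "@beginsWith http://www.bing.com/search" \
    "id:10001,phase:1,pass,nolog,t:none,ctl:ruleRemoveTargetById=941100;REQUEST_HEADERS:Referer"

# --- Global exclusion (assumed file: RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf) ---
# Rewrites the target list of 941100 at configuration load time, so it must
# come after the rule it modifies has been defined. The rule keeps running
# against ARGS, cookies and the other headers; only the Referer is removed.
SecRuleUpdateTargetById 941100 "!REQUEST_HEADERS:Referer"
```

Use one form or the other, not both. In the log above the 941100 hit alone contributed XSS=5, which is exactly the inbound anomaly threshold that 949110 evaluated (Operator GE matched 5), so removing this single false-positive source is enough to keep a Bing-referred visit below the blocking threshold once the engine is switched from DETECTION_ONLY to blocking. Keep the exclusion as narrow as the application allows: the Referer header is client-supplied, so the narrow form is preferable wherever the application echoes or stores the Referer value.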