FP Rule [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] · Issue #2006 · coreruleset/coreruleset · GitHub

FP Rule [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] #2006

Closed
tenpura-shrimp opened this issue Feb 8, 2021 · 1 comment

Comments

@tenpura-shrimp

Description

Message: Warning. Pattern match "(?i)[\\s\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]+on[a-zA-Z]+[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=" at ARGS:sig. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "123"] [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 6ONDsRI= found within ARGS:sig: AOq0QJ8wRgIhAKuxokAeHNKeYixGsoXSzp2xYuovnkpxAcu8PvHbz2BKAiEAiLgVhEmndw7P11FwbGA78pWwaaT8-K8J0L1k6ONDsRI="] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"]
Message: Access denied with code 403 (phase 2). Operator GE matched 2 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 2 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Filter - Category 2: Event Handler Vector; individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]

Audit Logs / Triggered Rule Numbers

One of the parameters is a Base64 string. This rule triggered on that, which is bad because only a few matching bytes can trigger this rule. We should be able to include base64 binary data in the query params.

Your Environment

  • CRS version (e.g., v3.2.0): 3.1.0
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 2.9.3
  • Web Server and version (e.g., apache 2.4.41):
  • Operating System and version: debian

Confirmation

[ yes ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@dune73
Member
dune73 commented Feb 15, 2021

Thank you for reporting and sorry for the inconvenience.

This is a reiteration of a known issue that is documented in #1867. Unfortunately very hard to solve. But I am closing this in favor of #1867.
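
The false positive reported above, reproduced as an added example that is not part of the original thread or of the CRS project's code: it re-runs the logged 941120 pattern on the logged `ARGS:sig` value and flags hits where the match is completed only by base64 padding. The `classify` and `is_padded_base64` helpers, the triage heuristic and the second log line are assumptions made for illustration.

```python
import base64
import binascii
import re

# Rule 941120 pattern as logged in the issue; the log's doubled backslashes
# are reduced to single ones for Python's re module.
RULE_941120 = re.compile(
    r"""(?i)[\s"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+"""
    r"""[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?="""
)
# Pulls matched data, target and full value out of a ModSecurity [data "..."] field.
DATA_FIELD = re.compile(r'\[data "Matched Data: (.*?) found within (\S+): (.*?)"\]')

# [id] and [data] fields copied from the log line in the issue.
ISSUE_LOG = ('[id "941120"] [data "Matched Data: 6ONDsRI= found within ARGS:sig: '
             'AOq0QJ8wRgIhAKuxokAeHNKeYixGsoXSzp2xYuovnkpxAcu8PvHbz2BKAiEAiLgVhEmndw7P'
             '11FwbGA78pWwaaT8-K8J0L1k6ONDsRI="]')
# Constructed sample of the input the rule is meant to catch.
HANDLER_LOG = ('[id "941120"] [data "Matched Data:  onmouseover= found within '
               'ARGS:q: name onmouseover=x"]')


def is_padded_base64(value):
    """True if value is well-formed standard or URL-safe base64 ending in '='."""
    if not value.endswith("="):
        return False
    try:
        base64.b64decode(value, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def classify(log_line):
    """Re-run the rule on the logged value and flag the base64-padding case."""
    field = DATA_FIELD.search(log_line)
    if field is None:
        return None
    matched, target, value = field.groups()
    hit = RULE_941120.search(value)
    # Assumed heuristic: only padding follows the match, so no handler body exists.
    at_padding = hit is not None and value[hit.end():].strip("=") == ""
    return {"target": target, "logged": matched,
            "reproduced": hit.group(0) if hit else None,
            "likely_base64_fp": at_padding and is_padded_base64(value)}


if __name__ == "__main__":
    print(classify(ISSUE_LOG), classify(HANDLER_LOG), sep="\n")
```

The match exists only because of the trailing `=` padding: the same `sig` value with the padding stripped does not match the pattern.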
