False positive on parameter value XMLNS #2071

noneisland · 2021-05-10T17:08:24Z

Description

GET /api/v1/query?q=7XMLNS triggered false positive because the parameter contains "XMLNS"

#16 4.565 Rule Id: 941130 phase: 2
#16 4.565 * Match, but no disruptive action: ModSecurity: Warning. Matched "Operator Rx' with parameter (?i)\s\S\b' against variable ARGS:q' (Value: 7XMLNS' ) [file "/opt/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "125"] [id "941130"] [rev ""] [msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data: 7XMLNS found within ARGS:q: 7XMLNS"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname ""] [uri "/api/v1/query"] [unique_id "162043736477.530879"] [ref "o0,6v20,6t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

Your Environment

CRS version: default v3.4/dev
Paranoia level setting:
ModSecurity version : 3.0.4
Web Server and version :
Operating System and version: Amazon Linux 2

Confirmation

[ x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

The text was updated successfully, but these errors were encountered:

lifeforms · 2021-05-10T18:41:39Z

Hi @noneisland, thanks for your report.

Your parameter is triggered by the pattern (?i)[\s\S]xmlns\b in regexp-941130.data.

It looks to me, as if we could safely get rid of the false positive by ensuring a word boundary, as in: (?i)[\s\S]\bxmlns\b.

We could do the same for some other words in this file, I would propose to change it to:

(?i)[\s\S]\bxlink:href\b
(?i)[\s\S]\bxhtml\b
(?i)[\s\S]\bxmlns\b
(?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+SYSTEM\b
(?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+PUBLIC\b
(?i)[\s\S]\bdata:text/html\b
(?i)[\s\S]\bformaction\b
(?i)[\s\S]@import\b
(?i)[\s\S];base64\b
(?i)[\s\S]pattern\b.*?=\b

The rule is an XSS rule. Since I don't have so much experience with XSS myself, I will discuss this with our dev team on our next meeting before proceeding, as I don't want to introduce vulnerabilities.

Again thanks for the report and we will follow up soon.

noneisland · 2021-05-10T19:36:51Z

Hi @lifeforms , thank you for your quick response.

I'm interested in contributing to fix the false positive if somebody can tell me how we build and test the changes to the coreruleset.

I discovered these false positives when using coreruleset with my application logs.

If somebody can give me some guidance, I probably will be able to fix these false positives quicker because they are a blocker for my use case.

lifeforms · 2021-05-10T19:53:29Z

Normally you can just change the rule files in place, but in this case, it's a bit more complicated because rule 941130 is compressed from a series of regular expressions into one big regular expression. This helps us keep the number of rules lower and make processing faster while keeping related patterns in one rule.

The source regexps can be found in the file regexp-941130.data. These are the ones that could be improved, using my example for instance.

But this file is not directly used by web servers. We have to insert the compressed version into the *.conf rule file first.

When you look at the comment on rule 941130 you find that we run a perl command to generate the compressed regexp, and the output of that perl script is the one that we put in the rule file.

To compile the regexps into one, you need Perl and the Regexp::Assemble CPAN module. You can read more about it in our blog on Regexp::Assemble.

With the updated .data file and the changed rule file, it is almost ready for a PR. The final step for a perfect PR is to add a test case for your false positive to our regression tests. This ensures that you definitely have fixed the problem and it protects us from reintroducing the error again in a future change. To do this, you add a section at the bottom of the test file 941130.yaml that contains your payload, but it should end with no_log_contains: id "941130" because, if the new rule is correct, it should NOT trigger rule 941130 any longer.

Good luck!

noneisland · 2021-05-10T20:25:01Z

hi @lifeforms , thanks for the information.

I am wondering if this can be made easier, e.g., "make testruleset" will automatically tell you if your changes succeeds or fails.

lifeforms · 2021-05-10T21:46:53Z

It's possible to run the tests with Docker but my setup is currently not working anymore so I hope someone else can pitch in on how to run the tests locally, @franbuehler or @fzipi ?

fzipi · 2021-05-11T16:19:13Z

Sure, it is possible.

You need python3, docker, and docker-compose installed.

The steps should be:

pip install --upgrade setuptools wheel
pip install -r tests/regression/requirements.txt
mkdir -p tests/logs/modsec2-apache/apache2
docker-compose -f ./tests/docker-compose.yml up -d modsec2-apache
py.test -vs --tb=short tests/regression/CRS_Tests.py \
  --config="modsec2-apache" \
  --ruledir=./tests/regression/tests

Will write a wiki page with this.

noneisland · 2021-05-14T21:10:06Z

@fzipi , thanks for the instructions. I followed the guide and set it up. But in the last step, it doesn't appear that any tests were actually ran.

py.test -vs --tb=short tests/regression/CRS_Tests.py --config="modsec2-apache" --ruledir=./tests/regression/tests
======================================================================================================= test session starts ========================================================================================================
platform darwin -- Python 3.7.3, pytest-4.6.0, py-1.10.0, pluggy-0.13.1 -- /code/coreruleset/bin/python3
cachedir: .pytest_cache
rootdir: /code/coreruleset
plugins: ftw-1.2.4
collected 1 item

tests/regression/CRS_Tests.py::test_crs[ruleset0-test0] SKIPPED

==================================================================================================== 1 skipped in 0.01 seconds =================

noneisland · 2021-05-14T21:27:27Z

Hi @noneisland, thanks for your report.

Your parameter is triggered by the pattern (?i)[\s\S]xmlns\b in regexp-941130.data.

It looks to me, as if we could safely get rid of the false positive by ensuring a word boundary, as in: (?i)[\s\S]\bxmlns\b.

We could do the same for some other words in this file, I would propose to change it to:
(?i)[\s\S]\bxlink:href\b
(?i)[\s\S]\bxhtml\b
(?i)[\s\S]\bxmlns\b
(?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+SYSTEM\b
(?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+PUBLIC\b
(?i)[\s\S]\bdata:text/html\b
(?i)[\s\S]\bformaction\b
(?i)[\s\S]@import\b
(?i)[\s\S];base64\b
(?i)[\s\S]pattern\b.*?=\b
The rule is an XSS rule. Since I don't have so much experience with XSS myself, I will discuss this with our dev team on our next meeting before proceeding, as I don't want to introduce vulnerabilities.

Again thanks for the report and we will follow up soon.

I did some research. "xmlns" itself is not a XSS attack, it has to be combined with javascript in order to be an actual attack.
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

dune73 · 2021-06-21T10:01:35Z

I'm losing the overview here a bit. Can you guys tell me what the status is?

lifeforms · 2021-06-21T19:50:12Z

Meeting decision: I will help the submitter by making the necessary changes myself.

8000

dune73 · 2021-06-23T08:45:05Z

For the record: We talked about this issue at our recent project meeting.

dune73 · 2021-07-19T14:06:50Z

I know you are very busy @lifeforms, but can you still give us a status?

dune73 · 2021-09-03T13:20:35Z

Ping @lifeforms

Copy link Member · 2021-09-06T16:45:13Z

Addressed this in PR #2192. I'd like to keep the changes as small as possible to move forward on this, we can always perfect the rule later. For further discussion please visit #2192.

noneisland added the ➕ False Positive label May 10, 2021

noneisland changed the title ~~False positive on value XMLNS~~ False positive on parameter value XMLNS May 10, 2021

lifeforms self-assigned this May 10, 2021

lifeforms added this to the CRS v3.4.0 milestone May 10, 2021

dune73 mentioned this issue May 17, 2021

Monthly Chat Agendas May (2021-05-03 and 2021-05-17) Meeting Agenda #2053

Closed

lifeforms mentioned this issue May 17, 2021

Rule Id: 932150 false positive on time keyword #2044

Closed

dune73 mentioned this issue Jun 21, 2021

Monthly Chat Agenda June (2021-06-07 and 2021-06-21) #2074

Closed

dune73 mentioned this issue Jul 19, 2021

Monthly Chat Agenda July (2021-07-05 and 2021-07-19) #2141

Closed

lifeforms closed this as completed Sep 6, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

False positive on parameter value XMLNS #2071

False positive on parameter value XMLNS #2071

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

False positive on parameter value XMLNS #2071

False positive on parameter value XMLNS #2071

Comments

Description

Your Environment

Confirmation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!