941 reacts to "pattern" in normal text · Issue #3961 · coreruleset/coreruleset · GitHub
Closed
Simbiat opened this issue Dec 25, 2024 · 1 comment · Fixed by #3963
Simbiat commented Dec 25, 2024

Description

Rule 941 is reacting to the word "pattern" in normal text (flow content). In my understanding, that should not be the case, because it should be part of attributes or headers, but I may be missing something.

How to reproduce the misbehavior (-> curl call)

Send something like

<li>Related to points 10 and 11, and thus also suggesting that something is off in HDR processing on monitor, <a href="https://www.youtube.com/watch?v=E9ATiC6jmUw&amp;t=720s" target="_blank" rel="noopener">here</a> you can see how in HDR mode "LG The Black" can clearly show a pattern in the dark background. I stress "clearly", as I would expect it to be possible to see it in general, but it feels like it should not be that obvious. I thought I was tripping, when I saw it initially, and thought it was some artifacts. This also suggests that maybe the brightness is being boosted unnecessarily. The video has my settings for the monitor <a href="https://www.youtube.com/watch?v=E9ATiC6jmUw&amp;t=406s" target="_blank" rel="noopener">here</a>.</li>

in a POST request. Sandbox results in this:

{
  "transaction": {
    "time": "25/Dec/2024:10:40:25.655977 +0000",
    "transaction_id": "Z2vhGbd79WUKbt4QpDNJiAAAAUA",
    "remote_address": "172.24.0.12",
    "remote_port": 43512,
    "local_address": "172.24.0.16",
    "local_port": 8080
  },
  "request": {
    "request_line": "POST / HTTP/1.1",
    "headers": {
      "X-Real-IP": "87.92.5.57",
      "Host": "localhost",
      "Connection": "close",
      "Content-Length": "886",
      "sec-ch-ua-platform": "\"Windows\"",
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0",
      "sec-ch-ua": "\"Microsoft Edge\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
      "DNT": "1",
      "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryvJlOhfCnnWNuI5RB",
      "sec-ch-ua-mobile": "?0",
      "Accept": "*/*",
      "Origin": "chrome-extension://eipdnjedkpcnlmmdfdkgfpljanehloah",
      "Sec-Fetch-Site": "none",
      "Sec-Fetch-Mode": "cors",
      "Sec-Fetch-Dest": "empty",
      "Accept-Encoding": "gzip, deflate, br, zstd",
      "Accept-Language": "en-US,en;q=0.9,ru;q=0.8,fi;q=0.7",
      "X-Unique-ID": "Z2vhGbd79WUKbt4QpDNJiAAAAUA"
    },
    "fake_body": "test=%3cli%3eRelated+to+points+10+and+11%2c+and+thus+also+suggesting+that+something+is+off+in+HDR+processing+on+monitor%2c+%3ca+href%3d%22https%3a%2f%2fwww%2eyoutube%2ecom%2fwatch%3fv%3dE9ATiC6jmUw%26amp%3bt%3d720s%22+target%3d%22%5fblank%22+rel%3d%22noopener%22%3ehere%3c%2fa%3e+you+can+see+how+in+HDR+mode+%22LG+The+Black%22+can+clearly+show+a+pattern+in+the+dark+background%2e+I+stress+%22clearly%22%2c+as+I+would+expect+it+to+be+possible+to+see+it+in+general%2c+but+it+feels+like+it+should+not+be+that+obvious%2e+I+thought+I+was+tripping%2c+when+I+saw+it+initially%2c+and+thought+it+was+some+artifacts%2e+This+also+suggests+that+maybe+the+brightness+is+being+boosted+unnecessarily%2e+The+video+has+my+settings+for+the+monitor+%3ca+href%3d%22https%3a%2f%2fwww%2eyoutube%2ecom%2fwatch%3fv%3dE9ATiC6jmUw%26amp%3bt%3d406s%22+target%3d%22%5fblank%22+rel%3d%22noopener%22%3ehere%3c%2fa%3e%2e%3c%2fli%3e"
  },
  "response": {
    "protocol": "HTTP/1.1",
    "status": 403,
    "headers": {
      "X-Unique-ID": "Z2vhGbd79WUKbt4QpDNJiAAAAUA",
      "Content-Length": "199",
      "Connection": "close",
      "Content-Type": "text/html; charset=iso-8859-1"
    },
    "body": "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don't have permission to access this resource.</p>\n</body></html>\n"
  },
  "audit_data": {
    "messages": [
      "Warning. Pattern match \"(?i).(?:\\\\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\\\\b.*?=)|!ENTITY[\\\\s\\\\x0b]+(?:%[\\\\s\\\\x0b]+)?[^\\\\s\\\\x0b]+[\\\\s\\\\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\\\\b\" at ARGS:test. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] [line \"157\"] [id \"941130\"] [msg \"XSS Filter - Category 3: Attribute Vector\"] [data \"Matched Data:  pattern in the dark background. I stress \\x22clearly\\x22, as I would expect it to be possible to see it in general, but it feels like it should not be that obvious. I thought I was tripping, when I saw it initially, and thought it was some artifacts. This also suggests that maybe the brightness is being boosted unnecessarily. The video has my settings for the monitor <a href=\\x22https://www.youtube.com/watch?v= found within ARGS:test: <li>Related to points 10 and 11, and thus also suggesti...\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag ",
      "Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"233\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"]",
      "Unconditional match in SecAction. [file \"/etc/modsecurity.d/crs-demo-setvar.conf\"] [line \"11\"] [id \"100000\"] [tag \"modsecurity\"]",
      "Warning. Unconditional match in SecAction. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"98\"] [id \"980170\"] [msg \"Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=5, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"reporting\"] [tag \"OWASP_CRS\"]"
    ],
    "error_messages": [
      "[file \"apache2_util.c\"] [line 288] [level 3] ModSecurity: Warning. Pattern match \"(?i).(?:\\\\\\\\\\\\\\\\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\\\\\\\\\\\\\\\\b.*?=)|!ENTITY[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\x0b]+(?:%[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\x0b]+)?[^\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\x0b]+[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\\\\\\\\\\\\\\\\b\" at ARGS:test. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] [line \"157\"] [id \"941130\"] [msg \"XSS Filter - Category 3: Attribute Vector\"] [data \"Matched Data:  pattern in the dark background. I stress \\\\\\\\x22clearly\\\\\\\\x22, as I would expect it to be possible to see it in general, but it feels like it should not be that obvious. I thought I was tripping, when I saw it initially, and thought it was some artifacts. This also suggests that maybe the brightness is being boosted unnecessarily. The video has my settings for the monitor <a href=\\\\\\\\x22https://www.youtube.com/watch?v= found within ARGS:test: <li>Related to points 10 and 11, and thus also suggesti...\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag  [hostname \"localhost\"] [uri \"/\"] [unique_id \"Z2vhGbd79WUKbt4QpDNJiAAAAUA\"]",
      "[file \"apache2_util.c\"] [line 288] [level 3] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"233\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"] [hostname \"localhost\"] [uri \"/\"] [unique_id \"Z2vhGbd79WUKbt4QpDNJiAAAAUA\"]",
      "[file \"apache2_util.c\"] [line 288] [level 3] ModSecurity: Warning. Unconditional match in SecAction. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"98\"] [id \"980170\"] [msg \"Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=5, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"reporting\"] [tag \"OWASP_CRS\"] [hostname \"localhost\"] [uri \"/\"] [unique_id \"Z2vhGbd79WUKbt4QpDNJiAAAAUA\"]"
    ],
    "action": {
      "intercepted": true,
      "phase": 2,
      "message": "Operator GE matched 5 at TX:blocking_inbound_anomaly_score."
    },
    "handler": "proxy-server",
    "stopwatch": {
      "p1": 882,
      "p2": 4166,
      "p3": 0,
      "p4": 0,
      "p5": 187,
      "sr": 0,
      "sw": 1,
      "l": 0,
      "gc": 0
    },
    "response_body_dechunked": true,
    "producer": [
      "ModSecurity for Apache/2.9.8 (http://www.modsecurity.org/)",
      "OWASP_CRS/4.8.0-dev"
    ],
    "server": "Apache/2.4.62 (Unix) OpenSSL/3.0.14",
    "engine_mode": "ENABLED"
  },
  "uploads": {
    "info": [],
    "total": 0
  }
}

Your Environment

Not sure it's relevant, since replicable on https://sandbox.coreruleset.org/ with minimum scenario

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@theseion
Contributor

Thanks for the report @Simbiat. Indeed, the text matches \bpattern\b.*?=. I'll try to prepare a fix.

@theseion theseion self-assigned this Dec 26, 2024
theseion added a commit to theseion/coreruleset that referenced this issue Dec 26, 2024
- change regular expression to not match any `=`
- add FP and true positive tests

Fixes coreruleset#3961
github-merge-queue bot pushed a commit that referenced this issue Dec 29, 2024
…3963)

- change regular expression to not match any `=`
- add FP and true positive tests

Fixes #3961

Co-authored-by: Felipe Zipitría <3012076+fzipi@users.noreply.github.com>
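To see why the flow text trips the rule and how a narrower alternative behaves, here is an added Python reproduction (not CRS or ModSecurity code): it encodes and decodes a form body the way the browser and the WAF do to build ARGS:test, runs the 941130 operator regex exactly as printed in the audit log above, and compares it with an assumed narrowing `pattern\s*=`, which is illustrative only and not the regex merged in #3963. The sample HTML strings are constructed.

```python
import re
from urllib.parse import parse_qs, urlencode

# Operator regex of CRS rule 941130 as printed in the sandbox audit log
# (OWASP_CRS/4.8.0-dev); only the "pattern" alternative is parameterised.
def build_941130(pattern_alt: str) -> re.Pattern:
    return re.compile(
        r"(?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|"
        + pattern_alt
        + r")|!ENTITY[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:SYSTEM|PUBLIC)"
        r"|@import|;base64)\b"
    )

# As reported: the lazy ".*?" lets the match run on to any later "=" in the text.
RULE_AS_REPORTED = build_941130(r"pattern\b.*?=")
# Assumed narrowing (NOT the fix merged in #3963): "=" must follow the attribute name.
RULE_NARROWED = build_941130(r"pattern\s*=")

# Constructed flow-text sample, shortened from the <li> snippet in the issue.
BENIGN_HTML = (
    '<li>In HDR mode "LG The Black" can clearly show a pattern in the dark background. '
    'The video has my settings <a href="https://www.youtube.com/watch?v=E9ATiC6jmUw&amp;t=406s" '
    'target="_blank">here</a>.</li>'
)
# Constructed sample where "pattern" really is used as an attribute.
ATTRIBUTE_HTML = '<input name="zip" pattern=abc>'


def args_from_form_body(body: str) -> dict:
    """Mimic the WAF's ARGS view of a form-urlencoded body: split on '&' and percent-decode."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def matched_data(rule: re.Pattern, value: str):
    """Return what ModSecurity would log as 'Matched Data', or None when the rule is silent."""
    m = rule.search(value)
    return m.group(0) if m else None


def evaluate(rule: re.Pattern, html: str):
    """Encode the HTML as the browser would post it, then run the rule over ARGS:test."""
    body = urlencode({"test": html})
    return matched_data(rule, args_from_form_body(body)["test"])


if __name__ == "__main__":
    for name, rule in (("as reported", RULE_AS_REPORTED), ("narrowed", RULE_NARROWED)):
        print(f"{name:12} benign   -> {evaluate(rule, BENIGN_HTML)!r}")
        print(f"{name:12} attribute-> {evaluate(rule, ATTRIBUTE_HTML)!r}")
```

The reported regex matches from the space before "pattern" up to the `v=` in the YouTube URL (the first `=` followed by a word character, as the trailing `\b` demands), which is exactly the "Matched Data" span in the audit log; the narrowed form stays silent on the prose while still firing on the attribute sample.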