8000 941 reacts to "pattern" in normal text · Issue #3961 · coreruleset/coreruleset · GitHub
941 reacts to "pattern" in normal text #3961
Closed
@Simbiat

Description


Rule 941 is reacting to the word "pattern" in normal text (flow content). In my understanding that should not be the case, because it should be part of attributes or headers, but I may be missing something.

How to reproduce the misbehavior (-> curl call)

Send something like

<li>Related to points 10 and 11, and thus also suggesting that something is off in HDR processing on monitor, <a href="https://www.youtube.com/watch?v=E9ATiC6jmUw&amp;t=720s" target="_blank" rel="noopener">here</a> you can see how in HDR mode "LG The Black" can clearly show a pattern in the dark background. I stress "clearly", as I would expect it to be possible to see it in general, but it feels like it should not be that obvious. I thought I was tripping, when I saw it initially, and thought it was some artifacts. This also suggests that maybe the brightness is being boosted unnecessarily. The video has my settings for the monitor <a href="https://www.youtube.com/watch?v=E9ATiC6jmUw&amp;t=406s" target="_blank" rel="noopener">here</a>.</li>

in a POST request. Sandbox results in this:

{
  "transaction": {
    "time": "25/Dec/2024:10:40:25.655977 +0000",
    "transaction_id": "Z2vhGbd79WUKbt4QpDNJiAAAAUA",
    "remote_address": "172.24.0.12",
    "remote_port": 43512,
    "local_address": "172.24.0.16",
    "local_port": 8080
  },
  "request": {
    "request_line": "POST / HTTP/1.1",
    "headers": {
      "X-Real-IP": "87.92.5.57",
      "Host": "localhost",
      "Connection": "close",
      "Content-Length": "886",
      "sec-ch-ua-platform": "\"Windows\"",
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0",
      "sec-ch-ua": "\"Microsoft Edge\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
      "DNT": "1",
      "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryvJlOhfCnnWNuI5RB",
      "sec-ch-ua-mobile": "?0",
      "Accept": "*/*",
      "Origin": "chrome-extension://eipdnjedkpcnlmmdfdkgfpljanehloah",
      "Sec-Fetch-Site": "none",
      "Sec-Fetch-Mode": "cors",
      "Sec-Fetch-Dest": "empty",
      "Accept-Encoding": "gzip, deflate, br, zstd",
      "Accept-Language": "en-US,en;q=0.9,ru;q=0.8,fi;q=0.7",
      "X-Unique-ID": "Z2vhGbd79WUKbt4QpDNJiAAAAUA"
    },
    "fake_body": "test=%3cli%3eRelated+to+points+10+and+11%2c+and+thus+also+suggesting+that+something+is+off+in+HDR+processing+on+monitor%2c+%3ca+href%3d%22https%3a%2f%2fwww%2eyoutube%2ecom%2fwatch%3fv%3dE9ATiC6jmUw%26amp%3bt%3d720s%22+target%3d%22%5fblank%22+rel%3d%22noopener%22%3ehere%3c%2fa%3e+you+can+see+how+in+HDR+mode+%22LG+The+Black%22+can+clearly+show+a+pattern+in+the+dark+background%2e+I+stress+%22clearly%22%2c+as+I+would+expect+it+to+be+possible+to+see+it+in+general%2c+but+it+feels+like+it+should+not+be+that+obvious%2e+I+thought+I+was+tripping%2c+when+I+saw+it+initially%2c+and+thought+it+was+some+artifacts%2e+This+also+suggests+that+maybe+the+brightness+is+being+boosted+unnecessarily%2e+The+video+has+my+settings+for+the+monitor+%3ca+href%3d%22https%3a%2f%2fwww%2eyoutube%2ecom%2fwatch%3fv%3dE9ATiC6jmUw%26amp%3bt%3d406s%22+target%3d%22%5fblank%22+rel%3d%22noopener%22%3ehere%3c%2fa%3e%2e%3c%2fli%3e"
  },
  "response": {
    "protocol": "HTTP/1.1",
    "status": 403,
    "headers": {
      "X-Unique-ID": "Z2vhGbd79WUKbt4QpDNJiAAAAUA",
      "Content-Length": "199",
      "Connection": "close",
      "Content-Type": "text/html; charset=iso-8859-1"
    },
    "body": "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don't have permission to access this resource.</p>\n</body></html>\n"
  },
  "audit_data": {
    "messages": [
      "Warning. Pattern match \"(?i).(?:\\\\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\\\\b.*?=)|!ENTITY[\\\\s\\\\x0b]+(?:%[\\\\s\\\\x0b]+)?[^\\\\s\\\\x0b]+[\\\\s\\\\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\\\\b\" at ARGS:test. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] [line \"157\"] [id \"941130\"] [msg \"XSS Filter - Category 3: Attribute Vector\"] [data \"Matched Data:  pattern in the dark background. I stress \\x22clearly\\x22, as I would expect it to be possible to see it in general, but it feels like it should not be that obvious. I thought I was tripping, when I saw it initially, and thought it was some artifacts. This also suggests that maybe the brightness is being boosted unnecessarily. The video has my settings for the monitor <a href=\\x22https://www.youtube.com/watch?v= found within ARGS:test: <li>Related to points 10 and 11, and thus also suggesti...\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag ",
      "Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"233\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"]",
      "Unconditional match in SecAction. [file \"/etc/modsecurity.d/crs-demo-setvar.conf\"] [line \"11\"] [id \"100000\"] [tag \"modsecurity\"]",
      "Warning. Unconditional match in SecAction. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"98\"] [id \"980170\"] [msg \"Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=5, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"reporting\"] [tag \"OWASP_CRS\"]"
    ],
    "error_messages": [
      "[file \"apache2_util.c\"] [line 288] [level 3] ModSecurity: Warning. Pattern match \"(?i).(?:\\\\\\\\\\\\\\\\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\\\\\\\\\\\\\\\\b.*?=)|!ENTITY[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\x0b]+(?:%[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\x0b]+)?[^\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\x0b]+[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\\\\\\\\\\\\\\\\b\" at ARGS:test. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] [line \"157\"] [id \"941130\"] [msg \"XSS Filter - Category 3: Attribute Vector\"] [data \"Matched Data:  pattern in the dark background. I stress \\\\\\\\x22clearly\\\\\\\\x22, as I would expect it to be possible to see it in general, but it feels like it should not be that obvious. I thought I was tripping, when I saw it initially, and thought it was some artifacts. This also suggests that maybe the brightness is being boosted unnecessarily. The video has my settings for the monitor <a href=\\\\\\\\x22https://www.youtube.com/watch?v= found within ARGS:test: <li>Related to points 10 and 11, and thus also suggesti...\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag  [hostname \"localhost\"] [uri \"/\"] [unique_id \"Z2vhGbd79WUKbt4QpDNJiAAAAUA\"]",
      "[file \"apache2_util.c\"] [line 288] [level 3] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"233\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"] [hostname \"localhost\"] [uri \"/\"] [unique_id \"Z2vhGbd79WUKbt4QpDNJiAAAAUA\"]",
      "[file \"apache2_util.c\"] [line 288] [level 3] ModSecurity: Warning. Unconditional match in SecAction. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"98\"] [id \"980170\"] [msg \"Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=5, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)\"] [ver \"OWASP_CRS/4.8.0-dev\"] [tag \"modsecurity\"] [tag \"reporting\"] [tag \"OWASP_CRS\"] [hostname \"localhost\"] [uri \"/\"] [unique_id \"Z2vhGbd79WUKbt4QpDNJiAAAAUA\"]"
    ],
    "action": {
      "intercepted": true,
      "phase": 2,
      "message": "Operator GE matched 5 at TX:blocking_inbound_anomaly_score."
    },
    "handler": "proxy-server",
    "stopwatch": {
      "p1": 882,
      "p2": 4166,
      "p3": 0,
      "p4": 0,
      "p5": 187,
      "sr": 0,
      "sw": 1,
      "l": 0,
      "gc": 0
    },
    "response_body_dechunked": true,
    "producer": [
      "ModSecurity for Apache/2.9.8 (http://www.modsecurity.org/)",
      "OWASP_CRS/4.8.0-dev"
    ],
    "server": "Apache/2.4.62 (Unix) OpenSSL/3.0.14",
    "engine_mode": "ENABLED"
  },
  "uploads": {
    "info": [],
    "total": 0
  }
}

Your Environment

Not sure it's relevant, since replicable on https://sandbox.coreruleset.org/ with minimum scenario

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
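To see why the free-text sentence trips 941130, here is an added example (not part of this issue and not CRS code) that runs the regex quoted in the audit log above, with the log's escaping undone, over a few constructed inputs. The sample texts are constructed for the example; the only thing taken from the page is the regex itself. The point it demonstrates is that the `pattern\b.*?=` branch does not require "pattern" to sit inside a tag or attribute: any later `=` in the same parameter (here the `v=` of the YouTube link) is enough, as long as the `=` is adjacent to a word character so that the trailing `\b` holds.

```python
import re

# Regex of CRS rule 941130 as printed in the audit log above (escaping undone).
RULE_941130 = re.compile(
    r"(?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\b.*?=)"
    r"|!ENTITY[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:SYSTEM|PUBLIC)"
    r"|@import|;base64)\b"
)

# Constructed inputs (not the issue's original body):
# 1. flow text that mentions "pattern" and later contains a link with "?v=" in it
SAMPLE_FREE_TEXT = (
    'show a pattern in the dark background. '
    '<a href="https://example.test/watch?v=abc">here</a>'
)
# 2. the same sentence with no "=" anywhere after the word
SAMPLE_NO_EQUALS = "show a pattern in the dark background."
# 3. the attribute vector the rule is actually aimed at
SAMPLE_ATTRIBUTE = "<input pattern=x onfocus=alert(1)>"


def match_941130(text: str):
    """Return the matched data (what ModSecurity logs as 'Matched Data') or None."""
    m = RULE_941130.search(text)
    return m.group(0) if m else None


def explain_941130(text: str):
    """For a hit on the 'pattern' branch, report where the keyword and the '='
    that closed `.*?=` sit, and how many characters the lazy `.*?` had to span.
    Returns None if the text does not match or matched a different branch."""
    m = RULE_941130.search(text)
    if m is None:
        return None
    data = m.group(0)
    kw = data.lower().find("pattern")
    if kw < 0 or not data.endswith("="):
        return None  # some other alternative of the rule fired
    keyword_offset = m.start() + kw
    equals_offset = m.end() - 1  # last char of the match is the '=' from `.*?=`
    return {
        "matched_data": data,
        "keyword_offset": keyword_offset,
        "equals_offset": equals_offset,
        "chars_between": equals_offset - (keyword_offset + len("pattern")),
    }


if __name__ == "__main__":
    for label, sample in [
        ("free text with later link", SAMPLE_FREE_TEXT),
        ("free text, no '='", SAMPLE_NO_EQUALS),
        ("attribute vector", SAMPLE_ATTRIBUTE),
    ]:
        print(f"{label}: match={match_941130(sample)!r}")
        print(f"  detail={explain_941130(sample)}")
```

Running it shows the first sample matching from " pattern" up to "?v=", the second not matching at all, and the third matching the tight " pattern=" that the rule is designed for. If a deployment needs to keep 941130 but stop it firing on a specific free-text field, the standard CRS mechanism is a runtime exclusion of that target, for example `ctl:ruleRemoveTargetById=941130;ARGS:test` in a phase-1 rule (the parameter name `test` is the one from the sandbox request above; the exclusion is a deployment-side workaround, not a change to the rule itself).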
