
Modsecurity CRS access denied with response 200?

Çağlar Arlı


Issue

I have tried to inject XSS into an input, and the logged total anomaly score is 84 (enough to block the request). The action returns Access denied, but why does it return a 200 code, and why is the request allowed to pass through to the webserver?

Specification:

Apache 2.4.41
CRS rules: 4.3.0 (default settings intact)
ModSecurity version: 3, latest

How it gets triggered:

Adding input containing the XSS payload <img src=a onerror=alert('dsklajl')>

Complete audit log:

ModSecurity: Warning. detected XSS using libinjection. [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:givenName[ar]: <img src=a onerror=alert('42232dsklajl')>"] [severity "2"] [ver "OWASP_CRS/4.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "example.com"] [uri "/jcb/api/v1/submissions/140/publications/143/contributors/187"] [unique_id "172023569217.942580"] [ref "v3538,36t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullsv3443,36t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullsv3682,818t:u (177 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A (4341 characters omitted)' against variable `ARGS:givenName[ar]' (Value: `<img src=a onerror=alert('42232dsklajl')>' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "200"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <img  found within ARGS:givenName[ar]: <img src=a onerror=alert('42232dsklajl')>"] [severity "2"] [ver "OWASP_CRS/4.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "example.com"] [uri "/jcb/api/v1/submissions/140/publications/143/contributors/187"] [unique_id "172023569217.942580"] [ref "o0,5v3538,36t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso0,5v3443,36t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso0,7 (195 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\x0b]*\(' against variable `ARGS:givenName[ar]' (Value: `<img src=a onerror=alert('42232dsklajl')>' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "713"] [id "941390"] [rev ""] [msg "Javascript method detected"] [data "Matched Data: alert( found within ARGS:givenName[ar]: <img src=a onerror=alert('42232dsklajl')>"] [severity "2"] [ver "OWASP_CRS/4.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "example.com"] [uri "/jcb/api/v1/submissions/140/publications/143/contributors/187"] [unique_id "172023569217.942580"] [ref "o19,6v3538,36t:htmlEntityDecode,t:jsDecodeo19,6v3443,36t:htmlEntityDecode,t:jsDecodeo763,6v3682,818t:htmlEntityDecode,t:jsDecodeo19,6v3349,41t:htmlEntityDecode,t:jsDecode"]
ModSecurity: Access denied with code 200 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `84' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 84)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.3.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "example.com"] [uri "/jcb/api/v1/submissions/140/publications/143/contributors/187"] [unique_id "172023569217.942580"] [ref ""]

My action: I have also tried changing crs-setup.conf lines 97-98 to SecDefaultAction "phase:X,log,auditlog,deny" and get the same result.

Expected result

It should get blocked, because the anomaly score reaches more than 7. But it weirdly responds with a 200 code, and data containing XSS should not be processed by the webserver.

Any guidance is appreciated.

Regards
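Reading the four log lines as data. The following is an added example, not code from the question or from the ModSecurity or CRS projects: a small Python parser run over constructed, abbreviated copies of the lines quoted above (the kilobyte-long Rx parameters and the [ref "..."] blobs are cut, nothing else is changed). It pulls out the rule ids, the numeric severities as libmodsecurity logs them (syslog levels, so the 941xxx matches are CRITICAL = 2 and the 949110 line is EMERGENCY = 0), the anomaly score and threshold from the 949110 line (84 against 5), and the HTTP code in "Access denied with code N". That code is the transaction's intervention status in libmodsecurity: it starts at 200 and is changed by deny (to 403 unless a status: action says otherwise) only when the disruptive action actually executes, which the engine does only with SecRuleEngine On; with SecRuleEngine DetectionOnly the match is logged with the "Access denied" wording but the action is skipped and the request goes through. A denial that still reports 200 is therefore the signature of a rule that was logged but not enforced, and the SecRuleEngine value in effect for that virtual host is the first thing to check. The parser flags exactly that condition; the ANOMALY_SCORE_VAR, Event and Verdict names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: abbreviated copies of the four error-log lines quoted in the question.
# The kilobyte-long Rx parameters and the [ref "..."] blobs are cut; everything else, including the
# "Access denied with code 200" line, is as logged.
SAMPLE_LOG = """\
ModSecurity: Warning. detected XSS using libinjection. [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:givenName[ar]: <img src=a onerror=alert('42232dsklajl')>"] [severity "2"] [ver "OWASP_CRS/4.3.0"] [tag "attack-xss"] [tag "paranoia-level/1"] [hostname "example.com"] [uri "/jcb/api/v1/submissions/140/publications/143/contributors/187"] [unique_id "172023569217.942580"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(regex abbreviated)' against variable `ARGS:givenName[ar]' (Value: `<img src=a onerror=alert('42232dsklajl')>' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "200"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [severity "2"] [ver "OWASP_CRS/4.3.0"] [tag "attack-xss"] [hostname "example.com"] [uri "/jcb/api/v1/submissions/140/publications/143/contributors/187"] [unique_id "172023569217.942580"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(regex abbreviated)' against variable `ARGS:givenName[ar]' (Value: `<img src=a onerror=alert('42232dsklajl')>' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "713"] [id "941390"] [msg "Javascript method detected"] [severity "2"] [ver "OWASP_CRS/4.3.0"] [tag "attack-xss"] [hostname "example.com"] [uri "/jcb/api/v1/submissions/140/publications/143/contributors/187"] [unique_id "172023569217.942580"]
ModSecurity: Access denied with code 200 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `84' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 84)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.3.0"] [tag "anomaly-evaluation"] [hostname "example.com"] [uri "/jcb/api/v1/submissions/140/publications/143/contributors/187"] [unique_id "172023569217.942580"]
"""

# "Warning." for a plain match; "Access denied with code N (phase P)." when the rule had a disruptive action.
HEAD_RE = re.compile(r"^ModSecurity: (?:Warning\.|Access denied with code (?P<status>\d+) \(phase (?P<phase>\d+)\)\.)")
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # [key "value"]; values in these lines carry no double quote
OPERATOR_RE = re.compile(r"Operator `(?P<op>\w+)' with parameter `(?P<param>.*?)' "
                         r"against variable `(?P<var>[^']*)' \(Value: `(?P<value>.*?)' \)")
# libmodsecurity logs severity as a syslog level; CRS 4 uses CRITICAL (2) for attack rules, EMERGENCY (0) for 949110.
SEVERITY_NAMES = {0: "EMERGENCY", 1: "ALERT", 2: "CRITICAL", 3: "ERROR", 4: "WARNING", 5: "NOTICE", 6: "INFO", 7: "DEBUG"}
ANOMALY_SCORE_VAR = "TX:BLOCKING_INBOUND_ANOMALY_SCORE"  # the variable rule 949110 tests with @ge


@dataclass
class Event:
    rule_id: str
    severity: Optional[int]
    unique_id: str
    denied: bool                      # line reads "Access denied": the rule carried a disruptive action
    status: Optional[int]             # the N in "Access denied with code N"
    phase: Optional[int]
    operator: Optional[str] = None    # Ge, Rx, ...
    parameter: Optional[str] = None   # the threshold for @ge, the regex for @rx
    variable: Optional[str] = None
    value: Optional[str] = None
    tags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Event]:
    """Turn one ModSecurity v3 error-log line into an Event, or None if it is not one."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    fields: Dict[str, str] = {}
    tags: List[str] = []
    for key, val in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(val)
        else:
            fields[key] = val
    sev, op = fields.get("severity", ""), OPERATOR_RE.search(line)
    status, phase = head.group("status"), head.group("phase")
    return Event(
        rule_id=fields.get("id", ""), severity=int(sev) if sev.isdigit() else None,
        unique_id=fields.get("unique_id", ""), denied=status is not None,
        status=int(status) if status else None, phase=int(phase) if phase else None,
        operator=op.group("op") if op else None, parameter=op.group("param") if op else None,
        variable=op.group("var") if op else None, value=op.group("value") if op else None, tags=tags,
    )


@dataclass
class Verdict:
    unique_id: str
    rules_hit: List[str]      # ids of the non-disruptive matches that fed the anomaly score
    score: Optional[int]
    threshold: Optional[int]
    status: Optional[int]
    enforced: bool
    note: str


def judge(events: List[Event]) -> Dict[str, Verdict]:
    """Group events per transaction and decide whether the logged denial was actually enforced."""
    by_tx: Dict[str, List[Event]] = {}
    for ev in events:
        by_tx.setdefault(ev.unique_id, []).append(ev)
    verdicts: Dict[str, Verdict] = {}
    for uid, evs in by_tx.items():
        deny = next((e for e in evs if e.denied), None)
        score = threshold = status = None
        if deny is not None:
            status = deny.status
            if deny.operator == "Ge" and deny.variable == ANOMALY_SCORE_VAR and deny.value.isdigit():
                score, threshold = int(deny.value), int(deny.parameter)
        # The intervention status starts at 200 and deny only changes it (to 403 by default) when the
        # disruptive action actually runs, so a denial still reporting 200 was logged, not enforced.
        enforced = deny is not None and status not in (None, 200)
        if deny is None:
            note = "no disruptive action logged"
        elif enforced:
            note = f"blocked with HTTP {status}"
        else:
            note = ("denial logged but status still 200: the disruptive action did not run; "
                    "check SecRuleEngine for this host (DetectionOnly logs the match and skips deny)")
        verdicts[uid] = Verdict(uid, [e.rule_id for e in evs if not e.denied], score, threshold, status, enforced, note)
    return verdicts


def analyse(text: str) -> Dict[str, Verdict]:
    """Parse a chunk of error log and return one Verdict per unique_id."""
    return judge([ev for ev in map(parse_line, text.splitlines()) if ev is not None])
```

Calling analyse(SAMPLE_LOG) yields one verdict for unique_id 172023569217.942580 with the three 941xxx rule ids, score 84 against threshold 5, status 200 and enforced False, together with the note pointing at SecRuleEngine; feeding it a log where the same line reads "Access denied with code 403" yields enforced True. The FIELD_RE pattern stops at the first double quote, which is enough for these lines but would need an escape-aware pattern for a [data "..."] value that itself contains a double quote.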