Message: Warning. detected XSS using libinjection. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: cookie found within REQUEST_HEADERS:Referer: http://www.xxxx.us/cms/One.aspx?pageId=33374"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Attack Detected via libinjection"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Handler: proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost
Stopwatch: 1492699434228916 9143 (- - -)
Stopwatch2: 1492699434228916 9143; combined=1834, p1=333, p2=1275, p3=41, p4=104, p5=81, sr=57, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
Engine-Mode: "DETECTION_ONLY"
The CMS page legitimately points to our site. What is causing the alert - it seems like a false positive to me, but since I have to support this, I need to understand it. I also don't understand the Apache-Error lines.
Any help welcome.
Thanks,
Ed Greenberg
I'm a newbie at interpreting these...
and later, in section H:
If you're having an issue, please add it to GitHub, as this forum isn't monitored anymore.
OK, thanks. Is there another forum for general questions?