
detected XSS using libinjection - cookie found within REQUEST_HEADERS

    Ed Greenberg - 2017-04-20

    I'm a newbie at interpreting these...

    --61b97613-A--
    [20/Apr/2017:10:43:54 --0400] WPjJKkLpBBeG6lfR0YfTCQAAAA8 172.58.91.231 22735 172.24.32.11 443
    --61b97613-B--
    GET /mobile/ HTTP/1.1
    Host: www.xxxxx.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Z981 Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.132 Mobile Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://www.xxxx.us/cms/One.aspx?pageId=33374
    Accept-Encoding: gzip, deflate, sdch, br
    Accept-Language: en-US,en;q=0.8
    Cookie: __utma=121318030.1146789097.1487363895.1489601485.1492545090.9; __utmz=121318030.1492545090.9.8.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=mqf2enemp0sqrh7k9togh6ed1ks3ar0jr8os4hrbnra3tadhr0768hgaq455ldo6jf5afjs01f8ro0bmq12t4t9b8g2e5ldh10j7q42
    

    and later, in section H:

    Message: Warning. detected XSS using libinjection. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: cookie found within REQUEST_HEADERS:Referer: http://www.xxxx.us/cms/One.aspx?pageId=33374"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"]
    Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
    Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Attack Detected via libinjection"] [tag "event-correlation"]
    Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
    Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
    Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
    Apache-Handler: proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost
    Stopwatch: 1492699434228916 9143 (- - -)
    Stopwatch2: 1492699434228916 9143; combined=1834, p1=333, p2=1275, p3=41, p4=104, p5=81, sr=57, sw=0, l=0, gc=0
    Response-Body-Transformed: Dechunked
    Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
    Engine-Mode: "DETECTION_ONLY"
    

    The CMS page legitimately points to our site. What is causing the alert - it seems like a false positive to me, but since I have to support this, I need to understand it. I also don't understand the Apache-Error lines.

    Any help welcome.

    Thanks,

    Ed Greenberg
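Added example (not from the post, and not CRS or ModSecurity project code): a small Python parser for the section H lines quoted above. It pulls out which rule actually scored and on which variable, the per-category score breakdown from rule 980130, the inbound threshold logged by rule 949110, and whether the Engine-Mode means the request was only logged. The sample section H is constructed from the lines in the post with the tag lists trimmed; the Apache-Error lines are skipped because, as shown, they carry literal %s placeholders and no rule data.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a ModSecurity 2.9 audit-log section H in the shape quoted in
# the post above (rule ids, messages and score breakdown copied; tag lists trimmed).
SAMPLE_SECTION_H = """\
Message: Warning. detected XSS using libinjection. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: cookie found within REQUEST_HEADERS:Referer: http://www.xxxx.us/cms/One.aspx?pageId=33374"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Attack Detected via libinjection"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Engine-Mode: "DETECTION_ONLY"
"""

PAIR_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# ModSecurity writes "Matched Data: <snippet> found within <VARIABLE>: <value>".
TARGET_RE = re.compile(r"found within ([A-Z_]+(?::[^\s:]+)?)")
# 949110 logs the expanded @ge argument, i.e. the configured inbound threshold.
THRESHOLD_RE = re.compile(r"Operator GE matched (\d+) at TX:anomaly_score")
BREAKDOWN_RE = re.compile(r"Total Inbound Score: (\d+) - ([A-Z]+=\d+(?:,[A-Z]+=\d+)*)")
# CRS 3.x rule-id prefixes that evaluate the score rather than match request content.
META_RULE_PREFIXES = ("949", "980")


def parse_messages(section_h: str) -> List[Dict]:
    """Turn each 'Message:' line into a dict of its [key "value"] pairs.

    Repeated 'tag' keys are collected into a list. Apache-Error lines are skipped:
    they hold unexpanded %s placeholders and nothing about the rule that fired.
    """
    messages = []
    for line in section_h.splitlines():
        if not line.startswith("Message: "):
            continue
        body = line[len("Message: "):]
        entry: Dict = {"text": body.split(" [", 1)[0].strip(), "tag": []}
        for key, value in PAIR_RE.findall(body):
            if key == "tag":
                entry["tag"].append(value)
            else:
                entry[key] = value
        messages.append(entry)
    return messages


def triggering_rules(messages: List[Dict]) -> List[Dict]:
    """Rules that matched request content, with the variable each one fired on."""
    hits = []
    for m in messages:
        rule_id = m.get("id", "")
        if not rule_id or rule_id.startswith(META_RULE_PREFIXES):
            continue
        target = TARGET_RE.search(m.get("data", ""))
        hits.append({
            "id": rule_id,
            "msg": m.get("msg", ""),
            "severity": m.get("severity", ""),
            "target": target.group(1) if target else None,
        })
    return hits


def score_breakdown(messages: List[Dict]) -> Dict[str, int]:
    """Per-category inbound scores (plus TOTAL) from the 980130 correlation message."""
    for m in messages:
        found = BREAKDOWN_RE.search(m.get("msg", ""))
        if found:
            scores = {k: int(v) for k, v in (p.split("=") for p in found.group(2).split(","))}
            scores["TOTAL"] = int(found.group(1))
            return scores
    return {}


def inbound_threshold(messages: List[Dict]) -> Optional[int]:
    """The inbound anomaly threshold as logged by rule 949110, if present."""
    for m in messages:
        if m.get("id") == "949110":
            found = THRESHOLD_RE.search(m["text"])
            return int(found.group(1)) if found else None
    return None


def engine_mode(section_h: str) -> str:
    found = re.search(r'^Engine-Mode: "([^"]+)"', section_h, re.MULTILINE)
    return found.group(1) if found else "UNKNOWN"


def summarize(section_h: str) -> Dict:
    """What fired, how it scored, and what the engine did about it."""
    messages = parse_messages(section_h)
    mode = engine_mode(section_h)
    scores = score_breakdown(messages)
    threshold = inbound_threshold(messages)
    total = scores.get("TOTAL", 0)
    # CRS anomaly mode: 949110 blocks once the total reaches the threshold, but in
    # DETECTION_ONLY the engine never intercepts, whatever the score.
    if mode == "DETECTION_ONLY":
        action = "logged only"
    elif threshold is not None and total >= threshold:
        action = "blocked"
    else:
        action = "allowed"
    return {"engine_mode": mode, "threshold": threshold, "scores": scores,
            "hits": triggering_rules(messages), "action": action}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SECTION_H).items():
        print(f"{key}: {value}")
```

Run against the sample it reports one content rule (941100) firing on REQUEST_HEADERS:Referer with XSS=5 of a total of 5 against a threshold of 5, and an action of "logged only" because of DETECTION_ONLY. When reviewing a suspected false positive this is the information to pin down first: the rule id and the exact variable, since a CRS exclusion is normally written against that pair rather than against the rule as a whole.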

     
    Chaim Sanders - 2017-04-20

    If you're having an issue, please add it to GitHub, as this forum isn't monitored anymore.

     
    Ed Greenberg - 2017-04-21

    OK, thanks. Is there another forum for general questions?

     
