Re: [mod-security-users] (no subject)
From: Ofer S. <Of...@Br...> - 2007-01-21 09:56:43
Thanks Nicholas,

As you say, the Referer header is prone to false positives as it is generated by other sites and extends their false positives to your site. This is the reason it is not searched for SQL injection signatures in the core rule set, and I am checking now whether to do the same for XSS, just as you suggest.

My experience is that the Cookie header is also prone to false positives such as this, but I'm less inclined to include an exception for the cookie header in the Core Set for two reasons:

(a) It is controlled by the application itself, and many times, such as in your case, the application should be changed rather than the rule. Storing the external Referer header in a cookie and presumably using it somewhere is a very good recipe for a security disaster.

(b) The Cookie header is used a lot by applications and therefore may be an attack channel more often than the Referer header.

Saying that, I assume that you do not have a simple way to have the application modified and therefore need another solution.

I think that in your case the simplest and most effective would be to exclude the cookie header also (!REQUEST_HEADERS:Cookie). Since the cookie is controlled by the referrer it is just a matter of time until another signature will match, so removing onClick is a short-term solution.

~ Ofer

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Nicholas Vulgrinski
Sent: Friday, January 19, 2007 7:02 PM
To: mod...@li...
Subject: [mod-security-users] (no subject)

The referer often contains the URL and parameters from another site, such as a web search page, when someone navigates to our site via a search. We have found that Time Warner's websearch contains an onClick parameter that sets off the XSS rule. This fix was suggested to exclude scanning the referer:
REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer

This almost worked for me, but our FireClick implementation stores the referer in the session cookie, so I still get a match (see below).

Sorry about the old version (rule id 50004). I had already removed the ".cookie" part of the rule because our site has cookies named something.cookie. I don't want to exclude an XSS on the cookies because we have observed other XSS attack attempts in the cookie. Any suggestions?

--674ddd71-A--
[16/Jan/2007:14:18:34 --0600] EPbcZKwQIh8AAATnGgcAAAAa 172.16.32.102 55719 172.16.34.31 80
--674ddd71-B--
GET /processSearch.do?allPropertyTypesSelected=true&usertypedcity=&destination=4fded4ff-af4a-41b7-976b-bd5bd436f135%7Cb68f06c3-77a8-49f1-9ba2-c9e779fdad9d%7CLas+Vegas%2C+NV%2C+USA%7C1&inout=&CIMonth=3&CIDay=2&CIYear=2007&COMonth=3&CODay=5&COYear=2007&dateless=&numrooms=1&adults%5B0%5D=2&child%5B0%5D=0 HTTP/1.1
Accept: */*
Referer: http://www.aaaa.com/index.jsp?PSRC=G21&displayAd=false&googlekw=aaaa.com_-_exact_match&js=1&zz=1168978561781
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1)
Cookie: JSESSIONID=UMHAKCHLXFI35LAQEZBSCOVMCATDOH20; ABTest.4=3; sid={AC102643-14D7-7459-1102-2C2C8ACB9E1F}; visitCounter=1; PSRC=G21; VSRC=HRN MRKT; SSRC=; MSRC=; TSRC=1; fcC=X=C1854576&Y=1168978630937&FV=8&H=1168978630921&Z=1&vis=g409650#e409650zaaaa.com_-_exact_match#m54z0#m56z0#m11z0#m42z0#l39#m52z1#m53z1#l17#e125482z-#m54z1#g440958#m40z0&D=G409651#E409651zaaaa.com_-_exact_match&F=0&I=1168978713171&E=5041538; fcP=C=0&T=1168978568750&DTO=1168978568671&V=1168978630921&fcV.1=G409651`1171570570406&fcV.2=E409651zaaaa.com_-_exact_match`1171570570421; fcR=http%3A//websearch.timewarnercable.com/websearch/%3Fdiv_id%3D30%26FUIComponentClass%3D%255Btype+Function%255D%26FRadioButtonClass%3D%255Btype+Function%255D%26FRadioButtonGroupClass%3D%255Btype+Function%255D%26FPushButtonClass%3D%255Btype+Function%255D%26searches%3D%255Bobject+Object%255D%26getValue%3D%255Btype+Function%255D%26onClick%3D%255Btype+Function%255D%26query%3Daaaa%252Ecom
TE: chunked;q=1.0
Connection: TE, keep-alive
Accept-Encoding: gzip
Akamai-Origin-Hop: 1
Via: 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For: 71.79.187.187, 72.247.29.86
Host: www.aaaa.com
Pragma: no-cache
Cache-Control: no-cache, max-age=0
--674ddd71-F--
HTTP/1.1 200 OK
Set-Cookie: sid={AC102643-14D7-7459-1102-2C2C8ACB9E1F}; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: PSRC=G21; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: VSRC=HRN MRKT; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: SSRC=; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: MSRC=; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: TSRC=1; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Keep-Alive: timeout=3, max=59
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
--674ddd71-H--
Message: Warning. Pattern match "(?:\\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\b\\W*?=|abort\\b)|(?:l(?:owsrc\\b\\W*?\\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\\b\\W*?\\b(?:(?:java|vb)script|shell|mocha):|type\\b\\W*?\\b(?:text\\b(?:\\W*?\\b(?:j(?:ava)?|ecma)script\\b|[vbscript])|application\\b\\W*?\\bx-(?:java|vb)script\\b)|s(?:(?:tyle\\b\\W*=.*\\bexpression\\b\\W*|ettimeout\\b\\W*?)\\(|rc\\b\\W*?\\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:)\\b|a(?:ctivexobject\\b|lert\\b\\W*?\\())|<(?:(?:body\\b.*?\\b(?:backgroun|onloa)d|input\\b.*?\\btype\\b\\W*?\\bimage)\\b|!\\[CDATA\\[|script|meta)|(?:\\.(?:(?:execscrip|addimpor)t|fromcharcode|innerhtml)|\\B@import)\\b)" at REQUEST_HEADERS:Cookie. [id "50004"] [msg "Cross-site Scripting (XSS) Attack"] [severity "WARNING"]
Stopwatch: 1168978713435236 735698 (233 2539 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.52 (CentOS)
--674ddd71-Z--