Thread: [mod-security-users] Mod_Security Wordpress False Positives
From: Devin A <de...@pa...> - 2021-07-21 15:56:12
I am rather new to Mod_Security, I have enabled the mod_security rules within HAProxy and I have WordPress sites behind my load balancer. I am confused on why I have quite a few false positives still being activated.

In my crs-setup.conf:

SecAction \
  "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_wordpress=1"

I see that in the REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf, I have quite a few rules in there that look like appropriate WordPress exclusions, however when I have users trying to edit/post messages to WordPress rules are still being fired. From what I can see in the logs, it appears Rule 941100 is constantly being triggered. Is there a rule that I am missing in the exclusions that isn't there by default?

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. detected XSS using libinjection. [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should d (4130 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref "v2688,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `ARGS:content' (Value: `<span style="font-weight: 400;">Let\xe2\x80\x99s be totally honest here for a minute! At this moment (4613 characters omitted)' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "180"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should do a lot more for you than just looki (4666 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref "o0,544v2688,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs [client 66.235.234.117] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref ""]

Jul 21 08:10:04 localhost hapee-lb[3473802]: 66.235.234.117:38827 [21/Jul/2021:08:10:04.023] fe_mydomain.com~ be_mydomain.com/www 1/-1/0/-1/1 403 197 - - PH-- - 330/2/0/0/0 0/0 TLSv1.3 {|Basic QiRpdGU6QjFkM3IxNw==| https://www.mydomain.com/wp-admin/post.php?post=7774&act|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36} "POST https://www.mydomain.com/wp-admin/admin-ajax.php HTTP/2.0"

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. detected XSS using libinjection. [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should d (4130 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref "v2787,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `ARGS:content' (Value: `<span style="font-weight: 400;">Let\xe2\x80\x99s be totally honest here for a minute! At this moment (4613 characters omitted)' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "180"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should do a lot more for you than just looki (4666 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref "o0,544v2787,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs [client 66.235.234.117] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref ""]

Jul 21 08:10:04 localhost hapee-lb[3473802]: 66.235.234.117:38827 [21/Jul/2021:08:10:04.285] fe_mydomain.com~ be_mydomain.com/www 1/-1/0/-1/1 403 197 - - PH-- - 333/2/0/0/0 0/0 TLSv1.3 {|Basic QiRpdGU6QjFkM3IxNw==| https://www.mydomain.com/wp-admin/post.php?post=7774&act|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36} "POST https://www.mydomain.com/wp-admin/post.php HTTP/2.0"

Appreciate your help and assistance on this.

Devin Acosta
From: <az...@po...> - 2021-07-22 04:20:26
Hi Devin,

WordPress exclusion package was created only for vanilla WordPress, i.e. it does not work with plugins - your problem is, probably, related to some plugin. I can help you more if you can provide me with full log of the blocked request.

azur

Quoting Devin A <de...@pa...>:

> I am rather new to Mod_Security, I have enabled the mod_security rules within HAProxy and I have WordPress sites behind my load balancer. I am confused on why I have quite a few false positives still being activated.
>
> In my crs-setup.conf:
>
> SecAction \
>   "id:900130,\
>   phase:1,\
>   nolog,\
>   pass,\
>   t:none,\
>   setvar:tx.crs_exclusions_wordpress=1"
>
> I see that in the REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf, I have quite a few rules in there that look like appropriate WordPress exclusions, however when I have users trying to edit/post messages to WordPress rules are still being fired. From what I can see in the logs, it appears Rule 941100 is constantly being triggered. Is there a rule that I am missing in the exclusions that isn't there by default?
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. detected XSS using libinjection. [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should d (4130 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref "v2688,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `ARGS:content' (Value: `<span style="font-weight: 400;">Let\xe2\x80\x99s be totally honest here for a minute! At this moment (4613 characters omitted)' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "180"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should do a lot more for you than just looki (4666 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref "o0,544v2688,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs [client 66.235.234.117] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref ""]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: 66.235.234.117:38827 [21/Jul/2021:08:10:04.023] fe_mydomain.com~ be_mydomain.com/www 1/-1/0/-1/1 403 197 - - PH-- - 330/2/0/0/0 0/0 TLSv1.3 {|Basic QiRpdGU6QjFkM3IxNw==| https://www.mydomain.com/wp-admin/post.php?post=7774&act|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36} "POST https://www.mydomain.com/wp-admin/admin-ajax.php HTTP/2.0"
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. detected XSS using libinjection. [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should d (4130 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref "v2787,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `ARGS:content' (Value: `<span style="font-weight: 400;">Let\xe2\x80\x99s be totally honest here for a minute! At this moment (4613 characters omitted)' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "180"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should do a lot more for you than just looki (4666 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref "o0,544v2787,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs [client 66.235.234.117] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref ""]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: 66.235.234.117:38827 [21/Jul/2021:08:10:04.285] fe_mydomain.com~ be_mydomain.com/www 1/-1/0/-1/1 403 197 - - PH-- - 333/2/0/0/0 0/0 TLSv1.3 {|Basic QiRpdGU6QjFkM3IxNw==| https://www.mydomain.com/wp-admin/post.php?post=7774&act|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36} "POST https://www.mydomain.com/wp-admin/post.php HTTP/2.0"
>
> Appreciate your help and assistance on this.
>
> Devin Acosta
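The alert lines in the thread already carry everything needed to see why the two requests were blocked and what a narrowly scoped exclusion looks like when, as azur says, the bundled WordPress package does not cover a plugin. The script below is an added example, not code from this thread, from HAProxy or from the CRS project. It parses the libmodsecurity error-log format shown in Devin's post (the sample lines are shortened copies of his, with the long regex and payload fields cut to "(omitted)"), recomputes the CRS inbound anomaly score per transaction with the default weights (two CRITICAL hits at 5 points each give the "Total Score: 10" that rule 949110 reports against the default threshold of 5), and drafts a runtime exclusion that removes only ARGS:content on the two wp-admin paths from rules 941100 and 941160. The local rule id 10000 and the default CRS anomaly weights are assumptions; the drafted rule belongs in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (or any file loaded before the CRS rules), because ctl:ruleRemoveTargetById must execute before the rules it modifies.

```python
"""Triage ModSecurity/OWASP CRS alert lines and draft a scoped rule exclusion.

Added example, not code from the mailing-list thread or from the CRS project.
Assumptions: the libmodsecurity error-log format HAProxy emitted in the thread,
the default CRS anomaly weights (CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2) and
an assumed free local rule id (10000) for the drafted exclusion.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: the alert lines from Devin's post, with the long regex and
# payload fields shortened to "(omitted)". Two transactions, one per unique_id.
SAMPLE_LOG = '''\
Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. detected XSS using libinjection. [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <span style="font-weight: 400;">Let's be totally honest here for a minute! (omitted)"] [severity "2"] [tag "attack-xss"] [tag "paranoia-level/1"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"]
Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. Matched "Operator `Rx' with parameter `(omitted)' against variable `ARGS:content' (Value: `<span style="font-weight: 400;">Let's be totally honest (omitted)' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "180"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <span style="font-weight: 400;">Let's be totally honest (omitted)"] [severity "2"] [tag "attack-xss"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"]
Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs [client 66.235.234.117] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [tag "attack-generic"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"]
Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. detected XSS using libinjection. [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <span style="font-weight: 400;">Let's be totally honest (omitted)"] [severity "2"] [tag "attack-xss"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"]
Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. Matched "Operator `Rx' with parameter `(omitted)' against variable `ARGS:content' (Value: `(omitted)' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "180"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: (omitted)"] [severity "2"] [tag "attack-xss"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"]
'''

# ModSecurity does not escape quotes inside [data "..."], so each bracketed field
# is read non-greedily up to the next `"]`, which is where the field really ends.
FIELD_RE = re.compile(r'\[(\w+) "(.*?)"\]')
# The matched variable is either in the data field ("found within ARGS:x:") or
# in the operator message ("against variable `ARGS:x'").
VAR_RE = re.compile(r"found within ([A-Z_]+:[^:\s]+):|against variable `([^']+)'")
# Default CRS anomaly weights keyed by the numeric ModSecurity severity.
SEVERITY_SCORE = {"2": 5, "3": 4, "4": 3, "5": 2}   # CRITICAL, ERROR, WARNING, NOTICE
# 949xxx rules report the score and block; they do not add to the score.
BLOCKING_RULE_IDS = range(949100, 950000)


def parse_alerts(log_text):
    """Return one dict per alert line: rule id, URI path, matched variable, severity, unique_id."""
    alerts = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue                      # HAProxy access-log lines carry no rule fields
        fields = dict(FIELD_RE.findall(line))
        if "id" not in fields:
            continue
        m = VAR_RE.search(line)
        alerts.append({
            "id": fields["id"],
            "path": urlparse(fields.get("uri", "")).path,   # uri holds a full URL here
            "variable": (m.group(1) or m.group(2)) if m else None,
            "severity": fields.get("severity"),
            "unique_id": fields.get("unique_id"),
            "msg": fields.get("msg", ""),
        })
    return alerts


def anomaly_scores(alerts):
    """Recompute the CRS inbound anomaly score per transaction (unique_id)."""
    scores = defaultdict(int)
    for a in alerts:
        if int(a["id"]) in BLOCKING_RULE_IDS:
            continue
        scores[a["unique_id"]] += SEVERITY_SCORE.get(a["severity"], 0)
    return dict(scores)


def false_positive_targets(alerts):
    """Map (path, variable) -> sorted rule ids that fired on that parameter there."""
    targets = defaultdict(set)
    for a in alerts:
        if int(a["id"]) in BLOCKING_RULE_IDS or not a["variable"]:
            continue
        targets[(a["path"], a["variable"])].add(a["id"])
    return {key: sorted(ids) for key, ids in targets.items()}


def draft_exclusion(path, variable, rule_ids, local_id):
    """Draft a runtime exclusion: only `variable` on `path` is removed from `rule_ids`.

    Every other parameter, and every other path, keeps the rules intact. The rule
    must be loaded before the CRS rule files so the ctl actions take effect.
    """
    ctls = ",\\\n    ".join(f"ctl:ruleRemoveTargetById={rid};{variable}" for rid in rule_ids)
    return (f'SecRule REQUEST_URI "@endsWith {path}" \\\n'
            f'    "id:{local_id},\\\n'
            f'    phase:1,\\\n'
            f'    pass,\\\n'
            f'    nolog,\\\n'
            f'    {ctls}"')


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for uid, score in anomaly_scores(alerts).items():
        print(f"transaction {uid}: inbound anomaly score {score} (blocks at >= 5)")
    local_id = 10000   # assumed free id in the local range; pick your own
    for (path, variable), rule_ids in sorted(false_positive_targets(alerts).items()):
        print(draft_exclusion(path, variable, rule_ids, local_id))
        local_id += 1
```

Run it and the score output explains the 403: each transaction accumulates 5 + 5 from the two XSS rules, which is already past the default threshold of 5, so 949110 denies the request. The exclusion it drafts is deliberately narrow (one parameter on one path per rule) rather than disabling 941100 site-wide, so XSS detection stays active for every other argument and URL; before installing it, confirm from the full audit log that the blocked ARGS:content really is the editor's own HTML, which is what the truncated data field in the thread suggests. If the same parameter is also blocked on other paths the draft lists each path as its own rule.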
From: <877...@qq...> - 2021-08-10 11:13:37
As the title says: FREE_TEXT_QUOTE_MACRO_EXPANSION (([^%'])|([^\\][\\][%][{])|([^\\]([\\][\\])+[\\][%][{])|[^\\][\\][']|[^\\]([\\][\\])+[\\]['])+