owasp-modsecurity-crs
XSS Attack Detected via libinjection for AWS AWSALBCORS Cookie
Description
libinjection detects an XSS attack in the AWS AWSALBCORS cookie and blocks harmless requests.
Audit Logs / Triggered Rule Numbers
---O4A1GJgF---A-- [30/Mar/2020:04:26:00 +0000] 158554236078.061819 <SCR ID> 0 <INT IP> <PORT>
---O4A1GJgF---B--
POST /oauth/token HTTP/1.1
Accept: application/json, application/*+json
X-Span-Name: https:/oauth/token
Content-Length: 94
b3: 779cec51b5c99a01-779cec51b5c99a01-0
X-Forwarded-Port: 443
X-Amzn-Trace-Id: Root=1-5e8174d8-9f586f0037986e007de2cf80
Authorization: Basic <BASIC TOKEN>
Host: <URL>
X-B3-SpanId: 779cec51b5c99a01
Content-Type: application/x-www-form-urlencoded
X-Forwarded-Proto: https
User-Agent: Apache-HttpClient/4.5.9 (Java/1.8.0_212)
X-Forwarded-For: <SCR ID>
X-B3-TraceId: 779cec51b5c99a01
X-B3-Sampled: 0
Cookie: AWSALB=PWOhL14py8Wi+FMWQxerjk4XFirhKd457flcD+95U90WpVH1VOdwKE/HeJ+3Mjfd4Tt861Hh+vY7cEYSPJ0I1xs+3XaXNZtlpTFCDCJd7psj/K7Hbb+T+THELV3ISsCQ1is4wS4m4M7ROnNQDTYWMWpbbQgIVx3lw9ZYF1Cm+Ong1VE1igIhX7bSV9ylSA==; AWSALBCORS=PWOhL14py8Wi+FMWQxerjk4XFirhKd457flcD+95U90WpVH1VOdwKE/HeJ+3Mjfd4Tt861Hh+vY7cEYSPJ0I1xs+3XaXNZtlpTFCDCJd7psj/K7Hbb+T+THELV3ISsCQ1is4wS4m4M7ROnNQDTYWMWpbbQgIVx3lw9ZYF1Cm+Ong1VE1igIhX7bSV9ylSA==
Accept-Encoding: gzip,deflate
---O4A1GJgF---F--
HTTP/1.1 403
Server: nginx
Date: Mon, 30 Mar 2020 04:26:00 GMT
Connection: keep-alive
---O4A1GJgF---H-- ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/nginx/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within REQUEST_COOKIES:AWSALBCORS: PWOhL14py8Wi FMWQxerjk4XFirhKd457flcD 95U90WpVH1VOdwKE/HeJ 3Mjfd4Tt861Hh vY7cEYSPJ0I1xs 3XaXNZtlpTFCDCJd7psj/K7Hbb T THELV3ISsCQ1is4wS4m (56 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "<INT IP>"] [uri "/oauth/token"] [unique_id "158554236078.061819"] [ref "v662,192t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullsv867,192t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
---O4A1GJgF---I--
---O4A1GJgF---J--
---O4A1GJgF---K--
---O4A1GJgF---Z--
Your Environment
- CRS version: CRS 3.2.0
- Paranoia level setting: 1
- ModSecurity version: 3.0.4
- Web Server and version: nginx 1.17.8
- Operating System and version: Amazon linux 2
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
As the cookie arrives at libinjection it is reformatted as:
REQUEST_COOKIES:AWSALBCORS: PWOhL14py8Wi FMWQxerjk4XFirhKd457flcD 95U90WpVH1VOdwKE/HeJ 3Mjfd4Tt861Hh vY7cEYSPJ0I1xs 3XaXNZtlpTFCDCJd7psj/K7Hbb T THELV3ISsCQ1is4wS4m ...
So each + sign is replaced with a space.
libinjection's XSS detector flags Ong1VE1igIhX7bSV9ylSA== as a black attribute in the method is_black_attr, because its length is >= 5 and it begins with ON (case insensitive).
Looks like exactly this change should have fixed this issue: https://github.com/client9/libinjection/pull/118/commits/ceb2895a3afe42f216cc0ba9457030f6c86310a0
Is the libinjection project abandoned? If the request https://github.com/client9/libinjection/pull/143 were merged, the issue would be solved.
@zimmerle, @martinhsv: looks like you have to maintain libinjection on your own
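The false-positive mechanism described in the comments above, as an added example (not libinjection's or CRS's own code): the '+' to space step of t:urlDecodeUni is applied to the AWSALBCORS cookie from the audit log, then a simplified model of libinjection's is_black_attr() heuristic (length >= 5, starts with "on") is run over the tokens that libinjection would see as attribute names. The tokeniser and the stricter variant are assumptions for illustration, not the upstream patch.

```python
"""Model of the rule 941100 false positive on the AWSALBCORS cookie.
Added example; the tokeniser is a simplification of libinjection's
HTML5 state machine, not a copy of it."""
from urllib.parse import unquote_plus

# Cookie value copied from the audit log in the issue (the one that hit 941100).
AWSALBCORS = (
    "PWOhL14py8Wi+FMWQxerjk4XFirhKd457flcD+95U90WpVH1VOdwKE/HeJ+3Mjfd4Tt861Hh"
    "+vY7cEYSPJ0I1xs+3XaXNZtlpTFCDCJd7psj/K7Hbb+T+THELV3ISsCQ1is4wS4m4M7ROnNQ"
    "DTYWMWpbbQgIVx3lw9ZYF1Cm+Ong1VE1igIhX7bSV9ylSA=="
)


def crs_transform(value: str) -> str:
    """The step of the 941100 chain that matters here: t:urlDecodeUni turns
    '+' into a space (and decodes %XX). unquote_plus is a close stand-in."""
    return unquote_plus(value)


def attr_name_tokens(decoded: str) -> list[str]:
    """Assumed simplification: when the input is parsed as an unquoted
    attribute value, everything after the first whitespace is read as
    attribute names, each ending at whitespace, '=', '/' or '>'."""
    names = []
    for chunk in decoded.split()[1:]:
        name = ""
        for ch in chunk:
            if ch in "=/>":
                break
            name += ch
        if name:
            names.append(name)
    return names


def is_black_attr_simplified(name: str) -> bool:
    """The check quoted in the issue: >= 5 chars and begins with 'on' (any case)."""
    return len(name) >= 5 and name[:2].lower() == "on"


def is_black_attr_stricter(name: str) -> bool:
    """Assumed stricter variant (not the upstream change): additionally
    require letters only after 'on', as real handler names (onclick, onload) have."""
    return is_black_attr_simplified(name) and name[2:].isalpha()


def flagged_tokens(cookie: str, check=is_black_attr_simplified) -> list[str]:
    """Attribute-name tokens of the transformed cookie that the heuristic flags."""
    return [t for t in attr_name_tokens(crs_transform(cookie)) if check(t)]


if __name__ == "__main__":
    print(flagged_tokens(AWSALBCORS))                          # ['Ong1VE1igIhX7bSV9ylSA']
    print(flagged_tokens(AWSALBCORS, is_black_attr_stricter))  # []
```

Until libinjection is fixed, the usual CRS-side mitigation is a rule exclusion that drops this cookie from the rule's targets, for example `SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:AWSALBCORS"` in the site's post-rule exclusion file.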