Christian Folini
The thread is about ~ "How do you prove an XSS when script-alert is blocked by a WAF". So these are all ways to evade detection. You can say they...
If we are 100% sure we detect every injection technique, then we're fine. If we think there might be evasions, then adding additional patterns that could indicate code may be...
I see little need to change CRS and having CrowdSec users install a plugin is kind of annoying. So I think CrowdSec should update. But leaving this open so we...
Don't change the HTTP status code. If fail2ban is the reason, you should not work on the access log, but on the error log and the pattern you want to...
Then the service is clearly misconfigured. If you do not see 949110, then it probably was not blocking in the first case. I am running fail2ban personally, but I would...
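As an added illustration of the advice in the two fail2ban comments above (this is example code, not part of the thread and not shipped by CRS, ModSecurity or fail2ban): rather than scraping the access log for status codes, key fail2ban on the CRS blocking-evaluation rule 949110 in the Apache error log. The snippet below writes the `failregex` the way it would appear in a fail2ban filter, substitutes `<HOST>` the way fail2ban does, and runs it over constructed mod_security2 error-log lines in the format quoted later in this feed. The filter file name is hypothetical, `HOST_RE` is a simplified stand-in for fail2ban's own `<HOST>` pattern, and all log lines, IPs and unique_ids are constructed.

```python
import re
from collections import Counter

# failregex as it would be written in a fail2ban filter (hypothetical file
# filter.d/crs-949110.conf, not shipped by CRS or fail2ban). It keys on CRS rule
# 949110 in the *error* log and only on lines where the engine actually denied
# the request. fail2ban substitutes <HOST> itself and strips the leading
# timestamp through its datepattern before matching, so neither appears here.
FAILREGEX = (r'\[client <HOST>\] ModSecurity: Access denied with code \d+ \(phase \d+\)\.'
             r'.*\[id "949110"\]')

# Assumption: simplified stand-in for fail2ban's <HOST> (IPv4/IPv6 literal only).
HOST_RE = r'(?P<host>[0-9A-Fa-f.:]+)'

# Constructed sample lines in the Apache mod_security2 error-log format quoted in
# this feed. 203.0.113.7, 198.51.100.4 and 192.0.2.9 are documentation addresses;
# unique_ids and rule messages on these lines are made up for the example.
SAMPLE_ERROR_LOG = """\
[2024-03-27 21:19:39.464523] [security2:error] 127.0.0.1:53742 AAAA0001 [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:value. [file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "488"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [severity "CRITICAL"] [hostname "localhost"] [uri "/"] [unique_id "AAAA0001"]
[2024-03-27 21:20:01.100000] [security2:error] 203.0.113.7:40211 AAAA0002 [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "localhost"] [uri "/"] [unique_id "AAAA0002"]
[2024-03-27 21:20:02.200000] [security2:error] 203.0.113.7:40212 AAAA0003 [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [hostname "localhost"] [uri "/login"] [unique_id "AAAA0003"]
[2024-03-27 21:20:03.300000] [security2:error] 203.0.113.7:40213 AAAA0004 [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "localhost"] [uri "/search"] [unique_id "AAAA0004"]
[2024-03-27 21:20:04.400000] [security2:error] 198.51.100.4:51000 AAAA0005 [client 198.51.100.4] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "localhost"] [uri "/"] [unique_id "AAAA0005"]
[2024-03-27 21:20:05.500000] [security2:error] 192.0.2.9:60000 AAAA0006 [client 192.0.2.9] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "localhost"] [uri "/"] [unique_id "AAAA0006"]
"""


def compile_failregex(failregex: str = FAILREGEX) -> re.Pattern:
    """Turn a fail2ban-style failregex into a Python pattern by substituting <HOST>."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def blocked_clients(log_text: str, failregex: str = FAILREGEX) -> Counter:
    """Count 949110 denials per client IP over raw error-log text.

    The last sample line is what 949110 looks like when the engine runs in
    DetectionOnly mode: it is a Warning, not an Access denied, and is
    deliberately not counted, mirroring the point that a missing 949110
    denial means the request was never blocked in the first place.
    """
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group('host')] += 1
    return hits


def ban_candidates(log_text: str, maxretry: int = 3) -> list:
    """Clients that reached fail2ban's maxretry within the sampled window."""
    return sorted(ip for ip, n in blocked_clients(log_text).items() if n >= maxretry)


if __name__ == '__main__':
    for ip, n in blocked_clients(SAMPLE_ERROR_LOG).items():
        print(f'{ip}: {n} blocked request(s)')
    print('ban:', ban_candidates(SAMPLE_ERROR_LOG))
```

The same `FAILREGEX` string can be dropped into a fail2ban filter and checked with `fail2ban-regex` against the real error log; the only part fail2ban needs to supply is `<HOST>` and the date handling.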
Sorry for the inconvenience and thanks for reporting @joshi-mohit. Please share the entire alert messages / error log for your request as well as the engine version and the CRS...
Thank you. I confirm the false positive:
```
[2024-03-27 21:19:39.464523] [security2:error] 127.0.0.1:53742 ZgR_WwWq4ZvthzF9IUUbegAAAAA [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)\\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\s\\x0b]+(?:char|group_concat|load_file)\\b[\\s\\x0b]*\\(?|end[\\s\\x0b]*?\\);)|[\\s\\x0b\\(]load_file[\\s\\x0b]*?\\(|[\"'`][\\s\\x0b]+regexp[^0-9A-Z_a-z]|[\"'0-9A- ..." at ARGS:value. [file "/home/dune73/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "488"] [id "942360"] [msg...
```
It's in fact not the unicode at all. Here is the minimal payload:
```
$ curl -X POST -H "Content-Type: application/json" -d '{"key": "recent_search", "value": " update 1"}' localhost
```
...
Could you rename the issue, please, @joshi-mohit.
We'll look into the pattern to see if we can work around the false positive, since your payload sounds fairly natural and nothing overly dangerous. As for getting the minimal...