Hi,
We have a SecRule like this:
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(fromcharcode|alert|eval)\s*\(" \
    "phase:2,rev:'2.0.10',id:'973307',capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
When a user supplies a URL like this:
It's not being blocked. Please suggest.
You have the pass,nolog attributes in the SecRule. If you want to block the request, change the pass,nolog to deny,log and it will block the request as well as generate the audit log.
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(fromcharcode|alert|eval)\s*\(" \
    "phase:2,rev:'2.0.10',id:'973307',capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,deny,log,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
Hi
Here anomaly scoring mode is followed:
setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
Can we see these values / debug these values somewhere?
At the end, some rule like this needs to be written:
SecRule TX:PM_XSS_SCORE "@eq 0" "phase:2,t:none,deny,status:406,skipAfter:END_XSS_CHECK,nolog"
We are using:
"ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); core ruleset/1.6.1"
Also, can we get the modsecurity_crs_41_xss_attacks.conf file source?
Hi @venkibits,
The variable values can be seen in the debug log:
SecDebugLog /tmp/a.txt
SecDebugLogLevel 9
The OWASP CRS is a separate project and can be found here:
https://github.com/SpiderLabs/owasp-modsecurity-crs
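To put the two replies together, here is a minimal ModSecurity 2.x anomaly-scoring configuration added as an example; it is not from this thread and not one of the CRS's own files. It shows why the scoring rule keeps `pass`, where the final blocking rule has to sit, and a cheap way to read the accumulated scores from the Apache error log without wading through a level-9 debug log. The rule ids 10001-10004 (in the range ModSecurity reserves for local rules), the threshold of 5, the log path and the 403 status are assumptions made for this example.

```apache
# Added example, not from the thread or the CRS. Ids, thresholds and the log
# path are assumptions. Apache config does not allow trailing comments, so every
# comment is on its own line.

# Without "On" nothing is ever blocked; DetectionOnly only logs.
SecRuleEngine On

# Level 9 records every setvar and variable lookup. Very verbose: use it only
# while diagnosing, then lower it again.
SecDebugLog /tmp/modsec_debug.log
SecDebugLogLevel 9

# 1. Score weights and the inbound blocking threshold. Phase 1, so the values
#    exist before any phase-2 scoring rule reads them.
SecAction "id:'10001',phase:1,t:none,nolog,pass,\
  setvar:tx.critical_anomaly_score=5,\
  setvar:tx.inbound_anomaly_score_level=5"

# 2. A scoring rule. 'pass' is intentional in anomaly-scoring mode: the rule
#    only records the hit (tx.msg) and adds its weight to the running totals.
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(fromcharcode|alert|eval)\s*\(" \
  "id:'10002',phase:2,capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,\
  pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

# 3. Make the accumulated values visible in the error log for any request
#    that scored at all. Handy while tuning, remove once thresholds are settled.
SecRule TX:ANOMALY_SCORE "@gt 0" \
  "id:'10003',phase:2,t:none,pass,log,\
  msg:'Inbound anomaly score %{TX.ANOMALY_SCORE} (XSS %{TX.XSS_SCORE}), last rule: %{tx.msg}'"

# 4. The blocking decision. It must come AFTER every scoring rule of the same
#    phase, because ModSecurity evaluates rules in file order within a phase;
#    the operator argument is macro-expanded, so the threshold stays in one place.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
  "id:'10004',phase:2,t:none,deny,status:403,log,\
  msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}'"
```

Run `apachectl -t` after editing so that a regex or action-list error (an unescaped `(` in the XSS pattern, for instance) is caught before a reload, and keep rule 10004 in a file that is included after the 41_xss file, otherwise the total is checked before the XSS rule has added to it.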