Sometimes form submissions are blocked due to CSRF token triggering OWASP CRS ModSecurity:
```
ModSecurity: Warning. detected XSS using libinjection. [file "/etc/apache/common/security/crs.d/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "59"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:_csrf: oNBSV4VsVN6GpEtKwGjIE6zANwL5dgarTwnY2Kln7xqSmz0txjsSqMSRCieMCplj1ph_QKoEVep3YbWIxgXXeQ=="] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"]
ModSecurity: Warning. Pattern match "(?i)[\\\\s\\"'`;\\\\/0-9=\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]+on[a-zA-Z]+[\\\\s\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]*?=" at ARGS:_csrf. [file "/etc/apache/common/security/crs.d/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "120"] [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 9ONKQ= found within ARGS:_csrf: 9wVDZHsHXitOSpklrY4LGM_mtKcfUwuwU3SlgjCxtUrFTiweOFAYXQx_2Ejh7Fpotb785UwhWPFrHMjSX9ONKQ=="] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"]
```
| Q                | A        |
| ---------------- | -------- |
| Yii version      | 2.0.39.3 |
| PHP version      | 7.4      |
| Operating system | Linux    |
Thanks for posting in our issue tracker.
In order to properly assist you, we need additional information:
Thanks!
_This is an automated comment, triggered by adding the label status:need more info._
For example, CSRF token
```
9wVDZHsHXitOSpklrY4LGM_mtKcfUwuwU3SlgjCxtUrFTiweOFAYXQx_2Ejh7Fpotb785UwhWPFrHMjSX9ONKQ=
```
matches pattern
```
(?i)[\s\\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=
```
but it should be generated in a way that is always safe.
I don't think we can support all the OWASP rules, since they are also subject to change and the patterns are very often not really understandable.
This OWASP rule seems a bit too general in my opinion.
It matches this: `9ONK=` from the example posted.
https://regex101.com/r/vBZQ9M/1/
This seems related coreruleset/coreruleset#1867
Based on the sample, it seems that the error is in XSS detection. I don't see actual XSS here.
We recently finished a project with an Azure Application Gateway which also uses OWASP rules.
Basically it's a huge bunch of regex to detect anomalies, but it's not really predictable.
Rules are likely to be generated from existing "hacking" attempts, but, like in this case, it's just too generic.
I don't think there's anything to fix from our side.
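To make the false positive discussed above reproducible, here is an added example (not part of the issue thread and not Yii's code) that compiles the CRS 941120 pattern exactly as quoted in the log line, runs it over the two tokens from the report, and then estimates how often a URL-safe base64 token of the same shape trips the rule. The `make_token` generator is a constructed stand-in for that token shape (random bytes, URL-safe base64 with padding), not Yii's actual CSRF token code, and `token_avoiding_941120` is a hypothetical app-side workaround, shown only to illustrate what "generated in a way that is always safe" would cost.

```python
import base64
import random
import re

# CRS rule 941120 pattern exactly as quoted in the ModSecurity log line above
# (OWASP_CRS/3.2.0, REQUEST-941-APPLICATION-ATTACK-XSS.conf line 120).
CRS_941120 = re.compile(
    r"""(?i)[\s\\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?="""
)

# The two tokens copied from the log lines in the issue report.
TOKEN_941100_ONLY = (
    "oNBSV4VsVN6GpEtKwGjIE6zANwL5dgarTwnY2Kln7xqSmz0txjsSqMSRCieMCplj1ph_QKoEVep3YbWIxgXXeQ=="
)
TOKEN_941120 = (
    "9wVDZHsHXitOSpklrY4LGM_mtKcfUwuwU3SlgjCxtUrFTiweOFAYXQx_2Ejh7Fpotb785UwhWPFrHMjSX9ONKQ=="
)


def crs_941120_match(value: str):
    """Return the substring rule 941120 would log as 'Matched Data', or None.

    The rule wants: one or more separator/digit/'=' characters, then 'on',
    then letters (an event-handler name), then optional separators, then '='.
    In a base64 token the digit '9', the letters 'ONKQ' and the trailing
    padding '=' line up to satisfy exactly that shape.
    """
    m = CRS_941120.search(value)
    return m.group(0) if m else None


def make_token(rng: random.Random, nbytes: int = 64) -> str:
    """Constructed token generator (NOT Yii's implementation).

    64 random bytes, URL-safe base64 with '+/' replaced by '-_' and padding
    kept: this yields 88-character strings ending in '==', the same shape as
    the tokens quoted in the log lines.
    """
    raw = bytes(rng.getrandbits(8) for _ in range(nbytes))
    return base64.urlsafe_b64encode(raw).decode("ascii")


def false_positive_rate(n: int, seed: int = 0, nbytes: int = 64) -> float:
    """Fraction of n constructed tokens that rule 941120 would flag.

    Only the trailing '=' padding can satisfy the final '=' of the pattern,
    so a hit needs digit(s) + 'on' + letters right before the padding; that
    is rare per token, but not rare across a busy site.
    """
    rng = random.Random(seed)
    hits = sum(
        1 for _ in range(n) if crs_941120_match(make_token(rng, nbytes)) is not None
    )
    return hits / n


def token_avoiding_941120(seed: int = 0, nbytes: int = 64, max_tries: int = 16) -> str:
    """Hypothetical app-side workaround: redraw until the token clears 941120.

    This is what tying token generation to one WAF rule would look like; the
    maintainers' point above is that chasing every CRS pattern this way does
    not scale, which is why the fix normally lives on the WAF side instead.
    """
    rng = random.Random(seed)
    for _ in range(max_tries):
        token = make_token(rng, nbytes)
        if crs_941120_match(token) is None:
            return token
    raise RuntimeError("could not draw a token that clears CRS 941120")


if __name__ == "__main__":
    print("941120 on reported token:", crs_941120_match(TOKEN_941120))
    print("941120 on first token:   ", crs_941120_match(TOKEN_941100_ONLY))
    print("estimated hit rate:      ", false_positive_rate(20000, seed=1))
```

Running it shows `9ONKQ=` for the second token, matching the `Matched Data` in the log, and no 941120 hit for the first token (that one was caught by the libinjection rule 941100 instead). On the WAF side, the usual CRS way to handle a known false positive on one parameter is a targeted exclusion rather than disabling the rule, for example a phase-1 rule on the affected paths with `ctl:ruleRemoveTargetById=941120;ARGS:_csrf`, which keeps the XSS rule active for every other argument.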