Closed quenenni closed 6 years ago
I'm not sure how common a plus after a tag name is. Where are you seeing this, if you can share?
So the + was the problem. I thought a space in an arg value was transformed into a + when sanitizing and back to a space afterwards. Doesn't urlDecodeUni do that?
My main problem is to understand how to transform back the data (before trying to understand the problem with the rule).
I mean, for this rule, you have this:
t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,
That's a lot of transformations.
Do you know an easy technique to transform back the data? A website / a soft / a script that can do that?
PS: In this example, I don't know where the + comes from, but it was legit code.
Here is (part of) the message arg that triggered that rule:
(PS: it was a request from Roundcube)
&_message=%3Cp%3E%26agrave%3B+partir+de+9h00%3C%2Fp%3E%0D%0A%3Cp%3EMerci+beaucoup+xxx%3C%2Fp%3E%0D%0A%3Cp%3EZZZZ%3C%2Fp%3E%0D%0A%3Cdiv+id%3D%22_rc_sig%22%3E%0D%0A%3Cp%3E%3Ca+title%3D%22www.xxx.be%22+href%3D%22http%3A%2F%2Fwww.xxxx.be%22%3E+%3Cimg+src%3D%22http%3A%2F%2Fwww.xxxx.be%2Fsignature-mail%2FImgSignatureMail.png%22+alt%3D%22Signature+Mail+XXXX%22+%2F%3E%3C%2Fa%3E%3C%2Fp%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3Cp%3ELe+2018-05-11+23%3A03%2C+Yyyy+a+%26eacute%3Bcrit%26nbsp%3B%3A%3C%2Fp%3E%0D%0A%3Cblockquote%3E%3C%21--+html+ignored+--%3E%3C%21--+head+ignored+--%3E%3C%21--+meta+ignored+--%3E%3C%21--+meta+ignored+--%3E%3C%21--+node+type+8+--%3E%3C%21--+node+type+8+--%3E%3C%21--+node+type+8+--%3E%0D%0A%3Cdiv+class%3D%22WordSection1%22%3E%0D%0A%3Cp+class%3D%22MsoNormal%22%3E%3Cspan+style%3D%22mso-fareast-language%3A+EN-US%3B%22%3E
You'll find the one <img+ and the two +meta+.
For privacy concerns, I won't post the full log here, but I can send it to you if you want.
Hi @quenenni ,
By definition you are doing code injection: your decoded log payload contains a bunch of HTML. This will trigger several other rules, not only 941160. For this kind of content you will have to white-list it for all problematic rules. As this is apparently an open-text, HTML-formatted payload, you will have troubles depending on what the user enters in it; make sure your app validates this really well, as you will be opening many holes in the rule set.
Sample white-listing rule:
SecRule REQUEST_URI "@rx ^/yourURI/blah.php$" "id:1,phase:2,pass,nolog,noauditlog,ctl:ruleRemoveTargetById=941160;ARGS:_message"
Your decoded payload:
&_message=<p>à partir de 9h00</p>
<p>Merci beaucoup xxx</p>
<p>ZZZZ</p>
<div id="_rc_sig">
<p><a title="www.xxx.be" href="http://www.xxxx.be"> <img src="http://www.xxxx.be/signature-mail/ImgSignatureMail.png" alt="Signature Mail XXXX" /></a></p>
</div>
<p>Le 2018-05-11 23:03, Yyyy a écrit :</p>
<blockquote><!-- html ignored --><!-- head ignored --><!-- meta ignored --><!-- meta ignored --><!-- node type 8 --><!-- node type 8 --><!-- node type 8 -->
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language: EN-US;">
Cheers!
The order in which transformations occur is right to left; there is no nice tool that untransforms, sorry :(
Thanks for your help.
@csanders-git Hoo.. Good tip. Thanks.
@spartantri Amazing! I didn't know I could modify a rule like that, removing an id only for a parameter. Thanks for the example.
Can you tell me how you transformed the text back? Do you have a script or something like that? I'd be very happy to have a way to do that myself.
For the moment, I use an online site that does a UrlDecode for me, but it's only a part of what I need (http://www.blooberry.com/indexdot/html/topics/urlencoding.htm).
And I use this website https://regex101.com/ to test the regexp and the text.
It works sometimes, depending on the transformations used on the text. But it feels like a poor way to do it; there must be a more efficient way.
Just read the reference manual; there are answers for everything you need, and/or get the Christian Folini/Ivan Ristic or Ryan Barnett books.
As for the decoding there are many ways, I prefer either:
the decoder tab in Burp Suite (free version is ok for basic stuff): just copy your payload and select "url decode" from the "decode as" drop-down menu; to go the other way around, put in the clear text and select "url encode" from the "encode as" drop-down menu.
CyberChef: you can download it and use it offline, very cool and free; just select the operations, put them in order, paste the payload and "bake" it.
Python for custom stuff not possible with the previous two.
Cheers!
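As an added example (not code from this thread, from CRS or from ModSecurity), here is the "Python for custom stuff" option worked out: a small approximation of the t: chain quoted from rule 941160, run over a constructed slice of the Roundcube _message argument shown earlier in the thread. Each function is a simplified re-implementation of the ModSecurity transformation of the same name, written for log triage rather than as a faithful copy of the engine; the names SAMPLE, CHAIN_941160, parse_chain, apply_chain and count_tokens are this example's own. The chain is applied left to right, which is the order in which ModSecurity evaluates a t: list, and the output shows the "<img+" and "<!--+meta+" fragments from the raw log turning into "<img " and "<!-- meta" once urlDecodeUni has mapped + to a space.

```python
"""Approximate a CRS t: transformation chain in Python (triage aid, not the engine)."""
import html
import re

# Constructed sample: a slice of the Roundcube `_message` argument quoted in this
# thread. Input is the raw request text read as latin-1, i.e. one character per byte.
SAMPLE = (
    "%3Cp%3E%26agrave%3B+partir+de+9h00%3C%2Fp%3E%0D%0A"
    "%3Cp%3E%3Ca+title%3D%22www.xxx.be%22+href%3D%22http%3A%2F%2Fwww.xxxx.be%22%3E"
    "+%3Cimg+src%3D%22http%3A%2F%2Fwww.xxxx.be%2Fsignature-mail%2FImgSignatureMail.png%22"
    "+alt%3D%22Signature+Mail+XXXX%22+%2F%3E%3C%2Fa%3E%3C%2Fp%3E%0D%0A"
    "%3Cblockquote%3E%3C%21--+html+ignored+--%3E%3C%21--+meta+ignored+--%3E"
    "%3C%21--+meta+ignored+--%3E"
)

# The t: chain as quoted from rule 941160 in this thread.
CHAIN_941160 = ("t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,"
                "t:htmlEntityDecode,t:jsDecode,t:cssDecode")


def remove_nulls(s):
    return s.replace("\x00", "")


_UTF8_SEQ = re.compile(r"[\xc2-\xf4][\x80-\xbf]{1,3}")


def utf8_to_unicode(s):
    # Valid multi-byte UTF-8 sequences are rewritten as %uXXXX escapes (approximation).
    def repl(m):
        try:
            text = m.group(0).encode("latin-1").decode("utf-8")
        except UnicodeDecodeError:
            return m.group(0)  # invalid sequence is left untouched
        return "".join("%%u%04X" % ord(c) for c in text)
    return _UTF8_SEQ.sub(repl, s)


_URL_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|\+")


def url_decode_uni(s):
    # %XX, the IIS-style %uXXXX form, and '+' as a space: this is why "<img+" in the
    # raw log reads "<img " after the chain. Code points above 0xFF are kept as-is
    # here, whereas the engine reduces them to a single byte.
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return " "
    return _URL_ESC.sub(repl, s)


def html_entity_decode(s):
    # html.unescape knows more entities than the engine's table; fine for triage.
    return html.unescape(s)


_JS_ESC = re.compile(r"\\(?:u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|([0-7]{1,3})|(.))", re.S)
_JS_CTRL = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v", "a": "\a"}


def js_decode(s):
    # JavaScript string escapes: \uXXXX, \xXX, octal, and single-character escapes.
    def repl(m):
        u, x, o, c = m.groups()
        if u:
            return chr(int(u, 16))
        if x:
            return chr(int(x, 16))
        if o:
            return chr(int(o, 8) & 0xFF)
        return _JS_CTRL.get(c, c)
    return _JS_ESC.sub(repl, s)


_CSS_ESC = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)


def css_decode(s):
    # CSS escapes: \ followed by 1-6 hex digits (optional trailing whitespace), or \c.
    def repl(m):
        if m.group(1):
            code = int(m.group(1), 16)
            return chr(code) if code <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return _CSS_ESC.sub(repl, s)


TRANSFORMS = {
    "removeNulls": remove_nulls,
    "utf8toUnicode": utf8_to_unicode,
    "urlDecodeUni": url_decode_uni,
    "htmlEntityDecode": html_entity_decode,
    "jsDecode": js_decode,
    "cssDecode": css_decode,
}


def parse_chain(spec):
    """Turn 't:none,t:a,t:b' into ['a', 'b']; t:none resets whatever came before it."""
    names = []
    for item in spec.split(","):
        item = item.strip()
        if not item.startswith("t:"):
            continue
        name = item[2:]
        names = [] if name == "none" else names + [name]
    return names


def apply_chain(raw, spec):
    """Apply the chain left to right, the order in which ModSecurity runs a t: list."""
    value = raw
    for name in parse_chain(spec):
        value = TRANSFORMS[name](value)
    return value


def count_tokens(decoded, tokens=("<img ", "<!-- meta")):
    """How often each decoded fragment occurs, for comparing against the audit log."""
    return {t: decoded.count(t) for t in tokens}


if __name__ == "__main__":
    decoded = apply_chain(SAMPLE, CHAIN_941160)
    print(decoded)
    print(count_tokens(decoded))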
That's great info. Thanks.
Hello,
941160 = [NoScript InjectionChecker] HTML injection (REQUEST-941-APPLICATION-ATTACK-XSS.conf)
If you have this kind of data in the arg values of your request, this rule is triggered:
It comes from this part of the rule
As the 'a' is not compulsory, img is triggered.
That seems a bit strict. For an arg, that value seems quite appropriate. For a cookie or a header (also in the rule definition), maybe that's not normal.
But I wonder how it is that I only notice this now. There should be plenty of such situations.
Can it be because of the number of pattern occurrences found in the arg value? It found "<img+" 2 times and "<!--+meta+" 2 times. That makes 4 bad occurrences in one arg.
Tested with CRS rules v3.0.2