SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

WordPress JetPack False Positive #1737

Open manuelroccon opened 4 years ago

manuelroccon commented 4 years ago

Type of Issue

False positive

Description

Issue with Wordpress JetPack plugin

Audit Logs / Triggered Rule Numbers

--a8dd7334-A--
[11/Apr/2020:15:19:23 +0300] XpG1y2B9vAtGdcg7i3j4AAAAEE 192.0.101.214 1088 123.123.123.123 443
--a8dd7334-B--
POST /?for=jetpack&jetpack=comms&token=&timestamp=&nonce=&body-hash=&signature=%3D HTTP/1.1
Host: www.domain.com
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip
Referer: https://www.domain.com/?for=jetpack&jetpack=comms&token=&timestamp=&nonce=&body-hash=
Authorization: X_JETPACK token="" timestamp="" nonce="" body-hash="=" signature="="
Connection: close
Content-Length: 114
Content-Type: application/x-www-form-urlencoded

--a8dd7334-C--
<?xml version="1.0"?>

jetpack.testConnection

--a8dd7334-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/7.3.16
Cache-Control: no-cache
Content-Encoding: gzip
Vary: User-Agent
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

--a8dd7334-H--
Message: Warning. detected XSS using libinjection. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS_NAMES:<?xml version: <?xml version"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS_NAMES:<?xml version: <?xml version"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "www.domain.com"] [uri "/"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.domain.com"] [uri "/"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "www.domain.com"] [uri "/index.php"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Action: Intercepted (phase 2)
Apache-Handler: proxy:fcgi://php-fpm
Stopwatch: 1586607563182272 11167 (- - -)
Stopwatch2: 1586607563182272 11167; combined=3345, p1=553, p2=2622, p3=0, p4=0, p5=170, sr=70, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Engine-Mode: "ENABLED"

--a8dd7334-Z--

Your Environment

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
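A scoped rule exclusion for the false positive reported above, added here as an example; it is not part of the issue, of the CRS repository, or of Jetpack. The audit log explains the match: Jetpack sends an XML-RPC body with Content-Type: application/x-www-form-urlencoded, so ModSecurity's URLENCODED body processor splits the body at its first "=" and the text before it, "<?xml version", becomes an argument name. Rule 941100 runs libinjection over ARGS_NAMES and flags "<?xml" as a tag opener (the "[data ...]" field shows exactly that), which at paranoia level 1 scores 5 and trips 949110. The exclusion below removes only ARGS_NAMES from 941100, and only for a POST to the Jetpack endpoint whose body really starts with "<?xml"; ARGS, XML:/* and every other rule keep inspecting the request. Assumptions: the rule id 1000 (any free id in the 1-99999 local range works), the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (the exclusion must run before 941100 in phase 2, which that file guarantees by load order), and the path pattern, which is written for the "/?for=jetpack" URI seen in this log and would need extending if the site also receives Jetpack traffic on another path.

```apacheconf
# Added example for CRS 3.2 / ModSecurity 2.9: place in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (assumed location).
#
# Jetpack posts an XML-RPC document with Content-Type:
# application/x-www-form-urlencoded. The URLENCODED body processor parses
# the body as key=value pairs, so "<?xml version" (everything before the
# first "=") ends up in ARGS_NAMES, where 941100's libinjection XSS check
# matches it. Narrow the exclusion to that exact situation instead of
# disabling 941100 or the engine for the whole endpoint: the URI is public
# and the User-Agent is trivially spoofable, so neither is worth trusting.
SecRule REQUEST_URI "@rx ^/(?:index\.php)?\?for=jetpack(?:&|$)" \
    "id:1000,\
    phase:2,\
    pass,\
    nolog,\
    chain"
    # Only POSTs: Jetpack's XML-RPC calls are POSTs, and GETs have no body.
    SecRule REQUEST_METHOD "@streq POST" \
        "chain"
        # REQUEST_BODY is populated here precisely because the URLENCODED
        # processor ran. Only when the body is an XML document do we drop
        # the ARGS_NAMES target from 941100; ARGS and XML:/* stay in scope.
        SecRule REQUEST_BODY "@beginsWith <?xml" \
            "ctl:ruleRemoveTargetById=941100;ARGS_NAMES"
```

After reloading, re-run the Jetpack connection test and read the audit log again: because 941100 stops at the first matching target and reports only that one, the same XML may still match via ARGS once ARGS_NAMES is excluded, and other rules may score the request too. Extend the exclusion target by target from what the log shows rather than jumping to ctl:ruleRemoveById for the endpoint. A more thorough alternative is a phase:1 rule on the same URI that sets ctl:requestBodyProcessor=XML, so the body is parsed and inspected as XML instead of being mis-parsed as form data; it needs the same re-test, since a body the XML parser cannot handle raises a request body error instead.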