SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

Netscaler ns-client-ip false positive - 941100 libinjection #967

Closed brianp9906 closed 7 years ago

brianp9906 commented 7 years ago

Our load balancer (Citrix Netscaler) appends a header "NS-Client-IP" to HTTP requests to track the true source IP from the web request. ModSecurity is flagging this as an issue and the matched data doesn't make any sense, so it appears to be a bug.

[Tue Nov 21 01:32:14 2017] [error] [client 10.1.1.1] ModSecurity: Warning. detected XSS using libinjection. [file "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: ns-client-ip found within ARGS:gid: Bp5TvJc0Anl onZWXteReQ=="] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "xxxx"] [uri "xxxx"] [unique_id "WhPyngoh4iwAAPQUhR4AAAAF"]

The modsec audit log shows the request like this:

```text
[21/Nov/2017:01:32:15 --0800] WhPyngoh4iwAAPQUhR4AAAAF 10.1.1.1 14220 10.1.2.1 443 --6fad0e14-B-- POST /url/path HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows; Trident/4.0) Accept-Encoding: gzip, deflate Accept: / Connection: Keep-Alive Host: XXXX Content-Length: 1454 NS-Client-IP: 10.1.1.250

--6fad0e14-C-- [stuff before]&gid=Bp5TvJc0Anl%2BonZWXteReQ%3D%3D&[stuff after]

--6fad0e14-F-- HTTP/1.0 200 OK Content-Length: 24740 Connection: close Content-Type: text/html;charset=UTF-8
```

lifeforms commented 7 years ago

Hi! This alert is triggered because of the onZWXteReQ string which is seen by libinjection as a generic HTML event handler attribute. It's been discussed earlier in #820 and #663.

It should hopefully have been addressed in libinjection by https://github.com/client9/libinjection/pull/118, but I am NOT sure if this newest libinjection version is already bundled with ModSecurity.

In any case, if you are running a ModSecurity version below 2.9.2, please try updating to ModSecurity 2.9.2 first.

If it is still present in ModSecurity 2.9.2, then ModSecurity should update its bundled libinjection library. In that case, please open an issue on the https://github.com/SpiderLabs/ModSecurity issue tracker, and then hopefully it will be addressed in ModSecurity 2.9.3.

For now, you can temporarily add an exclusion for the gid query parameter like:

```apache
SecAction \
    "id:12345,phase:1,t:none,nolog,pass,\
        ctl:ruleRemoveTargetById=941100;ARGS:gid"
```
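
As an added illustration (not part of this issue or of the CRS project), a small triage script that parses the 941100 error-log entry quoted above, extracts the flagged variable and matched value, and renders the per-target exclusion proposed here only when the matched value is an opaque base64-looking token; the regexes and the "opaque token" heuristic are assumptions of this example, not ModSecurity or libinjection code.

```python
import re
from typing import Any, Dict, Tuple

# Constructed sample: the CRS 941100 error-log entry quoted in this issue (trimmed).
SAMPLE_LOG = (
    '[Tue Nov 21 01:32:14 2017] [error] [client 10.1.1.1] ModSecurity: Warning. '
    'detected XSS using libinjection. [line "56"] [id "941100"] [rev "2"] '
    '[msg "XSS Attack Detected via libinjection"] '
    '[data "Matched Data: ns-client-ip found within ARGS:gid: Bp5TvJc0Anl onZWXteReQ=="] '
    '[tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [uri "xxxx"]'
)

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # one [key "value"] field
DATA_RE = re.compile(r'found within ([A-Za-z_]+(?::[^:]+)?): (.*)$')
OPAQUE_RE = re.compile(r'^[A-Za-z0-9+/ ]{8,}={0,2}$')   # base64-looking blob, as logged

def parse_entry(line: str) -> Dict[str, Any]:
    """Split a ModSecurity 2.x error-log line into its [key "value"] fields; tags become a list."""
    fields: Dict[str, Any] = {}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields.setdefault("tags", []).append(value)
        else:
            fields[key] = value
    return fields

def matched_target(data: str) -> Tuple[str, str]:
    """Return (variable, matched value) from the data field, e.g. ('ARGS:gid', 'Bp5T...')."""
    m = DATA_RE.search(data)
    if m is None:
        raise ValueError("unrecognised data field: " + data)
    return m.group(1), m.group(2)

def is_opaque_token(value: str) -> bool:
    """Heuristic (assumed): an unreadable base64-style token is a typical false-positive carrier."""
    return OPAQUE_RE.match(value.strip()) is not None

def exclusion_rule(rule_id: str, target: str, excl_id: int) -> str:
    """Render the per-target exclusion suggested in the thread (excl_id is site-chosen)."""
    return ('SecAction \\\n'
            f'    "id:{excl_id},phase:1,t:none,nolog,pass,\\\n'
            f'        ctl:ruleRemoveTargetById={rule_id};{target}"')

def triage(line: str, excl_id: int = 12345) -> Dict[str, Any]:
    """Parse one alert and propose an exclusion only when the hit looks like an opaque token."""
    entry = parse_entry(line)
    target, value = matched_target(str(entry["data"]))
    opaque = is_opaque_token(value)
    return {"rule_id": entry["id"], "target": target, "opaque_value": opaque,
            "exclusion": exclusion_rule(str(entry["id"]), target, excl_id) if opaque else None}
```

The SecAction form applies to every request; placing the same ctl action in a SecRule keyed on the request path is the usual tighter alternative.
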

victorhora commented 6 years ago

@lifeforms I'm afraid this hasn't been fixed in libInjection yet. Please see https://github.com/SpiderLabs/ModSecurity/issues/1723#issuecomment-420853197

lifeforms commented 6 years ago

@victorhora You are right, it's still an issue in libinjection it seems. I'll close this issue since we already have #820 which is the same issue. I'll keep that bug open to keep track of it. Thanks!