coreruleset / wordpress-rule-exclusions-plugin

Rule exclusion plugin for WordPress.
Apache License 2.0

Wordpress Elementor Plugin Error 403 on Save #22

Open canyon1991 opened 10 months ago

canyon1991 commented 10 months ago

Elementor Plugin

I am getting a 403 error when I try to save some changes that I made to my page using the html/text editor.

Server error Log:

"POST /wp-admin/admin-ajax.php HTTP/1.0" 200 943 "https://xxxxxxxxxx/wp-admin/post.php?post=9&action=elementor"

I will update this post if I find any more information.

lifeforms commented 10 months ago

Dear @canyon1991, your log entry appears to have a 200 (OK) status code. Is it possible you pasted the wrong line? In any case, we would need the full ModSecurity audit log entry in order to help you. By default, you can find this in /var/log/modsec_audit.log.

canyon1991 commented 10 months ago

Like a dummy I posted the wrong line.

Server Log Entry:

"POST /wp-admin/admin-ajax.php HTTP/1.0" 403 3321 "https://xxxxxxxx/wp-admin/post.php?post=9&action=elementor"

From the Audit Log:

Message: Warning. detected XSS using libinjection. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "98"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:actions: {\x22save_builder\x22:{\x22action\x22:\x22save_builder\x22,\x22data\x22:{\x22status\x22:\x22publish\x22,\x22elements\x22:[{\x22id\x22:\x226b339b9\x22,\x22elType\x22:\x22container\x22,\x22isInner\x22:false,\x22isLocked\x22:false,\x22settings\x22:{},\x22elements\x22:[{\x22id\x22:\x2238fc251\x22,\x22elType\x22:\x22widget\x22,\x22isInner\x22:false,\x22isLocked\x22:false,\x22settings\x22:{\x22editor\x22:\x22<p><span style=\x22color: #8f8f8f;\x22>C 2023 Des..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]

Message: Warning. Pattern match "(?i)<[^0-9<>A-Z_a-z]*(?:[^\\s\\v\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9> ..." at ARGS:actions. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "217"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: \x22save_builder\x22:{\x22action\x22:\x22save_builder\x22,\x22data\x22:{\x22status\x22:\x22publish\x22,\x22elements\x22:[{\x22id\x22:\x226b339b9\x22,\x22elType\x22:\x22container\x22,\x22isInner\x22:false,\x22isLocked\x22:false,\x22settings\x22:{},\x22elements\x22:[{\x22id\x22:\x2238fc251\x22,\x22elType\x22:\x22widget\x22,\x22isInner\x22:false,\x22isLocked\x22:false,\x22settings\x22:{\x22editor\x22:\x22<p><span style=\x22color: #8f8f8f;\x22>C 2023 Company Ltd | Registered in England No.xxxx.."] [severity "CRITICAL"] [ver "OWASP_CRS

Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "186"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "anomaly-evaluation"]

Message: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/coreruleset/rules/RESPONSE-980-CORRELATION.conf"] [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=10, detection=10, per_pl=10-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=10, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=10)"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "reporting"]

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xxx.xx.xxx.xx] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "98"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:actions: {\\\\x22save_builder\\\\x22:{\\\\x22action\\\\x22:\\\\x22save_builder\\\\x22,\\\\x22data\\\\x22:{\\\\x22status\\\\x22:\\\\x22publish\\\\x22,\\\\x22elements\\\\x22:[{\\\\x22id\\\\x22:\\\\x226b339b9\\\\x22,\\\\x22elType\\\\x22:\\\\x22container\\\\x22,\\\\x22isInner\\\\x22:false,\\\\x22isLocked\\\\x22:false,\\\\x22settings\\\\x22:{},\\\\x22elements\\\\x22:[{\\\\x22id\\\\x22:\\\\x2238fc251\\\\x22,\\\\x22elType\\\\x22:\\\\x22widget\\\\x22,\\\\x22isInner\\\\x22:false,\\\\x22isLocked\\\\x22:false,\\\\x22settings\\\\x22:{\\\\x22editor\\\\x22:\\\\x22<p><span style=\\\\x22color: #8f8f8f;\\\\x22>C 2023 xxxxxx..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "sandbox.mywebsite.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "ZVJvFvWBfL52WMRYD0i2DwAAAA4"]

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xxx.xx.xxx.xx] ModSecurity: Warning. Pattern match "(?i)<[^0-9<>A-Z_a-z]*(?:[^\\\\\\\\s\\\\\\\\v\\\\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9> ..." at ARGS:actions. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "217"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: \\\\x22save_builder\\\\x22:{\\\\x22action\\\\x22:\\\\x22save_builder\\\\x22,\\\\x22data\\\\x22:{\\\\x22status\\\\x22:\\\\x22publish\\\\x22,\\\\x22elements\\\\x22:[{\\\\x22id\\\\x22:\\\\x226b339b9\\\\x22,\\\\x22elType\\\\x22:\\\\x22container\\\\x22,\\\\x22isInner\\\\x22:false,\\\\x22isLocked\\\\x22:false,\\\\x22settings\\\\x22:{},\\\\x22elements\\\\x22:[{\\\\x22id\\\\x22:\\\\x2238fc251\\\\x22,\\\\x22elType\\\\x22:\\\\x22widget\\\\x22,\\\\x22isInner\\\\x22:false,\\\\x22isLocked\\\\x22:false,\\\\x22settings\\\\x22:{\\\\x22editor\\\\x22:\\\\x22<p><span style=\\\\x22color: #8f8f8f;\\\\x22>C 2023 Company Ltd | Registered in England No.13..."] [severity "CRITICAL"] [ver "OWASP_CRS [hostname "sandbox.mywebsite.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "ZVJvFvWBfL52WMRYD0i2DwAAAA4"]

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xxx.xx.xxx.xx] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "186"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "anomaly-evaluation"] [hostname "sandbox.mywebsite.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "ZVJvFvWBfL52WMRYD0i2DwAAAA4"]

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xxx.xx.xxx.xx] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/coreruleset/rules/RESPONSE-980-CORRELATION.conf"] [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=10, detection=10, per_pl=10-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=10, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=10)"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "reporting"] [hostname "sandbox.mywebsite.com"] [uri "/error/403.html"] [unique_id "ZVJvFvWBfL52WMRYD0i2DwAAAA4"]

Action: Intercepted (phase 2)

Stopwatch: 1699901206448869 27429 (- - -)

Stopwatch2: 1699901206448869 27429; combined=26618, p1=1041, p2=25339, p3=0, p4=0, p5=238, sr=0, sw=0, l=0, gc=0

Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); OWASP_CRS/4.0.0-rc2.

Server: Apache/2.4.58 (Ubuntu) OpenSSL/3.0.2

Engine-Mode: "ENABLED"

canyon1991 commented 10 months ago

I was able to get my pages to save once I commented out these 2 rules:

-=[ Libinjection - XSS Detection ]=- (starts at line 66 of /etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf)

&

-=[ NoScript XSS Filters ]=- (starts at line 188 of /etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf)

I am out of my depth on this subject, so I don't know if these 2 rules are critical, but for the time being I am keeping them disabled - I guess it is better than turning off all the ModSecurity rules.

The errors are still showing up in the audit log - even for the commented-out rules; now I am even more confused. On the other hand, there are more Apache-Errors compared to before.

Message: Warning. Pattern match "(?i)(?:t[\"\\^]*i[\"\\^]*m[\"\\^]*e|[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\v]*[\\s\\v\"'-\\(,@]*(?:[\"'\\.-9A-Z_a-z]+/|(?:[\"'\\x5c\\^]*[0-9A-Z_a-z][\"'\\x5c\\^]*:.*|[ \"'\\.-9A-Z\\x5c\\^-_a-z]*)\\x5c)?[\"\\^]*(>

Message: Warning. detected XSS using libinjection. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "97"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data f>

Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "186"] [id "949110"] [msg "Inbound Anomaly>

Message: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/coreruleset/rules/RESPONSE-980-CORRELATION.conf"] [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, thres>

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xxx.xxx.xx.xx] ModSecurity: Warning. Pattern match "(?i)(?:t[\\\\"\\\\\\\\^]*i[\\\\"\\\\\\\\^]*m[\\\\"\\\\\\\\^]*e|[\\\\\\\\n\\\\\\\\r;`\\\\\\\\{]|\\\\\\\\|\\\\\\\\|?|&&?>

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xx.xxx.xx.xxx] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "97"] [id >

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xx.xxx.xx.xxx] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity/coreruleset/rules/R>

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 1xx.xxx.xx.xxx] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/coreruleset/rules/RESPONSE-980-CORRELATION.conf"] [line "96"] [id "980170"]>

At least, I can save my files for now.

azurit commented 10 months ago

@canyon1991 Unfortunately, we don't support any WordPress plugins or themes. Anyway, try this exclusion rule:

SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
    "id:9990399,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule ARGS:action "@streq elementor" \
        "t:none,\
        chain"
        SecRule &ARGS:action "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetById=941100;ARGS:actions,\
            ctl:ruleRemoveTargetById=941160;ARGS:actions"

canyon1991 commented 10 months ago

@azurit Thank you for sending this over and trying to help me and anybody else that has the same issue.

I do understand your point of "we don't support any WordPress plugins or themes", but I believed the whole point of the "wordpress-rule-exclusions-plugin" was to help people that use WordPress not have issues in general. I understand that this issue is caused by a single plugin in my case, but surely there will be many other plugins in general that will have this issue too.

On a side note, to which file would I add this exclusion?

azurit commented 10 months ago

The problem is just what you said - there are way too many plugins and it's really hard to support them. I'm running CRS with WordPress on my commercial services and we already have almost 400 exclusion rules for various WordPress plugins and themes, while new rules are added every week.

Put that rule into file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.

canyon1991 commented 10 months ago

@azurit I understand it now. This might be a silly question, but can't rules be made broader to avoid having too many false positives, or would we be creating a lot of security holes? For example, on the rule you sent me, my understanding is that this exception only applies to Elementor, but can't we just leave it open to all the other plugins? Or would doing this just create massive security risks?

Are there any reliable resources I can use to learn how to create my own exclusions? Thanks to your exclusion, I was able to understand a little bit about it.

azurit commented 10 months ago

@canyon1991 Every rule was written to prevent a specific attack, so it's probably not possible to make it less sensitive while still fully preventing the threat for which it was created.

Of course you can modify my exclusion rule and remove the check for the action parameter, so it will disable the listed rules for every request to file /wp-admin/post.php, but this will probably lower the CRS protection too much. Exclusion rules should be as tight as possible so as not to open more holes in the firewall than is needed.

Try looking at this.

canyon1991 commented 10 months ago

@azurit I really appreciate your help with this.

canyon1991 commented 10 months ago

I should keep this open until I have tested it - to help someone else that encounters the same issue as I did.

@azurit - unfortunately, the exception rule didn't work. I have been analysing the Audit Log and here they are:

Messages:

--35c1b108-H--
Message: Warning. Pattern match "(?i)(?:t[\"\\^]*i[\"\\^]*m[\"\\^]*e|[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\v]*[\\s\\v\"'-\\(,@]*(?:[\"'\\.-9A-Z_a-z]+/|(?:[\"'\\x5c\\^]*[0-9A-Z_a-z][\"'\\x5c\\^]*:.*|[ \"'\\.-9A-Z\\x5c\\^-_a-z]*)\\x5c)?[\"\\^]*(?:a[\"\\^]*(?:c[\"\\^]*c[\"\\^]*c[\"\\^]*h[\"\\^ ..." at ARGS:actions. [file "/etc/modsecurity/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "800"] [id "932370"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: {\x22url found within ARGS:actions: {\x22c31\x22:{\x22action\x22:\x22render_widget\x22,\x22data\x22:{\x22data\x22:{\x22id\x22:\x2238fc251\x22,\x22elType\x22:\x22widget\x22,\x22isInner\x22:false,\x22isLocked\x22:false,\x22settings\x22:{\x22editor\x22:\x22<p><span style=\x5c\x22color: #8f8f8f;\x5c\x22>\xc2\xa9 2023 Company Ltd | Registered in England No.xxxxxxxxx - test</span></p>\x5cn<p><span style=\x5c\x22color: #ffffff;\x5c\x22><a style=\x5c\x22color: #ffffff;\x5c\x22 href=\x5c\x22#discla..."] [severity "CRITICAL"] [ver "OWA

Message: Warning. detected XSS using libinjection. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "98"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:actions: {\x22c31\x22:{\x22action\x22:\x22render_widget\x22,\x22data\x22:{\x22data\x22:{\x22id\x22:\x2238fc251\x22,\x22elType\x22:\x22widget\x22,\x22isInner\x22:false,\x22isLocked\x22:false,\x22settings\x22:{\x22editor\x22:\x22<p><span style=\x22color: #8f8f8f;\x22>C 2023 Company Ltd | Registered in England No.xxxxxxxxx - test</span></p>\x0a<p><span style=\x22color: #ffffff;\x22><a style=\x22color: #ffffff;\x22 href=\x22#disclaimer\x22>Disclaimer</a></span> <span..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]

Message: Warning. Pattern match "(?i)<[^0-9<>A-Z_a-z]*(?:[^\\s\\v\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9> ..." at ARGS:actions. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "217"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: \x22c31\x22:{\x22action\x22:\x22render_widget\x22,\x22data\x22:{\x22data\x22:{\x22id\x22:\x2238fc251\x22,\x22elType\x22:\x22widget\x22,\x22isInner\x22:false,\x22isLocked\x22:false,\x22settings\x22:{\x22editor\x22:\x22<p><span style=\x22color: #8f8f8f;\x22>C 2023 Company Ltd | Registered in England No.xxxxxxxxx - test</span></p>\x0a<p><span style=\x22color: #ffffff;\x22><a style=\x22color: #ffffff;\x22 href=\x22#disclaimer\x22>Disclaimer</a></span> <span style=\x22color: #57b4a5;\x22>|</spa..."] [severity "CRITICAL"] [ver "OWASP_CRS

Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "186"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "anomaly-evaluation"]

Message: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/coreruleset/rules/RESPONSE-980-CORRELATION.conf"] [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=15, detection=15, per_pl=15-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=10, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=15)"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "reporting"]

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Pattern match "(?i)(?:t[\\\\"\\\\\\\\^]*i[\\\\"\\\\\\\\^]*m[\\\\"\\\\\\\\^]*e|[\\\\\\\\n\\\\\\\\r;`\\\\\\\\{]|\\\\\\\\|\\\\\\\\|?|&&?)[\\\\\\\\s\\\\\\\\v]*[\\\\\\\\s\\\\\\\\v\\\\"'-\\\\\\\\(,@]*(?:[\\\\"'\\\\\\\\.-9A-Z_a-z]+/|(?:[\\\\"'\\\\\\\\x5c\\\\\\\\^]*[0-9A-Z_a-z][\\\\"'\\\\\\\\x5c\\\\\\\\^]*:.*|[ \\\\"'\\\\\\\\.-9A-Z\\\\\\\\x5c\\\\\\\\^-_a-z]*)\\\\\\\\x5c)?[\\\\"\\\\\\\\^]*(?:a[\\\\"\\\\\\\\^]*(?:c[\\\\"\\\\\\\\^]*c[\\\\"\\\\\\\\^]*c[\\\\"\\\\\\\\^]*h[\\\\"\\\\\\\\^ ..." at ARGS:actions. [file "/etc/modsecurity/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "800"] [id "932370"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: {\\\\x22url found within ARGS:actions: {\\\\x22c31\\\\x22:{\\\\x22action\\\\x22:\\\\x22render_widget\\\\x22,\\\\x22data\\\\x22:{\\\\x22data\\\\x22:{\\\\x22id\\\\x22:\\\\x2238fc251\\\\x22,\\\\x22elType\\\\x22:\\\\x22widget\\\\x22,\\\\x22isInner\\\\x22:false,\\\\x22isLocked\\\\x22:false,\\\\x22settings\\\\x22:{\\\\x22editor\\\\x22:\\\\x22<p><span style=\\\\x5c\\\\x22color: #8f8f8f;\\\\x5c\\\\x22>\\\\xc2\\\\xa9 2023 Company Ltd | Registered in England No.xxxxxxxxx - test</span></p>\\\\x5cn<p><span style=\\\\x5c\\\\x22color: #ffffff;\\\\x5c\\\\x22><a style=\\\\x5c\\\\x22color: #ffffff;\\\\x5c\\\\x22 href=\\\\x5c\\\\x22#discla..."] [severity "CRITICAL"] [ver "OWA [hostname "sandbox.xxxxxxxx.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "ZVNlcYmy6agDI_O6cg61JAAAAEY"]

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "98"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:actions: {\\\\x22c31\\\\x22:{\\\\x22action\\\\x22:\\\\x22render_widget\\\\x22,\\\\x22data\\\\x22:{\\\\x22data\\\\x22:{\\\\x22id\\\\x22:\\\\x2238fc251\\\\x22,\\\\x22elType\\\\x22:\\\\x22widget\\\\x22,\\\\x22isInner\\\\x22:false,\\\\x22isLocked\\\\x22:false,\\\\x22settings\\\\x22:{\\\\x22editor\\\\x22:\\\\x22<p><span style=\\\\x22color: #8f8f8f;\\\\x22>C 2023 Company Ltd | Registered in England No.xxxxxxxxx - test</span></p>\\\\x0a<p><span style=\\\\x22color: #ffffff;\\\\x22><a style=\\\\x22color: #ffffff;\\\\x22 href=\\\\x22#disclaimer\\\\x22>Disclaimer</a></span> <span..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "sandbox.xxxxxxxx.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "ZVNlcYmy6agDI_O6cg61JAAAAEY"]

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Pattern match "(?i)<[^0-9<>A-Z_a-z]*(?:[^\\\\\\\\s\\\\\\\\v\\\\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9> ..." at ARGS:actions. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "217"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: \\\\x22c31\\\\x22:{\\\\x22action\\\\x22:\\\\x22render_widget\\\\x22,\\\\x22data\\\\x22:{\\\\x22data\\\\x22:{\\\\x22id\\\\x22:\\\\x2238fc251\\\\x22,\\\\x22elType\\\\x22:\\\\x22widget\\\\x22,\\\\x22isInner\\\\x22:false,\\\\x22isLocked\\\\x22:false,\\\\x22settings\\\\x22:{\\\\x22editor\\\\x22:\\\\x22<p><span style=\\\\x22color: #8f8f8f;\\\\x22>C 2023 Company Ltd | Registered in England No.xxxxxxxxx - test</span></p>\\\\x0a<p><span style=\\\\x22color: #ffffff;\\\\x22><a style=\\\\x22color: #ffffff;\\\\x22 href=\\\\x22#disclaimer\\\\x22>Disclaimer</a></span> <span style=\\\\x22color: #57b4a5;\\\\x22>|</spa..."] [severity "CRITICAL"] [ver "OWASP_CRS [hostname "sandbox.xxxxxxxx.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "ZVNlcYmy6agDI_O6cg61JAAAAEY"]

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "186"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "anomaly-evaluation"] [hostname "sandbox.xxxxxxxxxxx.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "ZVNlcYmy6agDI_O6cg61JAAAAEY"]

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/coreruleset/rules/RESPONSE-980-CORRELATION.conf"] [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=15, detection=15, per_pl=15-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=10, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=15)"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "reporting"] [hostname "sandbox.xxxxxxxxxxx.com"] [uri "/error/403.html"] [unique_id "ZVNlcYmy6agDI_O6cg61JAAAAEY"]

Action: Intercepted (phase 2)

Stopwatch: 1699964273147103 93793 (- - -)

Stopwatch2: 1699964273147103 93793; combined=92146, p1=3280, p2=88645, p3=0, p4=0, p5=221, sr=0, sw=0, l=0, gc=0

Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); OWASP_CRS/4.0.0-rc2.

Server: Apache/2.4.58 (Ubuntu) OpenSSL/3.0.2

Engine-Mode: "ENABLED"

Here is more information about the blocks:

SecRule "REQUEST_PROTOCOL" "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" "phase:1,log,auditlog,id:920180,block,t:none,msg:'POST without Content-Length or Transfer-Encoding headers',logdata:%{MATCHED_VAR},tag:applicatio>
SecRule "REQUEST_METHOD" "@streq POST" "chain"
#SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0" "chain"
#SecRule "&REQUEST_HEADERS:Transfer-Encoding" "@eq 0" "setvar:tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}"

SecRule "REQUEST_HEADERS:Content-Length" "!@rx ^0$" "phase:1,log,auditlog,id:920340,pass,t:none,msg:'Request Containing Content, but Missing Content-Type header',tag:application-multi,tag:language-multi,tag:platform>
#SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "t:none,setvar:tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}"

SecRule "REQUEST_HEADERS:Content-Type" "@rx ^[^;\\s]+" "phase:1,log,auditlog,id:920420,block,capture,t:none,msg:'Request content type is not allowed by policy',logdata:%{MATCHED_VAR},tag:application-multi,tag:langua>
#SecRule "TX:content_type" "!@within %{tx.allowed_request_content_type}" "t:lowercase,setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}"

SecRule "REQUEST_HEADERS:Content-Type" "@rx charset\\s*=\\s*[\"']?([^;\"'\\s]+)" "phase:1,log,auditlog,id:920480,block,capture,t:none,msg:'Request content type charset is not allowed by policy',logdata:%{MATCHED_VAR>
#SecRule "TX:content_type_charset" "!@within %{tx.allowed_request_content_type_charset}" "t:lowercase,ctl:forceRequestBodyVariable=On,setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}"

SecRule "REQUEST_BASENAME" "@rx \\.([^.]+)$" "phase:1,log,auditlog,id:920440,block,capture,t:none,msg:'URL file extension is restricted by policy',logdata:%{TX.0},tag:application-multi,tag:language-multi,tag:platfor>
#SecRule "TX:EXTENSION" "@within %{tx.restricted_extensions}" "t:none,t:urlDecodeUni,t:lowercase,setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^.*$" "phase:1,log,auditlog,id:920450,block,capture,t:none,t:lowercase,msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',logdata:'Restricted header detected: %{MATCHED_V>
#SecRule "TX:/^header_name_920450_/" "@within %{tx.restricted_headers_basic}" "setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}"

SecRule "REQUEST_FILENAME" "@endsWith /wp-admin/admin-ajax.php" "phase:2,auditlog,id:9507710,pass,t:none,nolog,ver:wordpress-rule-exclusions-plugin/1.0.1,chain"
#SecRule "ARGS:action" "@streq heartbeat" "t:none,chain"
#SecRule "&ARGS:action" "@eq 1" "t:none,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:data[wp_autosave][post_title],ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:data[wp_autosave][content],ctl:ruleRemoveTargetById=941270;AR>

SecRule "REQUEST_HEADERS:Content-Type" "@rx ^(?i)application/x-www-form-urlencoded" "phase:2,log,auditlog,id:920240,block,t:none,msg:'URL Encoding Abuse Attack Attempt',logdata:%{MATCHED_VAR},tag:application-multi,t>
SecRule "REQUEST_BODY" "@rx \\x25" "chain"
#SecRule "REQUEST_BODY" "@validateUrlEncoding " "setvar:tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}"

SecRule "REQBODY_PROCESSOR" "!@streq JSON" "phase:2,log,auditlog,id:920540,block,t:none,msg:'Possible Unicode character bypass detected',logdata:%{MATCHED_VAR_NAME}=%{MATCHED_VAR},tag:application-multi,tag:language->
#SecRule "REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES" "@rx (?i)\\x5cu[0-9a-f]{4}" "setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}"
azurit commented 10 months ago

@canyon1991 The exclusion rule is OK, but you sent different data in this request, so it also triggered another rule - 932370. Try to modify my rule and also exclude ID 932370.

canyon1991 commented 10 months ago

@azurit I totally understand if you don't have too much time on your hands, but could you give me a brief idea/example how to read these things so in the future I can make my own exclusions without having to bother you and the other members of the community?

I really would like to learn, and I am happy to investigate things and make mistakes but if I know where to look, it makes things slightly easier.

azurit commented 10 months ago

@canyon1991 No, it's not about time, I just wanted to force you to learn it - it's easy. :)

First of all, look at the logs and identify which IDs were triggered by which GET/POST parameters, in your case:

... [line "800"] [id "932370"] [msg ... [data "Matched Data: {\x22url found within ARGS:actions: ... ... [line "98"] [id "941100"] [msg ... [data "Matched Data: XSS data found within ARGS:actions: ... ... at ARGS:actions. [file ... [line "217"] [id "941160"] [msg ... ... [line "186"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] ... ... [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=15, detection=15 ...

Second, add all combinations of triggered rule and argument/variable into the exclusion rule using ctl:ruleRemoveTargetById=<ID>;<VARIABLE>. BEWARE: Never add rules which start with 949 or 980, because these are score evaluation and blocking rules (so excluding them will disable the firewall completely).
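The two steps above, automated as an added example (not code from this repository and not dune73's modsec-rulereport.rb): it pulls the rule id and the matched variable out of each Message: line, refuses the 949/980 evaluation rules, and emits an exclusion in the shape of the chained rule posted earlier in the thread. The rule id 9990399, the /wp-admin/post.php filename and the elementor action value are assumptions copied from that earlier rule, and the sample log lines are constructed, abbreviated from the audit log quoted above.

```python
"""Build a CRS rule exclusion from ModSecurity audit-log "Message:" lines.

Added example, not project code. Assumptions: rule id 9990399 and the
REQUEST_FILENAME / ARGS:action conditions are taken from the exclusion rule
posted in this thread; adjust them to the request that is actually blocked.
"""
import re

# Score-evaluation and reporting rules (949xxx, 980xxx) must never be excluded:
# removing their targets switches the anomaly-scoring firewall off entirely.
DELICATE_PREFIXES = ("949", "980")

ID_RE = re.compile(r'\[id "(\d+)"\]')
# Operator-match messages: '... at ARGS:actions. [file'
AT_RE = re.compile(r' at ([A-Z_]+(?::[^\s.]+)?)\. \[file')
# libinjection messages only name the variable in the data field:
# '... found within ARGS:actions: ...'
WITHIN_RE = re.compile(r'found within ([A-Z_]+:[^\s:]+):')

# Constructed sample: five Message: lines abbreviated from the thread's audit log.
SAMPLE_MESSAGES = r"""
Message: Warning. Pattern match "(?i)(?:t[\"\\^]*i ..." at ARGS:actions. [file "/etc/modsecurity/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "800"] [id "932370"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: {\x22url found within ARGS:actions: {\x22c31\x22:{..."] [severity "CRITICAL"]
Message: Warning. detected XSS using libinjection. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "98"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:actions: {\x22c31\x22:{..."] [severity "CRITICAL"]
Message: Warning. Pattern match "(?i)<[^0-9<>A-Z_a-z]* ..." at ARGS:actions. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "217"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: \x22c31\x22:{..."] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "186"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"]
Message: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/coreruleset/rules/RESPONSE-980-CORRELATION.conf"] [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=15, ...)"]
"""

# Shape of the chained exclusion rule posted earlier in the thread.
TEMPLATE = '''SecRule REQUEST_FILENAME "@endsWith %(filename)s" \\
    "id:%(rule_id)d,\\
    phase:2,\\
    pass,\\
    t:none,\\
    nolog,\\
    chain"
    SecRule ARGS:action "@streq %(action)s" \\
        "t:none,\\
        chain"
        SecRule &ARGS:action "@eq 1" \\
            "t:none,\\
            %(ctls)s"
'''


def parse_alert(line):
    """Return (rule_id, variable_or_None) for one Message: line, else None."""
    if not line.startswith("Message:"):
        return None
    m = ID_RE.search(line)
    if not m:
        return None
    var = AT_RE.search(line) or WITHIN_RE.search(line)
    return m.group(1), (var.group(1) if var else None)


def collect_targets(log_text):
    """Step one: unique (rule id, variable) pairs, with delicate ids set aside."""
    targets, skipped = [], []
    for line in log_text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue
        rule_id, var = parsed
        if rule_id.startswith(DELICATE_PREFIXES):
            skipped.append(rule_id)  # never exclude 949xxx / 980xxx
            continue
        if var is None:
            continue  # nothing to scope the exclusion to; review by hand
        if (rule_id, var) not in targets:
            targets.append((rule_id, var))
    return targets, skipped


def build_exclusion(targets, rule_id=9990399,
                    filename="/wp-admin/post.php", action="elementor"):
    """Step two: one ctl:ruleRemoveTargetById=<ID>;<VARIABLE> per pair."""
    ctls = ",\\\n            ".join(
        "ctl:ruleRemoveTargetById=%s;%s" % (rid, var) for rid, var in targets)
    return TEMPLATE % {"filename": filename, "rule_id": rule_id,
                       "action": action, "ctls": ctls}


if __name__ == "__main__":
    found, refused = collect_targets(SAMPLE_MESSAGES)
    print("# refused delicate rules:", ", ".join(refused))
    print(build_exclusion(found))
```

The generated rule goes into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, as azurit says above; the printed "refused" list is the reminder that those ids stay out of any exclusion.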

canyon1991 commented 10 months ago

Okay, I am going to try to get something done and then post here for feedback :)

Thank you 👍

Ps: does that mean I shouldn't add any exceptions for the last 2 lines you sent as an example?

dune73 commented 10 months ago

@canyon1991: I recommend you read our documentation and also read through the tutorials hosted at netnea.com. There is also a script (modsec-rulereport.rb) that allows you to pipe rule alerts into it and then receive the finished rule exclusion. On top of that, the script will refuse to exclude one of the delicate rules @azurit mentions.

azurit commented 10 months ago

Ps: does that mean I shouldn't add any exceptions for the last 2 lines you sent as an example?

Yes, exactly.

azurit commented 5 months ago

@canyon1991 Were you able to write a correct exclusion rule?

canyon1991 commented 5 months ago

I haven't addressed it yet, but it's definitely on my radar to get done at some point once I have more time to invest in learning about ModSecurity. For now, I am only using the basic security measures that come out of the box with the services I use, on top of extremely strict Cloudflare WAF rules.