kitodo / kitodo-production

Kitodo.Production is a workflow management tool for mass digitization and is part of the Kitodo Digital Library Suite.
http://www.kitodo.org/software/kitodoproduction/
GNU General Public License v3.0

Page URL can trigger false-positive XSS detection #6118

Open matthias-ronge opened 4 months ago

matthias-ronge commented 4 months ago

I want to leave this here for documentation purposes and in case it becomes a problem more often. The usual solution here is to remove Production from the monitoring (i.e., whitelist it).

Describe the bug

When you click the Create Process button, the server displays error message page 403: Forbidden.

To Reproduce

Steps to reproduce the behavior:

  1. Go to projects page
  2. Click new process (big blue plus button)

Expected behavior

The selection box for production template selection should appear.

Screenshots

Error message

Additional context

From the firewall log:

[Tue Jul 02 12:53:44.334366 2024] [security2:error] [pid 25559:tid 139879434385152] [client (... IP ...):59938] [client (... IP ...)] ModSecurity: Warning. Pattern match "(?i)[\\\\s\\\\S](?:!ENTITY\\\\s+(?:\\\\S+|%\\\\s+\\\\S+)\\\\s+(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\\\\/html|pattern\\\\b.*?=|formaction|\\\\@import|;base64)\\\\b" at ARGS:referrer. [file "/usr/apache/conf/waf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "139"] [id "941130"] [msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data: .xhtml found within ARGS:referrer: /pages/desktop.xhtml"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.3"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "(... FQDN ...)"] [uri "/kitodo/pages/processFromTemplate.jsf"] [unique_id "ZoP4WE2Q6uTvc8AUknx_VgAAAc0"], referer: https://(... FQDN ...)/kitodo/pages/desktop.jsf
[Tue Jul 02 12:53:44.335028 2024] [security2:error] [pid 25559:tid 139879434385152] [client (... IP ...):59938] [client (... IP ...)] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/apache/conf/waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.3"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "(... FQDN ...)"] [uri "/kitodo/pages/processFromTemplate.jsf"] [unique_id "ZoP4WE2Q6uTvc8AUknx_VgAAAc0"], referer: https://(... FQDN ...)/kitodo/pages/desktop.jsf
[Tue Jul 02 12:53:44.335151 2024] [security2:error] [pid 25559:tid 139879434385152] [client (... IP ...):59938] [client (... IP ...)] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.3"] [tag "event-correlation"] [hostname "(... FQDN ...)"] [uri "/kitodo/pages/processFromTemplate.jsf"] [unique_id "ZoP4WE2Q6uTvc8AUknx_VgAAAc0"], referer: https://(... FQDN ...)/kitodo/pages/desktop.jsf
[Tue Jul  2 12:53:44.332851 2024] timestamp="1719924824" srcip="(... IP ...)" localip="(... IP ...)" user="-" method="GET" statuscode="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" exceptions="-" duration="2334" url="/kitodo/pages/processFromTemplate.jsf" server="(... FQDN ...)" referer="https://(... FQDN ...)/kitodo/pages/desktop.jsf" cookie="JSESSIONID=806630A50A052FEEB99C23A106E70CDF; oam.Flash.RENDERMAP.TOKEN=-8i9nzvqtj" set-cookie="-" recvbytes="809" sentbytes="429" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0" querystring="?faces-redirect=true&templateId=4&projectId=3&referrer=/pages/desktop.xhtml" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="160"

The mentioned rule file versions are located at: https://github.com/coreruleset/coreruleset/tree/6f2333b17231198fa98717781737359faf5284da/rules

See also: https://owasp.org/www-project-modsecurity-core-rule-set/
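A triage helper for log lines like the ones in this report, as an added example that is not part of the issue or of Kitodo.Production: it parses the bracketed ModSecurity fields, re-runs the logged CRS 3.3.3 rule 941130 regex on the referrer value to show that `.xhtml` is what matches (the `x(?:link:href|html|mlns)` alternation), and reproduces the anomaly-score arithmetic that turns one CRITICAL hit (5 points) into a block at the default inbound threshold of 5. The sample log line is constructed from the report with its placeholders kept, and the severity point values are the CRS 3.x defaults.

```python
import re

# CRS 3.3 rule 941130 regex as logged in the issue (Python raw string, single backslashes).
RULE_941130 = re.compile(
    r"(?i)[\s\S](?:!ENTITY\s+(?:\S+|%\s+\S+)\s+(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)"
    r"|data:text\/html|pattern\b.*?=|formaction|\@import|;base64)\b"
)
# CRS 3.x default anomaly points per severity and the default inbound blocking threshold.
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5

# Constructed sample, shaped like the 941130 line in the issue (placeholders kept, regex elided).
SAMPLE_LOG = [
    '[Tue Jul 02 12:53:44.334366 2024] [security2:error] [client (... IP ...):59938] '
    'ModSecurity: Warning. Pattern match "..." at ARGS:referrer. [file "/usr/apache/conf/'
    'waf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "139"] [id "941130"] '
    '[msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data: .xhtml found '
    'within ARGS:referrer: /pages/desktop.xhtml"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.3"] '
    '[tag "attack-xss"] [tag "paranoia-level/1"] [uri "/kitodo/pages/processFromTemplate.jsf"]',
]

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')  # one [key "value"] pair of the error-log line
MATCHED = re.compile(r"Matched Data: (.*?) found within (\S+): (.*)")

def parse_event(line):
    """Turn one ModSecurity error-log line into a dict of its [key "value"] fields."""
    event = {"tags": []}
    for key, value in FIELD.findall(line):
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value
    m = MATCHED.search(event.get("data", ""))
    if m:  # split "Matched Data: X found within VAR: VALUE" into its three parts
        event["matched"], event["variable"], event["value"] = m.groups()
    return event

def explain_941130(value):
    """Re-run the 941130 pattern on a parameter value; return the matched text or None."""
    m = RULE_941130.search(value)
    return m.group(0) if m else None

def triage(lines):
    """Which rule fired on which variable, the summed anomaly score, and whether it blocks."""
    events = [parse_event(line) for line in lines if "[id " in line]
    score = sum(SEVERITY_POINTS.get(e.get("severity"), 0) for e in events)
    return {"hits": [(e["id"], e["variable"], e["matched"], explain_941130(e["value"]))
                     for e in events],
            "score": score, "blocked": score >= INBOUND_THRESHOLD}
```

Running `triage(SAMPLE_LOG)` reports a single hit on `ARGS:referrer` whose matched text is the `.xhtml` file suffix, with a score of 5 that alone reaches the blocking threshold.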