owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Netscaler ns-client-ip false positive - 941100 libinjection #1723

Closed ghost closed 6 years ago

ghost commented 6 years ago

Our load balancer (Citrix Netscaler) appends a header "NS-Client-IP" to HTTP requests to track the true source IP from the web request. ModSecurity is flagging this as an issue and the matched data doesn't make any sense, so it appears to be a bug.

[Tue Nov 21 01:32:14 2017] [error] [client 10.1.1.1] ModSecurity: Warning. detected XSS using libinjection. [file "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: ns-client-ip found within ARGS:gid: Bp5TvJc0Anl onZWXteReQ=="] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "xxxx"] [uri "xxxx"] [unique_id "WhPyngoh4iwAAPQUhR4AAAAF"]

The modsec audit log shows the request like this:

```
[21/Nov/2017:01:32:15 --0800] WhPyngoh4iwAAPQUhR4AAAAF 10.1.1.1 14220 10.1.2.1 443
--6fad0e14-B--
POST /url/path HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows; Trident/4.0)
Accept-Encoding: gzip, deflate
Accept: /
Connection: Keep-Alive
Host: XXXX
Content-Length: 1454
NS-Client-IP: 10.1.1.250

--6fad0e14-C--
[stuff before]&gid=Bp5TvJc0Anl%2BonZWXteReQ%3D%3D&[stuff after]

--6fad0e14-F--
HTTP/1.0 200 OK
Content-Length: 24740
Connection: close
Content-Type: text/html;charset=UTF-8
```

ghost commented 6 years ago

Originally reported here: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/967

ghost commented 6 years ago

We confirmed the same issue in ModSecurity 2.9.2 release also.

victorhora commented 6 years ago

Hi @BP9906

Thanks for your report. But it seems like the issue is not with ModSecurity but rather with libInjection.

I've written a very simple program (libinjection_xss_test.c) to check this input against the latest codebase of libInjection and the FP still exists:


So unless some of those pull requests or issues already fix / cover this false positive, there's not much we can do on ModSecurity's side.

That being said, please let us know if you would like to help with this case by reporting the issue to libInjection's issue tracker and we can work together with the community to hopefully get this fixed in a future release.
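For operators who hit this false positive while the libInjection behaviour stands, here is an added example (not from this thread or the CRS project) of a narrowly scoped exclusion for rule 941100 on the `gid` parameter. The rule id 1000001 is a placeholder, and the `/url/path` prefix is the redacted path from the audit log above.

```apache
# Option A: config-time exclusion. Must come AFTER the CRS rules are
# included, because it edits rule 941100 once that rule has been defined.
# Removes only ARGS:gid from 941100; every other argument is still inspected.
SecRuleUpdateTargetById 941100 "!ARGS:gid"

# Option B: runtime exclusion limited to one path. Must come BEFORE the CRS
# rules, since the phase-1 ctl action has to run before 941100 (phase 2).
# Rule id 1000001 is a placeholder; use an id from your own local range.
SecRule REQUEST_URI "@beginsWith /url/path" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=941100;ARGS:gid"
```

A scoped exclusion keeps 941100 active for every other parameter and request; disabling the rule outright would remove the libInjection XSS check for the whole site.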