tfrce / thedaywefightback.js

Add a banner to your site in opposition to mass surveillance on 02/11
https://thedaywefightback.org
GNU General Public License v3.0

Banner cookie triggers ModSecurity rule #100

Open strangecode opened 10 years ago

strangecode commented 10 years ago

The following errors trigger for us with all page requests to our site after installing the banner:

Rule ID 981172:

[Tue Feb 11 16:42:50 2014] [error] [client 201.145.211.51] ModSecurity:  [file "/etc/httpd/modsecurity.d/activated_rules-owasp/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \\x22 found within REQUEST_COOKIES:thedaywefightback_locationb: {\\x22country\\x22:{\\x22iso_code\\x22:\\x22MX\\x22}}"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:thedaywefightback_locationb. [hostname "www.strangecode.com"] [uri "/favicon.ico"] [unique_id "LQyjpcCoZOQAAB34cGEAAAAP"]

Rule ID 981246:

[Tue Feb 11 16:45:53 2014] [error] [client 201.145.211.51] ModSecurity:  [file "/etc/httpd/modsecurity.d/activated_rules-owasp/modsecurity_crs_41_sql_injection_attacks.conf"] [line "239"] [id "981246"] [msg "Detects basic SQL authentication bypass attempts 3/3"] [data "Matched Data: \\x22country\\x22:{\\x22 found within REQUEST_COOKIES:thedaywefightback_locationb: {\\x22country\\x22:{\\x22iso_code\\x22:\\x22MX\\x22}}"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] Access denied with code 403 (phase 2). Pattern match "(?i:(?:in\\\\s*?\\\\(+\\\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w+]+(?:regexp\\\\s*?\\\\(|sounds\\\\s+like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]|[=\\\\d]+x))|([\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?\\\\d\\\\s*?(?:--|#)) ..." at REQUEST_COOKIES:thedaywefightback_locationb. [hostname "www.strangecode.com"] [uri "/favicon.ico"] [unique_id "N-8J8MCoZOQAAEFsPBAAAAAE"]

Rule ID 981243:

[Tue Feb 11 16:47:50 2014] [error] [client 201.145.211.51] ModSecurity:  [file "/etc/httpd/modsecurity.d/activated_rules-owasp/modsecurity_crs_41_sql_injection_attacks.conf"] [line "245"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "Matched Data: \\x22:{\\x22 found within REQUEST_COOKIES:thedaywefightback_locationb: {\\x22country\\x22:{\\x22iso_code\\x22:\\x22MX\\x22}}"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] Access denied with code 403 (phase 2). Pattern match "(?i:(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?\\\\*.+(?:x?or|div|like|between|and|id)\\\\W*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\d)|(?:\\\\^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:^[\\\\w\\\\s\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98-]+(?<=and\\\\s)(?<=or|xor ..." at REQUEST_COOKIES:thedaywefightback_locationb. [hostname "www.strangecode.com"] [uri "/favicon.ico"] [unique_id "Pu8NKcCoZOQAAEOgfDoAAAAH"]
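
A triage sketch for the log entries above, added here as an example and not part of the original issue or the project's code: it pulls the rule id and matched variable out of each ModSecurity entry, counts the characters from rule 981172's class in the cookie value, and emits `SecRuleUpdateTargetById` exclusions scoped to that one cookie. The sample log lines are constructed, abbreviated forms of the quoted entries, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated forms of the entries quoted in the issue
# (paths, timestamps and the long regex patterns are shortened), plus one unrelated line.
SAMPLE_LOG = r'''
[error] [client 203.0.113.7] ModSecurity: [id "981172"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] Access denied with code 403 (phase 2). Pattern match "(...){8,}" at REQUEST_COOKIES:thedaywefightback_locationb. [hostname "www.example.com"] [uri "/favicon.ico"]
[error] [client 203.0.113.7] ModSecurity: [id "981246"] [msg "Detects basic SQL authentication bypass attempts 3/3"] Access denied with code 403 (phase 2). Pattern match "(?i:...) ..." at REQUEST_COOKIES:thedaywefightback_locationb. [hostname "www.example.com"] [uri "/favicon.ico"]
[error] [client 203.0.113.7] ModSecurity: [id "981243"] [msg "Detects classic SQL injection probings 2/2"] Access denied with code 403 (phase 2). Pattern match "(?i:...) ..." at REQUEST_COOKIES:thedaywefightback_locationb. [hostname "www.example.com"] [uri "/favicon.ico"]
[error] [client 203.0.113.7] File does not exist: /var/www/html/robots.txt
'''
# Cookie value as it appears in the log data once \x22 is decoded to a double quote.
COOKIE_VALUE = '{"country":{"iso_code":"MX"}}'

ID_RE = re.compile(r'\[id "(\d+)"\]')
TARGET_RE = re.compile(r' at ([A-Z_]+:[\w-]+)\. \[')
# ASCII members of rule 981172's character class as shown in the log; the three
# non-ASCII quote characters are left out (assumption: irrelevant for this cookie).
SPECIALS = set('~!@#$%^&*()-+={}[]|:;"\'`<>')
THRESHOLD = 8  # the {8,} quantifier in the rule's pattern


def blocked_targets(log_text):
    """Map each variable that caused a block to the sorted rule ids that matched it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rule, target = ID_RE.search(line), TARGET_RE.search(line)
        if "ModSecurity:" in line and rule and target:
            hits[target.group(1)].add(rule.group(1))
    return {t: sorted(ids) for t, ids in hits.items()}


def special_char_count(value):
    """Count characters that rule 981172 treats as SQL-special."""
    return sum(ch in SPECIALS for ch in value)


def exclusions(hits):
    """One directive per (rule, variable): the rule stays active for every other input."""
    return [f'SecRuleUpdateTargetById {rid} "!{target}"'
            for target, ids in sorted(hits.items()) for rid in ids]


if __name__ == "__main__":
    n = special_char_count(COOKIE_VALUE)
    print(f"{n} special characters (threshold {THRESHOLD}): plain JSON trips the rule")
    print("\n".join(exclusions(blocked_targets(SAMPLE_LOG))))
```

The emitted directives belong in a file loaded after the CRS rule files, because `SecRuleUpdateTargetById` modifies rules that are already defined.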