SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page:https://modsecurity.org/crs

XSS attack detection for session id in cookie

kumaranubhaw opened this issue · comments

Description of bug

I am using the Rails application.

Rails generates a session id, consisting of random alphanumeric characters, which is stored in a cookie in the browser. When a new request is made to the server, the session id is used and a new session is generated and stored in the cookie.

The session id can be any alphanumeric characters and symbols, so it should not be detected as an XSS attack if a pattern matches within the session id.

When using ModSecurity with the Apache server, an XSS attack is detected by the ModSecurity rule set.
Example 1:
If the generated session id contains "on (some characters) =" anywhere in the string, this is detected as an XSS attack by
filename: modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
ID: 941120
msg: XSS Filter - Category 2: Event Handler Vector
Matched Data: 5onZYw= found within REQUEST_COOKIES:_(application name)_session: yhlEE9aCgujgWYbJs7yXKrF...qG3SU5onZYw%3D%3D

Example 2:
XSS data found within the session id
filename: modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
ID: 941100
msg: XSS Attack Detected via libinjection
Matched Data: XSS data found within REQUEST_COOKIES:_(application name)_session: JiyAQb1h1Y5rnz...

Steps to reproduce

Reproduced only when session id contains the matching criteria.

Expected behaviour

The session id can be any alphanumeric characters, so it should not be detected as an XSS attack.

Actual behaviour

The request is blocked if the session id contains any matching criteria.

Your Environment

  • rails 5.2.0
  • CRS version v3.2.0
  • Paranoia level setting: 1
  • ModSecurity version: 2.9.2
  • Web Server and version: apache 2.4.29
  • Operating System and version: Ubuntu 18.04.3

Is there any way to skip the pattern matching for session string in cookie?

I got a reply to the same issue I created in ModSecurity. I am pasting the reply here and closing the issue.

Yes, you can indeed skip particular rules for a particular variable causing a false positive. When using a generic rule set -- you appear to be using the OWASP Core Rule Set (CRS) -- it is pretty common to need to do some such specific exclusions.
A common strategy in cases like yours is to exclude specific variables from the rule.
One option is to exclude your particular cookie directly in the rule. Rule 941120 already does one such exclusion for a cookie pattern ( !REQUEST_COOKIES:/__utm/ ). If you want, you could simply expand that exclusion notation so that your cookie false positive is handled the same way.
A second option is to create a separate rule (possibly testing a url) that has ctl:ruleRemoveTargetById as an action.

The best idea is to exclude the particular cookie directly in the rule.
I just excluded the cookie pattern (!REQUEST_COOKIES:_(application name)_session) and that works fine.
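Both exclusion options from the reply above, written out as an added example (not configuration from the issue or from the CRS project). The cookie name `_myapp_session` stands in for the reporter's `_(application name)_session`, and rule id 10001 is a placeholder from the range CRS leaves free for local rules; only one of the two options is needed.

```apache
# Option A: configuration-time target exclusion.
# Goes in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, which is loaded after the
# CRS rule files, so the shipped 941 rules stay untouched and the exclusion
# survives a CRS upgrade. It has the same effect as the existing
# !REQUEST_COOKIES:/__utm/ target in rule 941120, applied here to the Rails
# session cookie for both rules that fired in the report (941100 and 941120).
# Excluding only the named cookie keeps every other cookie, and the cookie
# names themselves (REQUEST_COOKIES_NAMES), under inspection.
SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:_myapp_session"
SecRuleUpdateTargetById 941120 "!REQUEST_COOKIES:_myapp_session"

# Option B: runtime exclusion with ctl:ruleRemoveTargetById.
# Goes in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, which is loaded before
# the CRS rule files. The cookie is removed from the two rules' targets only for
# requests matching the condition; "@beginsWith /" covers the whole site, and
# the prefix can be narrowed if only part of the application sets this cookie.
# id:10001 is a local placeholder id, not a CRS rule id.
SecRule REQUEST_URI "@beginsWith /" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941100;REQUEST_COOKIES:_myapp_session,\
    ctl:ruleRemoveTargetById=941120;REQUEST_COOKIES:_myapp_session"
```

After a reload, the audit log should no longer show 941100/941120 matches whose Matched Data is the `_myapp_session` value, while matches on other cookies and on request arguments continue as before.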

Thank you for reporting back.