SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page: https://modsecurity.org/crs

XSS Attack Detected via libinjection for AWS AWSALBCORS Cookie

frankyhun opened this issue · comments

Description

libinjection detects XSS Attack in the AWS AWSALBCORS Cookie, and blocks harmless requests.

Audit Logs / Triggered Rule Numbers

---O4A1GJgF---A--
[30/Mar/2020:04:26:00 +0000] 158554236078.061819 0
---O4A1GJgF---B--
POST /oauth/token HTTP/1.1
Accept: application/json, application/*+json
X-Span-Name: https:/oauth/token
Content-Length: 94
b3: 779cec51b5c99a01-779cec51b5c99a01-0
X-Forwarded-Port: 443
X-Amzn-Trace-Id: Root=1-5e8174d8-9f586f0037986e007de2cf80
Authorization: Basic
Host:
X-B3-SpanId: 779cec51b5c99a01
Content-Type: application/x-www-form-urlencoded
X-Forwarded-Proto: https
User-Agent: Apache-HttpClient/4.5.9 (Java/1.8.0_212)
X-Forwarded-For:
X-B3-TraceId: 779cec51b5c99a01
X-B3-Sampled: 0
Cookie: AWSALB=PWOhL14py8Wi+FMWQxerjk4XFirhKd457flcD+95U90WpVH1VOdwKE/HeJ+3Mjfd4Tt861Hh+vY7cEYSPJ0I1xs+3XaXNZtlpTFCDCJd7psj/K7Hbb+T+THELV3ISsCQ1is4wS4m4M7ROnNQDTYWMWpbbQgIVx3lw9ZYF1Cm+Ong1VE1igIhX7bSV9ylSA==; AWSALBCORS=PWOhL14py8Wi+FMWQxerjk4XFirhKd457flcD+95U90WpVH1VOdwKE/HeJ+3Mjfd4Tt861Hh+vY7cEYSPJ0I1xs+3XaXNZtlpTFCDCJd7psj/K7Hbb+T+THELV3ISsCQ1is4wS4m4M7ROnNQDTYWMWpbbQgIVx3lw9ZYF1Cm+Ong1VE1igIhX7bSV9ylSA==
Accept-Encoding: gzip,deflate

---O4A1GJgF---F--
HTTP/1.1 403
Server: nginx
Date: Mon, 30 Mar 2020 04:26:00 GMT
Connection: keep-alive

---O4A1GJgF---H--
ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/nginx/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within REQUEST_COOKIES:AWSALBCORS: PWOhL14py8Wi FMWQxerjk4XFirhKd457flcD 95U90WpVH1VOdwKE/HeJ 3Mjfd4Tt861Hh vY7cEYSPJ0I1xs 3XaXNZtlpTFCDCJd7psj/K7Hbb T THELV3ISsCQ1is4wS4m (56 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/oauth/token"] [unique_id "158554236078.061819"] [ref "v662,192t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullsv867,192t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

---O4A1GJgF---I--

---O4A1GJgF---J--

---O4A1GJgF---K--

---O4A1GJgF---Z--

Your Environment

  • CRS version: CRS 3.2.0
  • Paranoia level setting: 1
  • ModSecurity version: 3.0.4
  • Web Server and version: nginx 1.17.8
  • Operating System and version: Amazon linux 2

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

As the cookie arrives at libinjection it is reformatted as:

REQUEST_COOKIES:AWSALBCORS: PWOhL14py8Wi FMWQxerjk4XFirhKd457flcD 95U90WpVH1VOdwKE/HeJ 3Mjfd4Tt861Hh vY7cEYSPJ0I1xs 3XaXNZtlpTFCDCJd7psj/K7Hbb T THELV3ISsCQ1is4wS4m ...

So the + signs are replaced with spaces.

libinjection's XSS detector flags Ong1VE1igIhX7bSV9ylSA== as a black attribute in the method is_black_attr, because its length is >= 5 and it begins with ON (case insensitive).

Looks like exactly this change should have fixed this issue:
client9/libinjection@ceb2895

Is the libinjection project abandoned?
If the pull request client9/libinjection#143 were merged, the issue would be solved.

@zimmerle, @martinhsv: looks like you have to maintain libinjection on your own.
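The decode-then-tokenize path described in the issue, reproduced as an added example; this is my own illustration, not code from the original issue, from libinjection or from the CRS. It assumes the cookie header from the audit log above as input, models t:urlDecodeUni with Python's form-decoding (which is what turns `+` into a space), stands in for libinjection's HTML5 tokenizer with a plain whitespace split, and implements only the `on*` branch of is_black_attr that the issue names (the function names `url_decode_uni`, `is_black_attr`, `suspicious_tokens` and `flagged_cookies` are mine).

```python
from __future__ import annotations

import urllib.parse

# Constructed sample: the Cookie header from the audit log in this issue.
# Both cookies carry the same opaque, base64-looking ALB value.
ALB_VALUE = (
    "PWOhL14py8Wi+FMWQxerjk4XFirhKd457flcD+95U90WpVH1VOdwKE/HeJ+3Mjfd4Tt861Hh"
    "+vY7cEYSPJ0I1xs+3XaXNZtlpTFCDCJd7psj/K7Hbb+T+THELV3ISsCQ1is4wS4m4M7ROnNQ"
    "DTYWMWpbbQgIVx3lw9ZYF1Cm+Ong1VE1igIhX7bSV9ylSA=="
)
COOKIE_HEADER = f"AWSALB={ALB_VALUE}; AWSALBCORS={ALB_VALUE}"


def url_decode_uni(value: str) -> str:
    """Approximation of ModSecurity's t:urlDecodeUni for this input: %XX escapes
    are decoded and '+' becomes a space, as in application/x-www-form-urlencoded.
    (Assumption: the %uXXXX handling of the real transformation is not needed here.)"""
    return urllib.parse.unquote_plus(value)


def is_black_attr(name: str) -> bool:
    """Simplified model of the libinjection branch the issue describes: an attribute
    name of five or more characters starting with "on" (case-insensitive) is treated
    as a JavaScript event-handler attribute such as onclick or onerror.
    Assumption: this models only that branch, not libinjection's full attribute table."""
    return len(name) >= 5 and name[:2].lower() == "on"


def suspicious_tokens(decoded: str) -> list[str]:
    """Split the decoded value on whitespace (a stand-in for the tokenizer; the log
    shows libinjection receiving the value with spaces where '+' used to be) and
    return every token that trips the attribute-name check."""
    return [tok for tok in decoded.split() if is_black_attr(tok)]


def parse_cookie_header(header: str) -> dict[str, str]:
    """Minimal Cookie header parser; partition on the first '=' so that base64
    padding ('==') at the end of a value is preserved."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, _, value = part.partition("=")
            cookies[name] = value
    return cookies


def flagged_cookies(header: str) -> dict[str, list[str]]:
    """Map each cookie name to the tokens that would be reported as a black
    attribute after the urlDecodeUni step. Empty dict means no false positive."""
    result: dict[str, list[str]] = {}
    for name, raw in parse_cookie_header(header).items():
        tokens = suspicious_tokens(url_decode_uni(raw))
        if tokens:
            result[name] = tokens
    return result


if __name__ == "__main__":
    # Both ALB cookies are flagged, and only because of the '+' -> ' ' decode:
    # the same value checked without that step yields no token starting with "on".
    for cookie, tokens in flagged_cookies(COOKIE_HEADER).items():
        print(f"{cookie}: {tokens}")
    print("without urlDecodeUni:", suspicious_tokens(ALB_VALUE))
```

Note that the `ref` field of the logged event lists two variable offsets (`v662` and `v867`), so both AWSALB and AWSALBCORS match even though the `data` field shows only the first; the example reports both. Until libinjection is fixed, the CRS-side mitigation is a target exclusion loaded after the rules, for example `SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:AWSALBCORS"` (and the same for AWSALB) in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, which removes only those two cookies from rule 941100 rather than disabling the rule.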