Hey Jakub,
On Wed, Feb 01, 2023 at 01:13:36AM -0800, Jakub Kuchar wrote:
> running on OWASP ModSecurity Core Rule Set ver.3.3.4
> using froala WYSIWYG editor and POSTing its content resulting in block by
> 941160 rule in REQUEST-941-APPLICATION-ATTACK-XSS.conf
>
> which i do totally understand why, since there is *style= font-size: 20px;*
>
> Question here how others deal with WYSIWYG editors ?
I guess people just deal with the FPs one at a time.
> - yes, i can write SecRule
> with ctl:ruleRemoveTargetById=941160;ARGS:json.variables.input.content.body
> but that also means i am opening doors to attacks such as <iframe etc...
There is only an attack if the editor has a weakness. And actually, the full
set of WAF rules does not mean complete protection anyways. What CRS gives you
is a decent coverage, higher at higher paranoia levels. Taking out a single
rule for a single parameter adds a tiny attack window, but it's absolutely
not the only attack window you have. A WAF is never comprehensive.
So don't worry too much. Raising the paranoia level would be far more
effective than trying to work around this single false positive.
> - in my scenario, i think after some work i can maybe also narrow it
> down what user can do and cannot do in froala editor, most complex thing is
> user copy pasting from other sources such as word and excel, which froala
> translates to html, so i was thinking maybe i could only open doors to *style
> *and some perhaps some more, but how ?
You would have to inspect (-> Allowlist!) the
ARGS:json.variables.input.content.body and then depending on the result
of the inspection issue your rule exclusion ctl statement.
But as explained above, this is far too much work, probably not the only
FP in the long run and it gives you a false sense of security.
Better invest your resources into a higher paranoia level or other means
of defense.
Best,
Christian
>
>
> [error] 9#9: *5 [client 127.0.0.1] ModSecurity: Access denied with code
> 403 (phase 2). Matched "Operator `Rx' with parameter
> `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d
> (3146 characters omitted)' against variable
> `ARGS:json.variables.input.content.body' (Value: `<p><span
> style="font-size: 20px;">test</span></p>' ) [file
> "/etc/nginx/conf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line
> "181"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML
> Injection"] [data "Matched Data: <p><span style= found within
> ARGS:json.variables.input.content.body: <p><span style=\x22font-size:
> 20px;\x22>test</span></p>"] [severity "2"] [ver "OWASP_CRS/3.3.4"]
> [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag
> "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag
> "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname
> "127.0.0.1"] [uri "/api/graphql"] [unique_id "167524006881.783794"] [ref
> "o0,15v34,49t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"],
> client: 127.0.0.1, server:
b2bcompany.lvh.me, request: "POST /api/graphql
> HTTP/1.1", host: "
app.lvh.me", referrer: "
http://app.lvh.me/"
>
> --
> You received this message because you are subscribed to the Google Groups "ModSecurity Core Rule Set project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
modsecurity-core-rule-...@owasp.org.
> To view this discussion on the web visit
https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/b2f2222d-f326-473a-bc80-e237d1c8fb64n%40owasp.org.