Issue with utm_source marked as critical
Hello guys
I found a list of 6 hits from the same IP at the same datetime that opened the store web site:
Severity Critical | Status 403 | 941100: XSS Attack Detected via libinjection
Request: GET /?utm_source=official%20store&utm_medium=bshop&utm_campaign=o_w_s
Action Description: Warning.
Justification: detected XSS using libinjection.
Severity Critical | Status 403 | 949110: Inbound Anomaly Score Exceeded (Total Score: 5)
Request: GET /?utm_source=official%20store&utm_medium=bshop&utm_campaign=o_w_s
Action Description: Access denied with code 403 (phase 2).
Justification: Operator GE matched 5 at TX:anomaly_score.
Severity - | Status 403 | 980130: Inbound Anomaly Score Exceeded (Total InboundScore: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Attack Detected via libinjection
Request: GET /?utm_source=official%20store&utm_medium=bshop&utm_campaign=o_w_s
Action Description: Warning.
Justification: Operator GE matched 5 at TX:inbound_anomaly_score.
Severity Critical | Status 403 | 941100: XSS Attack Detected via libinjection
Request: GET /favicon.ico
Action Description: Warning.
Justification: detected XSS using libinjection.
Severity Critical | Status 403 | 949110: Inbound Anomaly Score Exceeded (Total Score: 5)
Request: GET /favicon.ico
Action Description: Access denied with code 403 (phase 2).
Justification: Operator GE matched 5 at TX:anomaly_score.
Severity - | Status 403 | 980130: Inbound Anomaly Score Exceeded (Total InboundScore: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Attack Detected via libinjection
Request: GET /favicon.ico
Action Description: Warning.
Justification: Operator GE matched 5 at TX:inbound_anomaly_score.
But the GET seems fine, without any issue... :/ ??
Thanks for any help / suggestion.
To me this looks like ModSecurity, and something triggered a ruleset. If this was genuine traffic, then you may have to fine tune ModSec, to make it work for you. All ModSecurity rulesets don't suit everyone, some may trigger false positives. If it was actually malicious, then I'd say ModSec did its job.
@webstyler The entries you posted are from 2 requests...

Request 1). GET /?utm_source=official%20store&utm_medium=bshop&utm_campaign=o_w_s
Rule 941100 was a match. This rule loaded the Inbound anomaly score with 5 points. Rule 949110 then read the anomaly score, found it to be equal or above the number 5, so denied the request. Rule 980130 then logged some accumulated info about the ruleset's actions for this request.

Request 2). GET /favicon.ico
Rule 941100 was a match. This rule loaded the Inbound anomaly score with 5 points. Rule 949110 then read the anomaly score, found it to be equal or above the number 5, so denied the request. Rule 980130 then logged some accumulated info about the ruleset's actions for this request.

Clearly it was not the Request String that triggered rule 941100, especially on the request for /favicon.ico. The rule starts like this...

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectXSS"

It sends... ARGS_NAMES, ARGS, REQUEST_COOKIES_NAMES, REQUEST_COOKIES, REQUEST_HEADERS:Referer, REQUEST_HEADERS:User-Agent, XML:/* to the @detectXSS operator, which is the libinjection utility. One of these values triggered libinjection.

To understand what did trigger rule 941100 you will need to look at the log at... /usr/local/apache/logs/modsec_audit.log
It has much greater detail. To find the log for the request you are looking for, use the timestamp which would have been with the entries you posted. For example, if the timestamp was :16:13:13 then open a terminal as root and issue the following command...

grep -A 50 -B 2 "\:16\:13\:13" /usr/local/apache/logs/modsec_audit.log

It will give you 50 lines of the log. If, as you said, there were more than 1 entry with the same datetime then grep should return 50 lines for each request with that timestamp. Then within the log lines retrieved search for...

Message: Warning. detected XSS using libinjection

This line will contain a "[data "Matched Data: XSS data found within..." section. It will tell you which part of the request contained the match and what the matching data was.
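The lookup described in the answer above, as an added example that is not part of the original thread: a small parser for the ModSecurity serial audit log that selects entries by timestamp and pulls the rule id and the "Matched Data ... found within <variable>" part out of each section H message, so the variable that fired 941100 on both requests (the store page and /favicon.ico) can be read off directly. The log text, boundary, ids, addresses, cookie name and matched value below are constructed placeholders.

```python
import re
from collections import Counter

# Constructed ModSecurity serial audit log (two entries, same second). The boundary,
# ids, addresses, cookie name and matched value are placeholders, not real data.
SAMPLE_AUDIT_LOG = """--4f2a1c9b-A--
[22/Jan/2020:16:13:13 +0000] Xih@placeholderid0001 198.51.100.7 51234 203.0.113.10 443
--4f2a1c9b-B--
GET /?utm_source=official%20store&utm_medium=bshop&utm_campaign=o_w_s HTTP/1.1
Cookie: session_hint=<placeholder-value>
--4f2a1c9b-H--
Message: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within REQUEST_COOKIES:session_hint: <placeholder-value>"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--4f2a1c9b-Z--
--4f2a1c9b-A--
[22/Jan/2020:16:13:13 +0000] Xih@placeholderid0002 198.51.100.7 51235 203.0.113.10 443
--4f2a1c9b-B--
GET /favicon.ico HTTP/1.1
Cookie: session_hint=<placeholder-value>
--4f2a1c9b-H--
Message: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within REQUEST_COOKIES:session_hint: <placeholder-value>"] [severity "CRITICAL"]
--4f2a1c9b-Z--
"""

ENTRY_RE = re.compile(r"--(?P<b>[0-9a-f]+)-A--\n(?P<body>.*?)\n--(?P=b)-Z--", re.S)
SECTION_RE = re.compile(r"--[0-9a-f]+-([B-Y])--\n")
DATA_RE = re.compile(r'\[id "(\d+)"\].*?\[data "Matched Data: (.*?) found within ([^\s]+?): ')

def find_matches(log_text, timestamp):
    """Return (request_line, rule_id, variable, detector_text) for every rule match
    in audit entries whose section A timestamp contains `timestamp` (e.g. ':16:13:13')."""
    results = []
    for entry in ENTRY_RE.finditer(log_text):
        parts = SECTION_RE.split(entry.group("body"))  # section A text, then (letter, text) pairs
        header, sections = parts[0], dict(zip(parts[1::2], parts[2::2]))
        if timestamp not in header:
            continue
        request_line = sections.get("B", "").splitlines()[0]
        for message in sections.get("H", "").splitlines():
            hit = DATA_RE.search(message)
            if hit:  # lines without [data ...] (e.g. 949110) name no matched variable
                results.append((request_line, hit.group(1), hit.group(3), hit.group(2)))
    return results

def variables_by_frequency(matches):
    """Count which variable triggered each rule; a variable hit on every request
    (including /favicon.ico) is the candidate for a targeted rule exclusion."""
    return Counter((rule_id, variable) for _, rule_id, variable, _ in matches)
```

When the same variable shows up for every request, a targeted exclusion such as `SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:session_hint"` (ModSecurity 2.x syntax, cookie name here is the placeholder) removes only that variable from the rule instead of disabling 941100 outright.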