This repository has been archived by the owner on May 14, 2020. It is now read-only.

Netscaler ns-client-ip false positive - 941100 libinjection #967

Closed

brianp9906 opened this issue Nov 21, 2017 · 3 comments


brianp9906 commented Nov 21, 2017

Our load balancer (Citrix Netscaler) appends a header "NS-Client-IP" to HTTP requests to track the true source IP from the web request. ModSecurity is flagging this as an issue and the matched data doesn't make any sense, so it appears to be a bug.

[Tue Nov 21 01:32:14 2017] [error] [client 10.1.1.1] ModSecurity: Warning. detected XSS using libinjection. [file "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: ns-client-ip found within ARGS:gid: Bp5TvJc0Anl onZWXteReQ=="] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "xxxx"] [uri "xxxx"] [unique_id "WhPyngoh4iwAAPQUhR4AAAAF"]

The modsec audit log shows the request like this:

```
[21/Nov/2017:01:32:15 --0800] WhPyngoh4iwAAPQUhR4AAAAF 10.1.1.1 14220 10.1.2.1 443
--6fad0e14-B--
POST /url/path HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows; Trident/4.0)
Accept-Encoding: gzip, deflate
Accept: /
Connection: Keep-Alive
Host: XXXX
Content-Length: 1454
NS-Client-IP: 10.1.1.250

--6fad0e14-C--
[stuff before]&gid=Bp5TvJc0Anl%2BonZWXteReQ%3D%3D&[stuff after]

--6fad0e14-F--
HTTP/1.0 200 OK
Content-Length: 24740
Connection: close
Content-Type: text/html;charset=UTF-8
```

lifeforms (Contributor) commented Nov 21, 2017

Hi! This alert is triggered because of the onZWXteReQ string which is seen by libinjection as a generic HTML event handler attribute. It's been discussed earlier in #820 and #663.

It should hopefully have been addressed in libinjection by client9/libinjection#118, but I am NOT sure if this newest libinjection version is already bundled with ModSecurity.

In any case, if you are running a ModSecurity version below 2.9.2, please try updating to ModSecurity 2.9.2 first.

If it is still present in ModSecurity 2.9.2, then ModSecurity should update its bundled libinjection library. In that case, please open an issue on the https://github.com/SpiderLabs/ModSecurity issue tracker, and then hopefully it will be addressed in ModSecurity 2.9.3.

For now, you can temporarily add an exclusion for the gid query parameter like:

```apache
# Unconditional phase-1 rule: stop rule 941100 from inspecting ARGS:gid.
# No whitespace is allowed after "=" in the ctl action.
SecAction \
    "id:12345,phase:1,t:none,nolog,pass,\
    ctl:ruleRemoveTargetById=941100;ARGS:gid"
```
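A narrower variant of that exclusion, added here as an illustration and not taken from the thread or from CRS: instead of removing `ARGS:gid` from rule 941100 for every request, it applies only to the endpoint that actually carries the base64 `gid` value. It assumes rule id 12346 is unused in your configuration and takes the path `/url/path` from the audit log above; adjust both to your environment.

```apache
# Added example, not part of the original issue.
# Scope the target exclusion to the one POST endpoint seen in the audit log,
# so rule 941100 still inspects ARGS:gid everywhere else.
# Assumptions: rule id 12346 is free; /url/path is the affected endpoint.
# Must be loaded before the CRS rule files so the phase-1 ctl takes effect.
SecRule REQUEST_URI "@beginsWith /url/path" \
    "id:12346,\
    phase:1,\
    t:none,\
    nolog,\
    pass,\
    ctl:ruleRemoveTargetById=941100;ARGS:gid"
```

`ctl:ruleRemoveTargetById` only detaches the named target from the one rule, so the other CRS XSS signatures keep evaluating `ARGS:gid` and anomaly scoring is otherwise unaffected. Once a libinjection build with the fix is bundled in ModSecurity, the exclusion can be removed.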

victorhora (Contributor) commented

@lifeforms I'm afraid this hasn't been fixed in libInjection yet. Please see owasp-modsecurity/ModSecurity#1723 (comment)

lifeforms (Contributor) commented

@victorhora You are right, it's still an issue in libinjection it seems. I'll close this issue since we already have #820 which is the same issue. I'll keep that bug open to keep track of it. Thanks!
