Netscaler ns-client-ip false positive - 941100 libinjection #1723

Closed
ghost opened this issue Mar 26, 2018 · 3 comments
Assignees: victorhora
Labels: 2.x (Related to ModSecurity version 2.x), 3.x (Related to ModSecurity version 3.x), RIP - Type - Usage (Related with usage (not a bug))

Comments

ghost commented Mar 26, 2018

Our load balancer (Citrix Netscaler) appends a header "NS-Client-IP" to HTTP requests to track the true source IP of the web request. ModSecurity is flagging this as an issue and the matched data doesn't make any sense, so it appears to be a bug.

[Tue Nov 21 01:32:14 2017] [error] [client 10.1.1.1] ModSecurity: Warning. detected XSS using libinjection. [file "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: ns-client-ip found within ARGS:gid: Bp5TvJc0Anl onZWXteReQ=="] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "xxxx"] [uri "xxxx"] [unique_id "WhPyngoh4iwAAPQUhR4AAAAF"]

The modsec audit log shows the request like this:

```
[21/Nov/2017:01:32:15 --0800] WhPyngoh4iwAAPQUhR4AAAAF 10.1.1.1 14220 10.1.2.1 443
--6fad0e14-B--
POST /url/path HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows; Trident/4.0)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: Keep-Alive
Host: XXXX
Content-Length: 1454
NS-Client-IP: 10.1.1.250

--6fad0e14-C--
[stuff before]&gid=Bp5TvJc0Anl%2BonZWXteReQ%3D%3D&[stuff after]

--6fad0e14-F--
HTTP/1.0 200 OK
Content-Length: 24740
Connection: close
Content-Type: text/html;charset=UTF-8
```


ghost commented Mar 26, 2018

Originally reported here: SpiderLabs/owasp-modsecurity-crs#967


ghost commented Mar 26, 2018

We confirmed the same issue in ModSecurity 2.9.2 release also.

@victorhora victorhora self-assigned this Mar 26, 2018
@victorhora victorhora added 2.x Related to ModSecurity version 2.x 3.x Related to ModSecurity version 3.x RIP - Type - Usage Related with usage (not a bug) labels Sep 13, 2018
victorhora (Contributor) commented

Hi @BP9906

Thanks for your report. But it seems like the issue is not with ModSecurity but rather with libInjection.

I've written a very simple program (libinjection_xss_test.c) to check this input against the latest codebase of libInjection and the FP still exists:

[screenshot: output of libinjection_xss_test.c showing the input still flagged as XSS]

So unless some of those pull requests or issues already fixes / covers this false positive, there's not much we can do on ModSecurity's side.

That being said, please let us know if you would like to help with this case by reporting the issue to libInjection's issue tracker and we can work together with the community to hopefully get this fixed in a future release.
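Since the issue was closed as a usage question rather than a ModSecurity bug, the practical follow-up for an operator is a rule exclusion scoped as narrowly as possible. The following Python helper is an added example, not code from this issue, from ModSecurity, CRS or libinjection: it parses a ModSecurity 2.x error-log line like the one quoted above, extracts the rule id, the matching variable and the matched value, applies a base64-shape heuristic to the value, and emits the two exclusion directives an operator would review. The sample log line is constructed from the entry in this issue (the redacted hostname and uri are filled with a placeholder host and the path from the audit-log section), the local rule id 10001 is an arbitrary choice, and the assumption that the space in the logged value is a '+' turned into a space by t:urlDecodeUni is the author's, not something the issue states.

```python
"""Triage helper for a ModSecurity/CRS false positive of the kind reported above.

Constructed example: parses a ModSecurity 2.x error-log line, pulls out the
rule id, the variable that matched and the matched value, applies a simple
base64 heuristic, and emits the rule-exclusion directives an operator would
review before deploying. Not part of ModSecurity, CRS or libinjection.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample based on the error-log entry quoted in this issue; the
# redacted hostname and uri are replaced with a placeholder host and the path
# shown in the audit-log section.
SAMPLE_LOG_LINE = (
    '[Tue Nov 21 01:32:14 2017] [error] [client 10.1.1.1] ModSecurity: Warning. '
    'detected XSS using libinjection. [file "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] '
    '[data "Matched Data: ns-client-ip found within ARGS:gid: Bp5TvJc0Anl onZWXteReQ=="] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [tag "application-multi"] '
    '[tag "attack-xss"] [hostname "www.example.com"] [uri "/url/path"] '
    '[unique_id "WhPyngoh4iwAAPQUhR4AAAAF"]'
)

# ModSecurity 2.x writes most fields as [key "value"]; the leading
# [date] [error] [client ip] groups carry no quoted value and are skipped.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# CRS "data" field shape: Matched Data: <what> found within <VARIABLE[:name]>: <value>
DATA_RE = re.compile(
    r"Matched Data: (?P<match>.*?) found within (?P<target>\S+?): (?P<value>.*)$"
)


def parse_error_line(line: str) -> Dict[str, object]:
    """Return the [key "value"] fields of one error-log line as a dict.

    Repeated "tag" fields are collected in a list; the "data" field is split
    into matched/target/value when it has the CRS "Matched Data" shape.
    """
    fields: Dict[str, str] = {}
    tags: List[str] = []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)
        else:
            fields[key] = value
    entry: Dict[str, object] = dict(fields)
    entry["tags"] = tags
    m = DATA_RE.search(fields.get("data", ""))
    if m:
        entry["matched"] = m.group("match")
        entry["target"] = m.group("target")
        entry["value"] = m.group("value")
    return entry


def looks_like_base64(value: str) -> bool:
    """Heuristic: does the logged value decode as a well-formed base64 token?

    ARGS are already URL-decoded by the body processor; rule 941100 then applies
    t:urlDecodeUni again, which turns a literal '+' into a space. That would
    explain why the issue's log shows "Bp5TvJc0Anl onZWXteReQ==" for the raw
    "Bp5TvJc0Anl%2BonZWXteReQ%3D%3D". Restoring the '+' here is an assumption
    about that pipeline, not something the issue states.
    """
    candidate = value.replace(" ", "+")
    if len(candidate) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", candidate):
        return False
    try:
        base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def global_exclusion(entry: Dict[str, object]) -> str:
    """CRS-style exclusion: stop rule <id> from inspecting <target> on every request."""
    return f'SecRuleUpdateTargetById {entry["id"]} "!{entry["target"]}"'


def scoped_exclusion(entry: Dict[str, object], local_id: int) -> str:
    """Runtime exclusion limited to the request path seen in the log entry.

    local_id must come from the range ModSecurity reserves for local rules
    (1-99,999); the default used by triage() below is an arbitrary assumption.
    """
    return (
        f'SecRule REQUEST_URI "@beginsWith {entry["uri"]}" '
        f'"id:{local_id},phase:1,pass,nolog,'
        f'ctl:ruleRemoveTargetById={entry["id"]};{entry["target"]}"'
    )


def triage(line: str, local_id: int = 10001) -> Optional[Dict[str, str]]:
    """Propose exclusions for a hit whose matched value is base64-shaped; None otherwise."""
    entry = parse_error_line(line)
    if "target" not in entry or not looks_like_base64(str(entry["value"])):
        return None
    return {
        "rule_id": str(entry["id"]),
        "target": str(entry["target"]),
        "global": global_exclusion(entry),
        "scoped": scoped_exclusion(entry, local_id),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG_LINE)
    if result is None:
        print("no base64-shaped match; review manually")
    else:
        for key, directive in result.items():
            print(f"{key}: {directive}")
```

Placement matters for both directives in CRS 3.x: SecRuleUpdateTargetById must be loaded after the rule it modifies (the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf slot), while the ctl:ruleRemoveTargetById rule runs in phase 1 and must be loaded before the CRS rule set (the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf slot). Prefer the scoped form: either one makes 941100 blind to the gid parameter, so confirm that the backend never reflects gid into a response before deploying it.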
