Form data "会社" ("Company" in Japanese) is forbidden by REQUEST-941-APPLICATION-ATTACK-XSS.conf of mod_security_crs-3.3.0-2.el8.

Solution Verified - Updated -

Issue

  • Form data "会社" ("Company" in Japanese) is forbidden by REQUEST-941-APPLICATION-ATTACK-XSS.conf of mod_security_crs-3.3.0-2.el8.

Sample /var/log/httpd/error_log with mod_security_crs-3.3.4-1.el8 (RHEL8.8):

[Wed Nov 15 12:08:12.322684 2023] [:error] [pid 1624:tid 140610828715776] [client 192.168.122.1:34524] [client 192.168.122.1] ModSecurity: Warning. Pattern match "\\\\xbc[^\\\\xbe>]*[\\\\xbe>]|<[^\\\\xbe]*\\\\xbe" at ARGS:testdata. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "547"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \\xbc\\x9a\\xe7\\xa4\\xbe found within ARGS:testdata: \\xe4\\xbc\\x9a\\xe7\\xa4\\xbe"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "www.example.com"] [uri "/test.html"] [unique_id "ZVQ2HDPCAYDXKz-9rSm6aQAAAE8"], referer: http://www.example.com/test-form.html
[Wed Nov 15 12:08:12.322911 2023] [:error] [pid 1624:tid 140610828715776] [client 192.168.122.1:34524] [client 192.168.122.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "153"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.example.com"] [uri "/test.html"] [unique_id "ZVQ2HDPCAYDXKz-9rSm6aQAAAE8"], referer: http://www.example.com/test-form.html
[Wed Nov 15 12:08:12.323163 2023] [:error] [pid 1624:tid 140610828715776] [client 192.168.122.1:34524] [client 192.168.122.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"] [hostname "www.example.com"] [uri "/test.html"] [unique_id "ZVQ2HDPCAYDXKz-9rSm6aQAAAE8"], referer: http://www.example.com/test-form.html
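
The 941310 entry above can be triaged by decoding its [data] field back into the submitted bytes and re-running the logged pattern on them. The Python below is an added example, not part of the original article or of the CRS project; the function names are illustrative, and the rule's transformations are not modelled.

```python
import re

# Pattern of CRS rule 941310 as logged above, with the log's escaping removed.
# Assumption: transformations are not modelled; it runs on the raw bytes.
RULE_941310 = re.compile(rb"\xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe")

# [data "..."] field copied from the 941310 entry in the sample error_log.
DATA_FIELD = (r"Matched Data: \\xbc\\x9a\\xe7\\xa4\\xbe found within "
              r"ARGS:testdata: \\xe4\\xbc\\x9a\\xe7\\xa4\\xbe")

def unescape_log_bytes(text):
    """Turn the log's escaped hex bytes back into raw bytes."""
    return re.sub(r"\\+x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")

def parse_data_field(field):
    """Return (matched bytes, variable name, full submitted bytes)."""
    m = re.fullmatch(r"Matched Data: (.*) found within ([^:]+:[^:]+): (.*)",
                     field, re.S)
    if m is None:
        raise ValueError("unrecognised data field")
    return (unescape_log_bytes(m.group(1)), m.group(2),
            unescape_log_bytes(m.group(3)))

def triage(field):
    """Decode what the client sent and re-run the rule pattern on it."""
    matched, variable, value = parse_data_field(field)
    hit = RULE_941310.search(value)
    try:
        text = value.decode("utf-8")  # clean UTF-8 suggests ordinary text
    except UnicodeDecodeError:
        text = None
    return {
        "variable": variable,
        "submitted_text": text,
        "reproduced": hit is not None and hit.group(0) == matched,
        "matched_hex": hit.group(0).hex(" ") if hit else None,
        # A match starting on a UTF-8 continuation byte (10xxxxxx) begins in
        # the middle of a character: the pattern is reading bytes, not text.
        "starts_mid_character": bool(text is not None and hit
                                     and (value[hit.start()] & 0xC0) == 0x80),
    }

def would_match(form_value):
    """Check a UTF-8 form value against the pattern before deployment."""
    return RULE_941310.search(form_value.encode("utf-8")) is not None

if __name__ == "__main__":
    print(triage(DATA_FIELD))
```

The match starts at byte 0xbc, the second byte of 会 (e4 bc 9a), and ends at 0xbe, the last byte of 社 (e7 a4 be), so the pattern fires on the interior bytes of two ordinary UTF-8 characters.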

Environment

  • Red Hat Enterprise Linux 8
  • httpd
  • mod_security_crs-3.3.0-2.el8
