
False positive on parameter value XMLNS


Description

GET /api/v1/query?q=7XMLNS triggered a false positive because the parameter contains "XMLNS".

#16 4.565 Rule Id: 941130 phase: 2
#16 4.565 * Match, but no disruptive action: ModSecurity: Warning. Matched "Operator Rx' with parameter (?i)\s\S\b' against variable ARGS:q' (Value: 7XMLNS' ) [file "/opt/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "125"] [id "941130"] [rev ""] [msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data: 7XMLNS found within ARGS:q: 7XMLNS"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname ""] [uri "/api/v1/query"] [unique_id "162043736477.530879"] [ref "o0,6v20,6t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

Your Environment

  • CRS version: default v3.4/dev
  • Paranoia level setting:
  • ModSecurity version: 3.0.4
  • Web Server and version:
  • Operating System and version: Amazon Linux 2

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
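The match line above follows the fixed ModSecurity v3 layout: a free-text head naming operator, pattern, variable and matched value, followed by bracketed [key "value"] fields. The following added example (not code from the issue or from the CRS project) parses that layout and derives the narrowest rule exclusion for this match; it assumes a shortened copy of the issue's own log line as constructed input and uses the ModSecurity directive SecRuleUpdateTargetById.

```python
import re

# Constructed sample: a shortened copy of the log line quoted in the issue,
# with quotes normalised to ASCII and the docker build prefix left in place.
SAMPLE = (
    "#16 4.565 * Match, but no disruptive action: ModSecurity: Warning. "
    "Matched \"Operator Rx' with parameter (?i)\\s\\S\\b' against variable "
    "ARGS:q' (Value: 7XMLNS' ) "
    '[file "/opt/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[line "125"] [id "941130"] [msg "XSS Filter - Category 3: Attribute Vector"] '
    '[data "Matched Data: 7XMLNS found within ARGS:q: 7XMLNS"] [severity "2"] '
    '[ver "OWASP_CRS/3.3.0"] [tag "attack-xss"] [tag "paranoia-level/1"] '
    '[tag "OWASP_CRS"] [uri "/api/v1/query"]'
)

# One [key "value"] pair; ModSecurity does not put a raw double quote in a value.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# The free-text head: operator, pattern, variable and the value that matched.
MATCH_RE = re.compile(
    r"Matched \"Operator (?P<operator>\w+)' with parameter (?P<pattern>.*?)' "
    r"against variable (?P<variable>[\w:.\-]+)' \(Value: (?P<value>.*?)' \)"
)


def parse_modsec_line(line: str) -> dict:
    """Turn one ModSecurity v3 match line into a dict of its fields.

    Repeated [tag "..."] fields are collected under "tags"; every other
    bracketed key (id, msg, data, severity, uri, ...) appears once.
    """
    entry = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)
        else:
            entry[key] = value
    head = MATCH_RE.search(line)
    if head:
        entry.update(head.groupdict())
    return entry


def exclusion_for(entry: dict) -> str:
    """Narrowest CRS exclusion for this match: drop only the offending
    variable from the rule, so 941130 stays active for every other input."""
    return f'SecRuleUpdateTargetById {entry["id"]} "!{entry["variable"]}"'
```

Running parse_modsec_line on SAMPLE yields id 941130, variable ARGS:q and value 7XMLNS, and exclusion_for turns that into SecRuleUpdateTargetById 941130 "!ARGS:q".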

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 14 (10 by maintainers)

Top GitHub Comments

1 reaction
fzipi commented, May 11, 2021

Sure, it is possible.

You need python3, docker, and docker-compose installed.

The steps should be:

pip install --upgrade setuptools wheel
pip install -r tests/regression/requirements.txt
mkdir -p tests/logs/modsec2-apache/apache2
docker-compose -f ./tests/docker-compose.yml up -d modsec2-apache
py.test -vs --tb=short tests/regression/CRS_Tests.py \
  --config="modsec2-apache" \
  --ruledir=./tests/regression/tests

Will write a wiki page with this.

0 reactions
lifeforms commented, Sep 6, 2021

Addressed this in PR #2192. I’d like to keep the changes as small as possible to move forward on this, we can always perfect the rule later. For further discussion please visit #2192.

