FP: 941120 (PL1) base64 encoded string in param
Description
False positive when a POST contains a base64 encoded string in a parameter e.g. CAVV from a payment gateway.
Message: Warning. Pattern match "(?i)[\\s\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]+[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=" at ARGS:CAVV. [file "/etc/httpd/modsecurity.d/owasp-crs-modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "108"] [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: /OnCQMAAAA= found within ARGS:CAVV: xxxxxxxxxx/OnCQMAAAA="] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
- CRS version (e.g., v3.2.0): 3.3.0
- Paranoia level setting: PL2
- ModSecurity version (e.g., 2.9.3): 2.9.2
- Web Server and version (e.g., apache 2.4.41): 2.4.6
- Operating System and version: EL7
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Top GitHub Comments
Sorry for letting this go stale. It’s part of a bigger problem with seemingly random input and we have a hard time fixing this for real. So I reckon the best bet for the time being is just to do a local rule exclusion following tutorial https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/.
I guess we won’t be hearing anything from @csanders-git about this anymore.
Unassigning him and adding the “good first issue” label.
All we need is a PR that moves rule 941120 from PL1 to PL2.
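An added triage script, written for this page and not part of the issue or of the CRS project, that runs the 941120 operator regex quoted in the audit log above against constructed sample values. It shows why a canonical base64 token such as a CAVV can hit the event-handler pattern (a '/' or digit immediately before "on", a run of letters, then the trailing "=" padding, all of which are legal base64 characters) and separates that case from a genuine attribute fragment; the sample values, the `triage` helper and its wording are assumptions.

```python
import base64
import binascii
import re

# The operator regex of CRS rule 941120 exactly as quoted in the audit log above
# (the log shows it with doubled backslashes; this is the unescaped form).
EVENT_HANDLER_RE = re.compile(
    r"""(?i)[\s"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?="""
)

def match_941120(value: str):
    """Return the fragment the rule reports as 'Matched Data', or None if it would not fire."""
    m = EVENT_HANDLER_RE.search(value)
    return m.group(0) if m else None

def is_canonical_base64(value: str) -> bool:
    """True only for padded, canonical base64 (standard alphabet, no whitespace,
    round-trips byte-for-byte), which is the shape a payment-gateway CAVV field has."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return base64.b64encode(raw).decode("ascii") == value

def triage(param: str, value: str) -> str:
    """Classify one ARGS:<param> value the way an analyst reviewing the alert would."""
    hit = match_941120(value)
    if hit is None:
        return "no match"
    if is_canonical_base64(value):
        # The regex needs a '/' or digit, then 'on', letters, then '=': every one of
        # those is a legal base64 character, so opaque tokens will occasionally hit.
        return f"likely false positive: ARGS:{param} is canonical base64, matched {hit!r}"
    return f"inspect: ARGS:{param} matched {hit!r}"

# Constructed samples: a base64 token shaped like the redacted CAVV in the report,
# an ordinary base64 token, and an HTML attribute fragment the rule is meant to catch.
SAMPLES = {
    "CAVV": "MDEyMzQ1/OnCQMAAAAA=",
    "token": "SGVsbG8gd29ybGQ=",
    "q": 'x" onload=x',
}

if __name__ == "__main__":
    for param, value in SAMPLES.items():
        print(f"{param}: {triage(param, value)}")
```

Once a parameter is confirmed to carry only canonical base64, the per-parameter local exclusion the linked tutorial describes is a directive such as `SecRuleUpdateTargetById 941120 "!ARGS:CAVV"` in your own exclusion file, rather than an edit to the CRS rule file.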