Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

FP 949110 - cookie with (.)/(.) in value

See original GitHub issue

Description

i add cookie with value (asd)/(asd) , and get block from modSecurity (you can add any text in bracket)

Audit Logs / Triggered Rule Numbers

2020/12/09 12:47:45 [error] 5866#5866: *2716173 [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "x.x.x.x"] [uri "/"] [unique_id "160751806528.147812"] [ref ""], client: x.x.x.x, server: dev.app.comp.ru, request: "GET / HTTP/2.0", host: "dev.app.comp.ru"

Your Environment

CRS version (e.g., v3.2.0): v3.3.0
Paranoia level setting: 1
ModSecurity version (e.g., 2.9.3): v3.0.4
Web Server and version (e.g., apache 2.4.41): k8s.gcr.io/ingress-nginx/controller:v0.41.2