FP Nextcloud DesktopClient DAV SQL attack
See original GitHub issue. Issue originally created by user welljsjs on 2018-07-31 15:39:30. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1157.
My Nextcloud desktop client often gets banned due to false positives by ModSecurity. I am using CRS 3.0.2.
The following lines were copied from the Apache error log. The IP address and the hostname are changed.
[Tue Jul 31 15:49:41.146345 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: session_id found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.147713 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(?i)[\\\\s\\\\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\\\\/html|pattern(?=.*?=)|formaction|\\\\**import**|base64)\\\\b" at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "166"] [id "941130"] [rev "2"] [msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data: xmlns found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.156582 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(^[\\"'`;]+|[\\"'`]+$)" at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "494"] [id "942110"] [rev "4"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\x22 found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.157466 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(?i:([\\\\s'\\"`\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\s+like|not\\\\s+regexp)([\\\\s'\\"`\\\\(\\\\)]*?)(?!\\\\2)([\\\\d\\\\w]+)))" at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "558"] [id "942130"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: d=\\x22D found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.161103 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h ..." at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\x22><d:p found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.164310 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(?i:(?:in\\\\s*?\\\\(+\\\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w+]+(?:regexp\\\\s*?\\\\(|sounds\\\\s+like\\\\s*?[\\"'`]|[=\\\\d]+x))|([\\"'`]\\\\s*?\\\\d\\\\s*?(?:--|#))|(?:[\\"'`][\\\\%&<>^=]+\\\\d\\\\s*?(=|x?or|div|like|between|and))|(?:[\\ ..." at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "817"] [id "942340"] [rev "2"] [msg "Detects basic SQL authentication bypass attempts 3/3"] [data "Matched Data: \\x22DAV:\\x22 found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.165556 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(?i:(?:[\\"'`]\\\\s*?\\\\*.+(?:x?or|div|like|between|and|id)\\\\W*?[\\"'`]\\\\d)|(?:\\\\^[\\"'`])|(?:^[\\\\w\\\\s\\"'`-]+(?<=and\\\\s)(?<=or|xor|div|like|between|and\\\\s)(?<=xor\\\\s)(?<=nand\\\\s)(?<=not\\\\s)(?<=\\\\|\\\\|)(?<=\\\\&\\\\&)\\\\w+\\\\()|(?:[\\"'`][\\\\s\\\\d]*?[^\\\\w\\\\s]+\\\\W*?\\\\d\\ ..." at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "845"] [id "942370"] [rev "2"] [msg "Detects classic SQL injection probings 2/2"] [data "Matched Data: \\x221.0\\x22 found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.172306 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "((?:[\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>][^\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>]*?){12})" at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1006"] [id "942430"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)"] [data "Matched Data: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22>< found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [ta [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
As there are several rules that take effect, I am not sure how to deal with the current situation.
As a result, ModSecurity often induces a close of the connection.
I am using Nextcloud 14.
Top GitHub Comments
User spartantri commented on 2018-08-03 08:02:50:
Hi again welljsjs, it depends; that rule will work if two criteria are met.
In v3.1 that is set in crs-setup by rule 900700 and it is evaluated at REQUEST-912-DOS-PROTECTION, so you need to add your rule in between.
You can achieve that using your Apache config by adding the rule after the Include of crs-setup but before the Include of rules/*.conf, or using your custom REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.
Cheers!
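The placement described in the comment above, as an added example that is neither the issue author's configuration nor the CRS project's own code: a runtime rule exclusion scoped to the Nextcloud WebDAV endpoint, sitting between the two CRS Includes. The rule IDs are the ones reported in the log above; the local rule id 1000, the URI prefix and the Include paths are assumptions for this deployment.

```apache
# Added example, not from the issue or the CRS project.
# Apache / ModSecurity v2 configuration, e.g. in the vhost or modsecurity.conf.

# 1. CRS settings first (path assumed from the log above).
Include /etc/apache2/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf

# 2. Runtime exclusions go here, before the CRS rule files, so that they are
#    evaluated in phase 1 ahead of the rules they switch off for this request.
#    (The config-time directive SecRuleRemoveById would instead belong after
#    the rules Include, i.e. in the AFTER-CRS exclusion file.)
#    Scoping on the WebDAV URI keeps the rules active for the rest of the site.
#    Rule id 1000 is an assumed local id from the range reserved for local rules.
SecRule REQUEST_URI "@beginsWith /nextcloud/remote.php/webdav" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveById=941100,\
    ctl:ruleRemoveById=941130,\
    ctl:ruleRemoveById=942110,\
    ctl:ruleRemoveById=942130,\
    ctl:ruleRemoveById=942260,\
    ctl:ruleRemoveById=942340,\
    ctl:ruleRemoveById=942370,\
    ctl:ruleRemoveById=942430"

# 3. The CRS rule files last.
Include /etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/*.conf
```

The same SecRule can instead be placed in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, which the CRS loads at exactly this point. Note that the argument name ARGS:<?xml version in the log shows the PROPFIND body was parsed as a form-urlencoded body, so the whole XML document became one parameter value; if the client sends an XML Content-Type, making sure the XML request body processor is enabled for it is the cleaner fix.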
User welljsjs commented on 2018-08-02 08:37:20:
Nope, didn’t know that at all. Sounds great! Thank you both!