False positive response when using Prestashop #3704

Closed
Munrok opened this issue May 14, 2024 · 1 comment

Comments


Munrok commented May 14, 2024

When trying to update products in the store (Prestashop), I encounter the following false positive:

ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:form[step1][description][6]: <div class=\x22desc-ne-container\x22>\x0d\x0a<div class=\x22desc-ne-row\x22>\x0d\x0a<div class=\x22desc-ne desc-ne-100\x22>\x0d\x0a<h2>Automatyczny inkubator do jaj ( (5405 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "YY.YY.Y.YY"] [uri "/ eleno/index.php/sell/catalog/products/5642"] [unique_id "171531715945.271409"] [ref "v4577,5627t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullsv12977,5585t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullsv21331, (284 characters omitted)"] ModSecurity: Warning. 
Matched "Operator `Rx' with parameter `(?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A (4341 characters omitted)' against variable `ARGS:form[step1][description][6]' (Value: `<div class="desc-ne-container">\x0d\x0a<div class="desc-ne-row">\x0d\x0a<div class="desc-ne desc-ne- (6661 characters omitted)' ) [file "/etc/nginx/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "200"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <div class=\x22desc-ne-container\x22>\x0d\x0a<div class=\x22desc-ne-row\x22>\x0d\x0a<div class=\x22desc-ne desc-ne-100\x22>\x0d\x0a<h2>Automatyczny inkubator do jaj (56 jaj) Heckermann<strong style=\x22color: #202124; font-fa (10849 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "YY.YY.Y.YY"] [uri "/ eleno/index.php/sell/catalog/products/5642"] [unique_id "171531715945.271409"] [ref "o0,5452v4577,5627t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso0,5410v12977,5585t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:remo (319 characters omitted)"] ModSecurity: Warning. 
Matched "Operator `Pm' with parameter `document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[' against variable `ARGS:form[step1][description][6]' (Value: `<div class="desc-ne-container">\x0d\x0a<div class="desc-ne-row">\x0d\x0a<div class="desc-ne desc-ne- (6661 characters omitted)' ) [file "/etc/nginx/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "252"] [id "941180"] [rev ""] [msg "Node-Validator Deny List Keywords"] [data "Matched Data: <!-- found within ARGS:form[step1][description][6]: <div class=\x22desc-ne-container\x22>\x0d\x0a<div class=\x22desc-ne-row\x22>\x0d\x0a<div class=\x22desc-ne desc-ne-100\x22>\x0d\x0a<h2>Automatyczny inkubator do jaj (56 j (5401 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "YY.YY.Y.YY"] [uri "/ eleno/index.php/sell/catalog/products/5642"] [unique_id "171531715945.271409"] [ref "o766,4v4577,5627t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso759,4v12977,5585t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:remove (314 characters omitted)"] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `50' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `50' ) [file "/etc/nginx/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 50)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.1.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "YY.YY.Y.YY"] [uri "/ eleno/index.php/sell/catalog/products/5642"] [unique_id "171531715945.271409"] [ref ""]

Xhoenix (Member) commented May 16, 2024

Hello @Munrok,

Thanks for submitting and sorry for your inconvenience.

Unfortunately, you are facing a false positive in the LibInjection library that we are leveraging. You are not the first to report such an issue and we are also aware that LibInjection has become largely unmaintained, so you are a bit at a loss here.

Instead, you need to help yourself by writing one or more rule exclusions that are specific to your setup.

If you are not familiar with this technique then take a look at the tutorial at netnea, specifically this tutorial that covers handling false positives.

Please note that we also provide rule exclusion packages for selected off-the-shelf software at Paranoia Level 1 and Paranoia Level 2. These can be activated by editing crs-setup.conf or by enabling them on the platform you are using.

CRS Dev-on-Duty
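One way to write the setup-specific exclusion the reply asks for, as an added example that is not part of the issue or of the CRS distribution: it uses the three rule ids and the argument name from the log above; the rule id 10001 and the REQUEST_FILENAME pattern are assumptions.

```apache
# Added example, not from the issue or the CRS rule files. It removes the single
# HTML-bearing argument from the three XSS rules that fired in the log, and only
# on the product-edit endpoint, so every other argument and path keeps full
# coverage. The rule id (10001) and the path pattern are assumed values.
#
# Option A: runtime exclusion. Load it BEFORE the CRS rules, because a ctl:
# action in phase 1 modifies rules that run later in phase 2.
SecRule REQUEST_FILENAME "@rx /index\.php/sell/catalog/products/\d+$" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941100;ARGS:form[step1][description][6],\
    ctl:ruleRemoveTargetById=941160;ARGS:form[step1][description][6],\
    ctl:ruleRemoveTargetById=941180;ARGS:form[step1][description][6]"
# The [6] index is the one seen in the log; a form that posts the description
# under other indices needs one ctl line per index and rule.

# Option B: startup-time exclusion, loaded AFTER the CRS rules (use one option,
# not both). Simpler but broader: the argument is ignored by these rules on
# every request, not just on the product-edit path, so prefer Option A unless
# the argument name is unique to that form.
SecRuleUpdateTargetById 941100 "!ARGS:form[step1][description][6]"
SecRuleUpdateTargetById 941160 "!ARGS:form[step1][description][6]"
SecRuleUpdateTargetById 941180 "!ARGS:form[step1][description][6]"
```

After reloading, confirm in the error log that the same request no longer raises 941100/941160/941180 and that the 949110 anomaly score stays below the blocking threshold.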

@Xhoenix Xhoenix closed this as completed May 17, 2024