undetectable xss with modsec v3

[rayenmessaoudi]

why a simple xss payload <script>alert(123)</script> can't be detected with the new version of modsecurity v3.0.2 i m using the owasp crs and it workes properly with modsecurity v2 .

[victorhora]

@rayenmessaoudi there's a number of reasons this could be happening. Ranging from misconfiguration on your webserver (Nginx?) to misconfiguration of the rules.

For instance, have you confirmed that ModSecurity is enabled (modsecurity on;) and pointing to the correct rules file (modsecurity_rules_file modsecurity.conf;)? Connector usage information is available on the README.

If you are using OWASP CRS, make sure the CRS is properly included / loaded from within your modsecurity_rules_file. See INSTALL notes from the CRS.

If your problem persists, check the error_log and audit_logs and share them in a Gist here so the community can assist you better.

[rayenmessaoudi]

PS : i m using commands in this Dockerfile to install and configure modsecurity v3 https://hub.docker.com/r/owasp/modsecurity/builds/bk42keabrv8eqvvyzxebon/ cauz i have some problems with this installation guide https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x i already posted my problem here owasp-modsecurity/ModSecurity-apache#35 and no one answer me

[victorhora]

@rayenmessaoudi I see that you're running ModSecurity-apache. Ensure that the ModSecurity module is loaded in Apache configuration directives.

Also, check and share your logs with us so we can better assist you. You should be able to see something on both Apache error_log and ModSecurity's audit log. Look also for the SecAuditLog configuration on your modsecurity.conf file. You may also try enabling ModSecurity's debug logs as they can be also helpful.

After rechecking your modsecurity.conf file to where your logs are being saved, if you still can't find these log files, it's a strong indication that the ModSecurity apache module is not being loaded...

As for issue owasp-modsecurity/ModSecurity-apache#35 I see that @zimmerle was trying to help you. Are you still having issues with your installation then? If yes, that might explain why no rule is triggering against that XSS.

[rayenmessaoudi]

i m sure for all configuration the same payload xss detected by the waf in the search field and undetectable in the comment field (wordpress) weird problem :/

[victorhora]

@rayenmessaoudi your last comment provides some better clues. If ModSecurity was able to catch an XSS payload in one request but not in the other it might be a false negative with the CRS. But I'd say it's unlikely for such a simple and obvious payload.

If we assume that the search field have query parameter on a GET request and that the comment field have the parameter on a POST request I would guess that the reason why your specific request is not being triggered by ModSecurity is due the fact that the ModSecurity-apache connector is still in alpha stage and the current codebase on master is not supporting body inspection.

You might want to give it a try with pull request owasp-modsecurity/ModSecurity-apache#22. This should allow inspection on the body but it's still experimental.

[rayenmessaoudi]

@victorhora Thanks i understand the problem now 👍

[rayenmessaoudi]

but if the ModSecurity-apache is not able to inspect the body it means that i m not secure enough

[victorhora]

@rayenmessaoudi, ModSecurity-apache is currently in development stage and might be not ready for productions environments. If you're looking to use in production environments with Apache you may wish to use ModSecurity v2 for now (https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2).