ModSec being triggered


keat


I seem to have quite a number of Modsec 941100 being triggered.

Worryingly, these are related to some sort of cart activity, so are unlikely to be actual hacking attempts.

 

I can't rule out ModSec being over-zealous as usual, but thought I ought to raise the concern.

 

[Sat Jun 24 10:20:11.024651 2017] [:error] [pid 17879] [client 95.xxx.xxx.247] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "29"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: cookie found within REQUEST_HEADERS:Referer: https://www.mystore.com/index.php?cart_order_id=170624-101707-1054&valid=true&trans_id=170624-101707-1054&code=A&auth_code=005605&amount=274.92&ip=95.xxx.xxx.247&cv2avs=SECURITY CODE MATCH ONLY&mpi_status_code=237&mpi_message=Authenticated&hash=153dafd66a63922a70b3e53915ff30a7&_a=complete"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "www.mystore.com"] [uri "/js/common.js"] [unique_id "WU4uywInQ3jJ7B-0tHxOiwAAAAU"]


I found something on GitHub. I've no idea what it all means, but it talks about the phrase 'ON' causing such an error.

 

https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/663

 

Could https://www.mystore.com/index.php?cart_order_id=170624-101707-1054&valid=true&trans_id=170624-101707-1054&code=A&auth_code=005605&amount=274.92&ip=95.xxx.xxx.247&cv2avs=SECURITY CODE MATCH ONLY

Have anything to do with this ??

I also note that embedded within that string is the phrase 'CV2 AVS'. Considering we don't collect card details on our site, I can only assume that the phrase was passed back by PayPoint?


I have no knowledge of mod_security, but my reading of the error message implicates a request for the file /js/common.js, and in the request for this file - in the Request Headers - there is what looks like cookie data (really? I can't tell).

One of the headers in any request for a page is the "referrer" - the web address of the page that contains the link or source tag. That is, once a browser has received the HTML of a page (index.php) and is scanning through it making follow-on requests for CSS, javascript, and image files, those follow-on requests will carry the "referrer" header. This includes someone else's page having a link to your site, such as a search engine results page. This is so that an analysis can be made of where requests are coming from.

So, it looks like PayPoint is sending back its IPN data, but in doing so, is also accepting the whole page and making follow-on requests for the page's resources - for no reason. The only thing PayPoint should be wanting to see is the 200 OK response from your web server. (Maybe the reason for handling more than the 200 OK response is in their API documentation.)

I believe that the web address PayPoint has been told to use to send its transaction reply is in error. CubeCart has a special URL format that will cause it to activate code in the PayPoint gateway module, followed by an orderly shutdown (200 OK) without sending anything back.

While the problem is manifesting as a mod_security rule getting tripped, I think the real problem is with PayPoint: the URL format being used to send transaction data, and PayPoint asking for page resources.

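Added example, not part of the thread or of CubeCart/CRS: a small Python triage helper for the event quoted in the first post, following the reply above's reading of it. It parses a ModSecurity 2.x error-log line into its bracketed fields, splits the "Matched Data" string to find which variable matched (here the Referer header, not a request argument), checks whether that Referer points back at the site's own hostname (the follow-on-request pattern the reply describes), pulls the query parameters out of the Referer so you can see the `cv2avs` value the poster is asking about, and prints a scoped CRS exclusion. The sample log line is reconstructed from the post with the tag list trimmed; the local rule id 1001 and the `/js/` prefix scoping are assumptions for illustration, not anything the thread prescribes.

```python
"""Triage a ModSecurity 2.x error-log event and draft a scoped CRS exclusion."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the event from the post above, IP masked as the poster
# masked it, tag list shortened. Not a line captured by this example's author.
SAMPLE_EVENT = (
    '[Sat Jun 24 10:20:11.024651 2017] [:error] [pid 17879] [client 95.xxx.xxx.247] '
    'ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. '
    '[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[line "29"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] '
    '[data "Matched Data: cookie found within REQUEST_HEADERS:Referer: '
    'https://www.mystore.com/index.php?cart_order_id=170624-101707-1054&valid=true'
    '&trans_id=170624-101707-1054&code=A&auth_code=005605&amount=274.92&ip=95.xxx.xxx.247'
    '&cv2avs=SECURITY CODE MATCH ONLY&mpi_status_code=237&mpi_message=Authenticated'
    '&hash=153dafd66a63922a70b3e53915ff30a7&_a=complete"] [severity "CRITICAL"] '
    '[ver "OWASP_CRS/3.0.0"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] '
    '[hostname "www.mystore.com"] [uri "/js/common.js"] [unique_id "WU4uywInQ3jJ7B-0tHxOiwAAAAU"]'
)

# [key "value"] fields; the value may contain ] and : but not an unescaped quote.
QUOTED_FIELD = re.compile(r'\[([a-z_]+) "((?:[^"\\]|\\.)*)"\]')
# [client 1.2.3.4] is the one unquoted field worth keeping.
CLIENT_FIELD = re.compile(r'\[client ([^\]\s]+)\]')
# "Matched Data: <token> found within <VARIABLE>: <full value>"
MATCHED_DATA = re.compile(
    r'^Matched Data: (?P<match>.*?) found within (?P<variable>\S+?): (?P<value>.*)$'
)


def parse_event(line):
    """Return a dict of the event's fields; repeated [tag ...] fields become a list."""
    ev = {"tags": []}
    m = CLIENT_FIELD.search(line)
    if m:
        ev["client"] = m.group(1)
    for key, value in QUOTED_FIELD.findall(line):
        if key == "tag":
            ev["tags"].append(value)
        else:
            ev[key] = value
    md = MATCHED_DATA.match(ev.get("data", ""))
    if md:
        ev["matched"] = md.group("match")      # token libinjection/CRS reported
        ev["variable"] = md.group("variable")  # e.g. REQUEST_HEADERS:Referer
        ev["value"] = md.group("value")        # the whole inspected value
    return ev


def same_site_referer(ev):
    """True when the match came from a Referer whose host is the event's own hostname,
    i.e. a browser (or a gateway behaving like one) fetching this page's resources."""
    if ev.get("variable") != "REQUEST_HEADERS:Referer":
        return False
    host = urlsplit(ev["value"]).hostname
    return host is not None and host == ev.get("hostname")


def referer_params(ev):
    """Query parameters carried in the Referer URL, e.g. the gateway's cv2avs text."""
    return parse_qs(urlsplit(ev["value"]).query)


def exclusion_rule(ev, local_id=1001):
    """Draft a runtime CRS exclusion: stop the rule that fired from inspecting the
    matched variable, but only for requests under the blocked URI's directory.
    local_id is an assumed id in the 1-99999 range CRS leaves for local rules."""
    uri_prefix = ev["uri"].rsplit("/", 1)[0] + "/"
    return (
        'SecRule REQUEST_URI "@beginsWith %s" '
        '"id:%d,phase:1,pass,nolog,ctl:ruleRemoveTargetById=%s;%s"'
        % (uri_prefix, local_id, ev["id"], ev["variable"])
    )


def triage(line):
    """Classify one event; returns (event dict, verdict string)."""
    ev = parse_event(line)
    if same_site_referer(ev):
        verdict = "likely false positive: match is in a same-site Referer on %s" % ev["uri"]
    else:
        verdict = "inspect: match is in %s" % ev.get("variable", "unknown variable")
    return ev, verdict


if __name__ == "__main__":
    event, verdict = triage(SAMPLE_EVENT)
    print(event["id"], event["msg"], "from", event["client"])
    print(verdict)
    print("Referer cv2avs =", referer_params(event).get("cv2avs"))
    print("Suggested exclusion:", exclusion_rule(event))
```

A `ctl:` exclusion like the one printed has to run before the CRS rule it modifies, so in a CRS 3.0 layout it belongs in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (the configure-time alternative, `SecRuleUpdateTargetById 941100 "!REQUEST_HEADERS:Referer"`, goes in the AFTER-CRS file). Either form only silences the symptom: as the reply above says, the gateway's callback URL format, and its fetching of page resources, is the thing to fix.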

  • 3 weeks later...

Well, I'm having right fun and games with Capita (PAY360).

After more than two weeks of waiting, chasing for updates, they finally came back to me today to tell me what I already know, and that their gateway is sending back the phrase 'only'.

I told them this on the 26th of June.
