@defanator
Last active November 29, 2016 11:54
---i7wdgemV---A--
[29/Nov/2016:11:09:10 +0000] 148041775067.012532 127.0.0.1 53931 127.0.0.1 80
---i7wdgemV---B--
GET /?param="><script>alert(1);</script> HTTP/1.1
REQUEST_HEADERS:User-Agent: curl/7.38.0
REQUEST_HEADERS:Host: localhost
REQUEST_HEADERS:Accept: */*
---i7wdgemV---D--
---i7wdgemV---E--
---i7wdgemV---F--
RESPONSE_HEADERS:Server: nginx/1.11.5
RESPONSE_HEADERS:Date: Tue, 29 Nov 2016 11:09:10 GMT
RESPONSE_HEADERS:Content-Length: 169
RESPONSE_HEADERS:Content-Type: text/html
RESPONSE_HEADERS:Connection: keep-alive
---i7wdgemV---H--
[client 127.0.0.1] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "17"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@rx' with parameter `(?i)([<\xffffffef\xffffffbc\xffffff9c]script[^>\xffffffef\xffffffbc\xffffff9e]*[>\xffffffef\xffffffbc\xffffff9e][\s\S]*?)' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) " at ARGS:param [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941110"] [rev "2"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@rx' with parameter `(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o (3246 characters omitted)' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) " at ARGS:param [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "231"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `15' ) " at TX:ANOMALY_SCORE [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "38"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `15' ) " at TX:INBOUND_ANOMALY_SCORE [file "/etc/nginx/modsec/owasp-v3/rules/RESPONSE-980-CORRELATION.conf"] [line "64"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
---i7wdgemV---I--
---i7wdgemV---J--
---i7wdgemV---Z--
---es13Qzc5---A--
[29/Nov/2016:11:12:24 +0000] 148041794473.883628 127.0.0.1 53935 127.0.0.1 80
---es13Qzc5---B--
GET / HTTP/1.1
REQUEST_HEADERS:User-Agent: curl/7.38.0
REQUEST_HEADERS:Host: localhost
REQUEST_HEADERS:Accept: */*
---es13Qzc5---D--
---es13Qzc5---E--
---es13Qzc5---F--
RESPONSE_HEADERS:ETag: "582b28cb-1e6c"
RESPONSE_HEADERS:Server: nginx/1.11.5
RESPONSE_HEADERS:Date: Tue, 29 Nov 2016 11:12:24 GMT
RESPONSE_HEADERS:Content-Length: 7788
RESPONSE_HEADERS:Content-Type: text/html; charset=utf-8
RESPONSE_HEADERS:Connection: keep-alive
RESPONSE_HEADERS:Last-Modified: Tue, 15 Nov 2016 15:24:59 GMT
RESPONSE_HEADERS:Accept-Ranges: bytes
---es13Qzc5---H--
[client 127.0.0.1] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "17"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@rx' with parameter `(?i)([<\xffffffef\xffffffbc\xffffff9c]script[^>\xffffffef\xffffffbc\xffffff9e]*[>\xffffffef\xffffffbc\xffffff9e][\s\S]*?)' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) " at ARGS:param [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941110"] [rev "2"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@rx' with parameter `(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o (3246 characters omitted)' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) " at ARGS:param [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "231"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `15' ) " at TX:ANOMALY_SCORE [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "38"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `15' ) " at TX:INBOUND_ANOMALY_SCORE [file "/etc/nginx/modsec/owasp-v3/rules/RESPONSE-980-CORRELATION.conf"] [line "64"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
---es13Qzc5---I--
---es13Qzc5---J--
---es13Qzc5---Z--
---o8Y94fEu---A--
[29/Nov/2016:11:12:54 +0000] 148041797477.251704 127.0.0.1 53938 127.0.0.1 80
---o8Y94fEu---B--
GET /en/ HTTP/1.1
REQUEST_HEADERS:User-Agent: curl/7.38.0
REQUEST_HEADERS:Host: localhost
REQUEST_HEADERS:Accept: */*
---o8Y94fEu---D--
---o8Y94fEu---E--
---o8Y94fEu---F--
RESPONSE_HEADERS:ETag: "58358a96-3830"
RESPONSE_HEADERS:Server: nginx/1.11.5
RESPONSE_HEADERS:Date: Tue, 29 Nov 2016 11:12:55 GMT
RESPONSE_HEADERS:Content-Length: 14384
RESPONSE_HEADERS:Content-Type: text/html; charset=utf-8
RESPONSE_HEADERS:Connection: keep-alive
RESPONSE_HEADERS:Last-Modified: Wed, 23 Nov 2016 12:24:54 GMT
RESPONSE_HEADERS:Accept-Ranges: bytes
---o8Y94fEu---H--
[client 127.0.0.1] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "17"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@rx' with parameter `(?i)([<\xffffffef\xffffffbc\xffffff9c]script[^>\xffffffef\xffffffbc\xffffff9e]*[>\xffffffef\xffffffbc\xffffff9e][\s\S]*?)' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) " at ARGS:param [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941110"] [rev "2"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@rx' with parameter `(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o (3246 characters omitted)' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) " at ARGS:param [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "231"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `15' ) " at TX:ANOMALY_SCORE [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "38"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `15' ) " at TX:INBOUND_ANOMALY_SCORE [file "/etc/nginx/modsec/owasp-v3/rules/RESPONSE-980-CORRELATION.conf"] [line "64"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041775067.012532"]
---o8Y94fEu---I--
---o8Y94fEu---J--
---o8Y94fEu---Z--
---VyDzxRKU---A--
[29/Nov/2016:11:32:56 +0000] 148041917641.115769 127.0.0.1 53949 127.0.0.1 80
---VyDzxRKU---B--
GET /?param="><script>alert(1);</script> HTTP/1.1
REQUEST_HEADERS:User-Agent: curl/7.38.0
REQUEST_HEADERS:Host: localhost
REQUEST_HEADERS:Accept: */*
---VyDzxRKU---D--
---VyDzxRKU---E--
---VyDzxRKU---F--
RESPONSE_HEADERS:Server: nginx/1.11.5
RESPONSE_HEADERS:Date: Tue, 29 Nov 2016 11:32:56 GMT
RESPONSE_HEADERS:Content-Length: 169
RESPONSE_HEADERS:Content-Type: text/html
RESPONSE_HEADERS:Connection: keep-alive
---VyDzxRKU---H--
[client 127.0.0.1] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "17"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041917641.115769"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@rx' with parameter `(?i)([<\xffffffef\xffffffbc\xffffff9c]script[^>\xffffffef\xffffffbc\xffffff9e]*[>\xffffffef\xffffffbc\xffffff9e][\s\S]*?)' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) " at ARGS:param [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941110"] [rev "2"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041917641.115769"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@rx' with parameter `(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o (3246 characters omitted)' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) " at ARGS:param [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "231"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041917641.115769"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `15' ) " at TX:ANOMALY_SCORE [file "/etc/nginx/modsec/owasp-v3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "38"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041917641.115769"]
[client 127.0.0.1] ModSecurity: Warning. Matched "Operator `@ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `15' ) " at TX:INBOUND_ANOMALY_SCORE [file "/etc/nginx/modsec/owasp-v3/rules/RESPONSE-980-CORRELATION.conf"] [line "64"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "127.0.0.1"] [uri "/?param="><script>alert(1);</script>"] [unique_id "148041917641.115769"]
---VyDzxRKU---I--
---VyDzxRKU---J--
---VyDzxRKU---K--
---VyDzxRKU---Z--
Request:
# curl -X POST -i -d "test body" 'http://localhost/'
Audit log:
---fqfSw8lq---A--
[29/Nov/2016:11:39:37 +0000] 148041957729.294639 127.0.0.1 53955 127.0.0.1 80
---fqfSw8lq---B--
POST / HTTP/1.1
REQUEST_HEADERS:User-Agent: curl/7.38.0
REQUEST_HEADERS:Host: localhost
REQUEST_HEADERS:Accept: */*
REQUEST_HEADERS:Content-Length: 9
REQUEST_HEADERS:Content-Type: application/x-www-form-urlencoded
---fqfSw8lq---D--
---fqfSw8lq---E--
---fqfSw8lq---F--
RESPONSE_HEADERS:Server: nginx/1.11.5
RESPONSE_HEADERS:Date: Tue, 29 Nov 2016 11:39:38 GMT
RESPONSE_HEADERS:Content-Length: 173
RESPONSE_HEADERS:Content-Type: text/html; charset=utf-8
RESPONSE_HEADERS:Connection: keep-alive
---fqfSw8lq---H--
---fqfSw8lq---I--
---fqfSw8lq---J--
---fqfSw8lq---K--
---fqfSw8lq---Z--
Request:
# curl -X POST -i -d "test body" 'http://localhost/'
Audit log:
---FE6E1cHh---A--
[29/Nov/2016:11:53:20 +0000] 148042040086.751258 127.0.0.1 53964 127.0.0.1 80
---FE6E1cHh---B--
POST / HTTP/1.1
REQUEST_HEADERS:User-Agent: curl/7.38.0
REQUEST_HEADERS:Host: localhost
REQUEST_HEADERS:Accept: */*
REQUEST_HEADERS:Content-Length: 9
REQUEST_HEADERS:Content-Type: application/x-www-form-urlencoded
---FE6E1cHh---C--
---FE6E1cHh---D--
---FE6E1cHh---E--
---FE6E1cHh---F--
RESPONSE_HEADERS:Server: nginx/1.11.5
RESPONSE_HEADERS:Date: Tue, 29 Nov 2016 11:53:20 GMT
RESPONSE_HEADERS:Content-Length: 173
RESPONSE_HEADERS:Content-Type: text/html; charset=utf-8
RESPONSE_HEADERS:Connection: keep-alive
---FE6E1cHh---H--
---FE6E1cHh---I--
---FE6E1cHh---J--
---FE6E1cHh---K--
---FE6E1cHh---Z--