
Rule name: XSS, HTML Injection - Body Rule: 100096BHTML

Since about a week ago, requests matching this WAF rule have strongly increased on a customer's website. This is an example graph showing only the number of those flagged requests over 24 hours:

Flagged requests over 24 hours

This affects all kinds of targets. Surprisingly to me, static files in particular are being requested. Each IP address requests a number of files. The number of files can vary between a few and a few hundred. The set of files requested for each IP address seems to be legitimate.

Sources of the requests are legitimate IP blocks of mobile phone providers and home internet providers of the main targeted countries of the website.

I wonder how I can deal with this:

  • It is not entirely clear to me what exactly is wrong with these requests. I assume their body contains things it should not contain.
  • If my assumption is correct, I would need to log the request bodies.
  • Logging request bodies is critical from a data protection standpoint (GDPR, etc.).
  • It might be false positives, but how can I prove it?
    Do you know the HTTP methods of the requests that are getting flagged as XSS? Are they GETs, POSTs, etc.? Start with that. If there are GETs that are being flagged, then it's possible that they are being flagged for some other reason. Do you have any information about the query string that's being passed in? It's possible there are values in that which are causing the problem. – Dan Landberg Jun 04 '19 at 21:30
    Good question! These are GET requests with not even a question mark; i.e. `https://mydomain/path/version_number/filename.js`. – hey Jun 05 '19 at 00:11
    Ok. My next action would be to review the WAF rule itself, to see which portions of the request could be flagged. Is it possible that the requests are passing in HTTP headers which contain XSS payloads? – Dan Landberg Jun 10 '19 at 13:52
  • Thanks @user52472 - although I agree that this recommendation is very good, I am limited by using CF. I am not able to retrieve the WAF rule itself, as CF does not disclose its content. – hey Jun 16 '19 at 22:21
  • You still cannot really trust those IPs, because there are proxies running on top of bot networks which abuse normal mobile users and desktop users. Which WAF are you using? – Vaisakh Jun 22 '19 at 02:06
  • I use the Cloudflare WAF – hey Jun 22 '19 at 04:02
  • Is it with a basic CF plan? – Vaisakh Jun 23 '19 at 09:13
  • It says "Enterprise website" in the dashboard. – hey Jun 23 '19 at 20:33
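An added example, not from the question or from Cloudflare, of the triage approach the discussion converges on: check each request part (path, query, headers, body) separately for HTML-like content and record only which field matched plus a non-reversible hint, so no raw bodies or headers are stored. Cloudflare does not publish the body of rule 100096BHTML, so the regex below is an assumed stand-in, and the sample events are constructed to resemble the question (GETs for static files, no query string).

```python
import hashlib
import re
from collections import Counter

# Rough stand-in for an HTML-injection check: Cloudflare does not publish the
# body of rule 100096BHTML, so this pattern is an assumption, not the real rule.
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def redact(value: str) -> str:
    """Return a non-reversible hint (length + hash prefix) instead of the raw value."""
    digest = hashlib.sha256(value.encode("utf-8", "replace")).hexdigest()[:12]
    return f"len={len(value)} sha256={digest}"

def triage_request(req: dict) -> dict:
    """Report which request fields look HTML-like, storing only a redacted hint."""
    # req schema (constructed): method, path, query, headers (dict), body
    suspects = {}
    if HTML_TAG.search(req.get("path", "")):
        suspects["path"] = redact(req["path"])
    if HTML_TAG.search(req.get("query", "")):
        suspects["query"] = redact(req["query"])
    for name, val in req.get("headers", {}).items():
        if HTML_TAG.search(val):
            suspects[f"header:{name}"] = redact(val)
    if req.get("body") and HTML_TAG.search(req["body"]):
        suspects["body"] = redact(req["body"])
    return {"method": req.get("method"), "path": req.get("path"), "suspects": suspects}

def summarize(flagged: list) -> dict:
    """Aggregate triage results: how many GET vs POST, and which fields matched."""
    methods = Counter(r["method"] for r in flagged)
    fields = Counter(f for r in flagged for f in r["suspects"])
    return {"methods": dict(methods), "fields": dict(fields)}

# Constructed sample events resembling the question: GETs for static files,
# no query string, with HTML-like text sitting in a header rather than a body.
SAMPLE = [
    {"method": "GET", "path": "/path/1.2.3/app.js", "query": "",
     "headers": {"User-Agent": "Mozilla/5.0 <b>promo</b>", "Referer": "https://mydomain/"}, "body": ""},
    {"method": "GET", "path": "/path/1.2.3/style.css", "query": "",
     "headers": {"User-Agent": "Mozilla/5.0", "Referer": "https://mydomain/<p>hello</p>"}, "body": ""},
    {"method": "POST", "path": "/contact", "query": "",
     "headers": {"User-Agent": "curl/7.64"}, "body": "msg=hi<br>there"},
]

if __name__ == "__main__":
    results = [triage_request(r) for r in SAMPLE]
    print(summarize(results))
```

Run against exported firewall events, the per-field counts show whether the GETs are tripping on a header rather than a body, which is the question the comments raise, without the logging that the GDPR concern rules out.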
