Large scale problem with cookie and WAF blocking web services

Hi Remuflon,

Thank you for reaching out to the Community! 

Could you please provide the reverseproxy logs from your firewall? 

Thanks,

Here is an example log entry.

2021:02:16-07:56:00 firewall httpd[8091]: [security2:error] [pid 8091:tid 4126894960] [client 192.168.0.20:54126] [client 192.168.0.20] ModSecurity: Warning. Pattern match "(^[\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at REQUESTCOOKIES:ajsanonymousid. [file "/usr/apache/conf/waf/modsecuritycrssqlinjectionattacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\x22 found within REQUESTCOOKIES:ajsanonymousid: \\x226c2ac757-d188-4b33-aeb4-8d452677db52\\x22"] [severity "CRITICAL"] [ver "OWASPCRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASPCRS/WEBATTACK/SQLINJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASPTOP10/A1"] [tag "OWASPAppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "meet.aquilatech.com"] [uri "/pwa-worker.js"] [uniqueid "YCvA4B-N3mke-3EtLGGhewAAAAA"], referer: https://meet.aquilatech.com/pwa-worker.js

I was mistaken, it's not a Google cookie, it's actually coming from Jira Service Desk.  But still, in my opinion, a %22...%22 should not be interpreted as SQL injection - on it's own.  Granted, it's poor form to put that in the cookie value...

Hi Remuflon,

Thank you for the update. 

You could try to bypass the third rule(981318 ) as it’s not one of the infrastructure rules by following this KBA and see if that helps: Sophos UTM: How to bypass individual WAF rules.

Thanks,

Yes, I will put that in my notes.  As a permanent fix I deleted the cookies from Jira and removed their website widgets.