This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Large scale problem with cookie and WAF blocking web services

It appears a large number of services are deploying this cookie named "ajs_anonymous_id".  I think it comes from Google.

The cookie begins and ends with %22.  This triggers Sophos UTM to think that EVERY request is a SQL Injection attack.



This thread was automatically locked due to age.
Parents
  • Here is an example log entry.

    2021:02:16-07:56:00 firewall httpd[8091]: [security2:error] [pid 8091:tid 4126894960] [client 192.168.0.20:54126] [client 192.168.0.20] ModSecurity: Warning. Pattern match "(^[\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at REQUESTCOOKIES:ajsanonymousid. [file "/usr/apache/conf/waf/modsecuritycrssqlinjectionattacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\x22 found within REQUESTCOOKIES:ajsanonymousid: \\x226c2ac757-d188-4b33-aeb4-8d452677db52\\x22"] [severity "CRITICAL"] [ver "OWASPCRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASPCRS/WEBATTACK/SQLINJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASPTOP10/A1"] [tag "OWASPAppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "meet.aquilatech.com"] [uri "/pwa-worker.js"] [uniqueid "YCvA4B-N3mke-3EtLGGhewAAAAA"], referer: https://meet.aquilatech.com/pwa-worker.js

  • FormerMember
    +1 FormerMember in reply to Remuflon

    Hi ,

    Thank you for the update. 

    You could try to bypass the third rule(981318 ) as it’s not one of the infrastructure rules by following this KBA and see if that helps: Sophos UTM: How to bypass individual WAF rules.

    Thanks,

Reply Children