
WAF UTM Modsecurity violation

Hi,

We are experiencing an issue with our website behind WAF on Sophos UTM.  I have been toying around with getting our site to work via Web Protection for users outside the internal network. This log entry indicates that ModSecurity, a web application firewall, has detected a possible cross-site scripting (XSS) attack.

023:04:10-13:14:27 [security2:error] [pid 1018:tid 4117486448] [client 1.1.1.1:62184] [client 1.1.1.1] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\(.*?\\\\))" at ARGS:About. [file "/usr/apache/conf/waf/modsecurity_crs_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22, Roboto, Arial, \\x22Droid Sans\\x22, sans-serif; color: rgb(115, 135, 156) found within ARGS:About: <h4 style=\\x22font-family: \\x22Helvetica Neue\\x22, Roboto, Arial, \\x22Droid Sans\\x22, sans-serif; color: rgb(115, 135, 156);\\x22><span style=\\x22font-weight: 700;\\x22>ELIE LOUTFI / \\xd8\\xa7</span></h4>"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "abc.xyz.com"] [uri "/product/machine/image"] [unique_id "ZDPhg7AnwYvo53owzhOiMwAAAJc"], referer: https://abc.xyz.net//product/machine/image=4sg7V/Hba6I=


Once we add the ID 973335 under skip rule, it works.

Can we do anything to solve it?
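
To check whether the hit is a false positive before skipping the rule, the logged value can be replayed against the rule's pattern. This is an added example, not part of the original post and not Sophos or CRS code; the un-escaped regex and the shortened log line are assumptions reconstructed from the entry above.

```python
import re

# Pattern of rule 973335 (OWASP CRS 2.2.7) with the log's backslash escaping
# removed. Assumption: this un-escaped form is what the rule file contains.
RULE_973335 = re.compile(r"""(?i:["'][ ]*(([^a-z0-9~_:' ])|(in)).+?\(.*?\))""")

# Shortened copy of the log entry above (constructed: most tags dropped).
LOG_LINE = (
    r'ModSecurity: Warning. Pattern match "..." at ARGS:About. '
    r'[id "973335"] [msg "IE XSS Filters - Attack Detected."] '
    r'[data "Matched Data: \\x22, Roboto, Arial, \\x22Droid Sans\\x22, sans-serif; '
    r'color: rgb(115, 135, 156) found within ARGS:About: '
    r'<h4 style=\\x22font-family: \\x22Helvetica Neue\\x22, Roboto, Arial, '
    r'\\x22Droid Sans\\x22, sans-serif; color: rgb(115, 135, 156);\\x22>'
    r'<span style=\\x22font-weight: 700;\\x22>ELIE LOUTFI / \\xd8\\xa7</span></h4>"] '
    r'[uri "/product/machine/image"]'
)

def unescape(text):
    """Turn the log's \\xNN byte escapes back into the characters that were sent."""
    raw = re.sub(rb"\\+x([0-9a-fA-F]{2})",
                 lambda m: bytes([int(m.group(1), 16)]), text.encode("utf-8"))
    return raw.decode("utf-8", errors="replace")

def triage(line):
    """Return rule id, inspected variable, submitted value and the span that matched."""
    rule_id = re.search(r'\[id "(\d+)"\]', line).group(1)
    data = re.search(r'\[data "Matched Data: (.*?) found within (\S+?): (.*?)"\] ', line)
    logged_match, variable, value = (unescape(g) for g in data.groups())
    hit = RULE_973335.search(value)
    return {"id": rule_id, "variable": variable, "value": value,
            "logged_match": logged_match,
            "regex_match": hit.group(0) if hit else None}

if __name__ == "__main__":
    result = triage(LOG_LINE)
    print("rule", result["id"], "fired on", result["variable"])
    print("submitted value:", result["value"])
    print("span that matched:", result["regex_match"])
```

The matched span runs from the quote that closes a font name to the closing parenthesis of `rgb(...)`, so the rule is reacting to the inline CSS in the submitted rich text (quoted font names followed by a parenthesised colour value), not to script content.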


