
WAF blocks Brave browser

I just discovered that ALL requests to ALL of my websites that come from the Brave browser are being blocked by Sophos UTM.

Even with just "Basic Protection" enabled, UTM interprets every HTTP request as an attack.

Here is an example log entry.

2021:02:16-07:56:00 firewall httpd[8091]: [security2:error] [pid 8091:tid 4126894960] [client 192.168.0.20:54126] [client 192.168.0.20] ModSecurity: Warning. Pattern match "(^[\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at REQUEST_COOKIES:ajs_anonymous_id. [file "/usr/apache/conf/waf/modsecuritycrssqlinjectionattacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\x22 found within REQUEST_COOKIES:ajs_anonymous_id: \\x226c2ac757-d188-4b33-aeb4-8d452677db52\\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "meet.aquilatech.com"] [uri "/pwa-worker.js"] [unique_id "YCvA4B-N3mke-3EtLGGhewAAAAA"], referer: https://meet.aquilatech.com/pwa-worker.js

2021:02:16-07:56:00 firewall httpd[8091]: [security2:error] [pid 8091:tid 4126894960] [client 192.168.0.20:54126] [client 192.168.0.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:981318-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-REQUEST_COOKIES:ajs_anonymous_id. [file "/usr/apache/conf/waf/modsecuritycrsinboundblocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=): Last Matched Message: SQL Injection Attack: Common Injection Testing Detected"] [data "Last Matched Data: \\x22"] [hostname "meet.aquilatech.com"] [uri "/pwa-worker.js"] [unique_id "YCvA4B-N3mke-3EtLGGhewAAAAA"], referer: https://meet.aquilatech.com/pwa-worker.js

2021:02:16-07:56:00 firewall httpd[8091]: [security2:error] [pid 8091:tid 4126894960] [client 192.168.0.20:54126] [client 192.168.0.20] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecuritycrscorrelation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=5, XSS=): SQL Injection Attack: Common Injection Testing Detected"] [hostname "meet.aquilatech.com"] [uri "/pwa-worker.js"] [unique_id "YCvA4B-N3mke-3EtLGGhewAAAAA"], referer: https://meet.aquilatech.com/pwa-worker.js

2021:02:16-07:56:00 firewall httpd: id="0299" srcip="192.168.0.20" localip="108.22.254.9" size="222" user="-" host="192.168.0.20" method="GET" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=): Last Matched Message: SQL Injection Attack: Common Injection Testing Detected" exceptions="-" time="3749" url="/pwa-worker.js" server="meet.aquilatech.com" port="443" query="" referer="https://meet.aquilatech.com/pwa-worker.js" cookie="_cfduid=d9401aa3bec727b3d9833971325b2f8d21613331266; ajs_group_id=null; ajs_anonymous_id=%226c2ac757-d188-4b33-aeb4-8d452677db52%22" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YCvA4B-N3mke-3EtLGGhewAAAAA"



  • FormerMember

    Hi,

    Thank you for reaching out to the Community!

    In the provided logs, three rules were triggered, as follows:

    1. 981176
    2. 981204
    3. 981318

    You could try to bypass the third rule (981318), as it is not one of the infrastructure rules, by following this KBA: Sophos UTM: How to bypass individual WAF rules.

    Note: Rules 981176 and 981204 from the provided log are infrastructure rules, and you should never bypass these rules, as they are the ones that block the request.

    Thanks,
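The triage the reply describes (which rule actually matched, on which input, and which rule is safe to exclude) can be done mechanically from the log lines. The script below is an added example for this thread, not Sophos tooling or anything from the KBA: it parses ModSecurity error-log entries and the UTM reverse-proxy access-log entry, shows why Brave's Segment cookie (a JSON-encoded string, so it starts and ends with a double quote once %22 is decoded) trips rule 981318, and lists only the non-infrastructure rule as an exception candidate. The sample lines are constructed here, modelled on the entries in the post; the infrastructure rule set is hard-coded to the two IDs the reply names; and the `SecRuleUpdateTargetById` line is generic ModSecurity 2.x syntax shown to illustrate how narrow the exception can be scoped, not the UTM GUI procedure from the linked KBA.

```python
"""Triage of Sophos UTM / ModSecurity WAF log lines: which rule fired, on which
input, and which rule is a safe candidate for a scoped exception."""
import re
from urllib.parse import unquote

# Sample lines modelled on the entries quoted in the thread (constructed here,
# abridged; host, cookie and rule IDs are the ones shown in the post).
MODSEC_LINES = [
    r"""2021:02:16-07:56:00 firewall httpd[8091]: [security2:error] [pid 8091:tid 4126894960] [client 192.168.0.20:54126] [client 192.168.0.20] ModSecurity: Warning. Pattern match "(^[\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at REQUEST_COOKIES:ajs_anonymous_id. [file "/usr/apache/conf/waf/modsecuritycrssqlinjectionattacks.conf"] [line "64"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\x22 found within REQUEST_COOKIES:ajs_anonymous_id: \\x226c2ac757-d188-4b33-aeb4-8d452677db52\\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "meet.aquilatech.com"] [uri "/pwa-worker.js"] [unique_id "YCvA4B-N3mke-3EtLGGhewAAAAA"]""",
    r"""2021:02:16-07:56:00 firewall httpd[8091]: [security2:error] [pid 8091:tid 4126894960] [client 192.168.0.20:54126] [client 192.168.0.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:981318-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-REQUEST_COOKIES:ajs_anonymous_id. [file "/usr/apache/conf/waf/modsecuritycrsinboundblocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=): Last Matched Message: SQL Injection Attack: Common Injection Testing Detected"] [data "Last Matched Data: \\x22"] [hostname "meet.aquilatech.com"] [uri "/pwa-worker.js"] [unique_id "YCvA4B-N3mke-3EtLGGhewAAAAA"]""",
    r"""2021:02:16-07:56:00 firewall httpd[8091]: [security2:error] [pid 8091:tid 4126894960] [client 192.168.0.20:54126] [client 192.168.0.20] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecuritycrscorrelation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=5, XSS=): SQL Injection Attack: Common Injection Testing Detected"] [hostname "meet.aquilatech.com"] [uri "/pwa-worker.js"] [unique_id "YCvA4B-N3mke-3EtLGGhewAAAAA"]""",
]
UTM_LINE = (
    '2021:02:16-07:56:00 firewall httpd: id="0299" srcip="192.168.0.20" method="GET" '
    'statuscode="403" reason="waf" url="/pwa-worker.js" server="meet.aquilatech.com" '
    'cookie="_cfduid=d9401aa3bec727b3d9833971325b2f8d21613331266; ajs_group_id=null; '
    'ajs_anonymous_id=%226c2ac757-d188-4b33-aeb4-8d452677db52%22" '
    'uid="YCvA4B-N3mke-3EtLGGhewAAAAA"'
)

# [key "value"] fields ModSecurity appends to an error-log line; values may
# contain escaped bytes such as \x22, so backslash-escaped characters are allowed.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the operator ran against: '... at REQUEST_COOKIES:ajs_anonymous_id. [file'
TARGET_RE = re.compile(r'\bat (\S+?)\.? \[file ')
# key="value" fields of the UTM reverse-proxy access log.
UTM_FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')

# The two anomaly-scoring rules the reply calls infrastructure rules: 981176
# (inbound blocking) and 981204 (correlation). Excluding them would turn off
# blocking for every request, so they are never offered as candidates.
INFRASTRUCTURE_RULES = {"981176", "981204"}

# Rule 981318's pattern as printed in the log, with the escaped UTF-8 bytes
# decoded: a value that starts or ends with a quote, acute accent, curly quote
# or semicolon. The JSON-encoded Segment cookie ("6c2a...") does both.
RULE_981318 = re.compile("(^[\"'\u00b4\u2019\u2018;]+|[\"'\u00b4\u2019\u2018;]+$)")


def parse_modsec(line):
    """Return the bracketed fields of one ModSecurity error-log line plus 'target'."""
    fields = dict(FIELD_RE.findall(line))
    m = TARGET_RE.search(line)
    fields["target"] = m.group(1) if m else None
    return fields


def parse_utm_cookies(line):
    """Return the cookies of a UTM reverse-proxy log line, URL-decoded the way
    the rule's urlDecodeUni transformation would see them (%22 -> ")."""
    fields = dict(UTM_FIELD_RE.findall(line))
    cookies = {}
    for part in fields.get("cookie", "").split("; "):
        name, sep, value = part.partition("=")
        if sep:
            cookies[name] = unquote(value)
    return cookies


def cookies_hitting_981318(cookies):
    """Names of cookies whose decoded value trips rule 981318."""
    return sorted(name for name, value in cookies.items() if RULE_981318.search(value))


def exception_candidates(lines):
    """Rules that fired and are not infrastructure rules, with the variable
    each matched on, so an exception can be scoped to that variable only."""
    seen = []
    for fields in map(parse_modsec, lines):
        rule = fields.get("id")
        if rule and rule not in INFRASTRUCTURE_RULES:
            seen.append({"id": rule, "target": fields["target"], "msg": fields.get("msg")})
    return seen


def scoped_exclusion(candidate):
    """Generic ModSecurity 2.x syntax for the narrowest exception: keep the rule
    but stop evaluating it on the one variable that produced the false positive.
    (On UTM the equivalent is a WAF exception configured in the GUI.)"""
    return f'SecRuleUpdateTargetById {candidate["id"]} "!{candidate["target"]}"'


if __name__ == "__main__":
    cookies = parse_utm_cookies(UTM_LINE)
    print("cookies tripping 981318:", cookies_hitting_981318(cookies))
    for cand in exception_candidates(MODSEC_LINES):
        print(f'rule {cand["id"]} on {cand["target"]}: {cand["msg"]}')
        print("  narrowest exception:", scoped_exclusion(cand))
```

Run as-is it reports that only ajs_anonymous_id trips 981318 and that 981318 on REQUEST_COOKIES:ajs_anonymous_id is the single exception candidate, while 981176 and 981204 are filtered out because they only report the anomaly score crossing the blocking threshold. Scoping the exception to that one cookie keeps the rule active for every other cookie, argument and header, which is a smaller loss of coverage than bypassing the rule outright.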