client9/libinjection

False positive w XSS - reason?

saratoga118 opened this issue · 0 comments

We use libinjection 3.9.2 within modsecurity 3.0.6. This is the string that causes a false positive XSS match in CRS rule 941101:

/ppfx/oNS-r3VlTC67VwnnCfx1wAd1jDbbMTSfeXRcovqQe67gIMHc8vr_T66y_0QA1rCquQ?a=V2Vidmlldw

I've compiled reader.c, and this seems to confirm the XSS match:

$ ./reader -x testfile
testfile        1       True    /ppfx/oNS-r3VlTC67VwnnCfx1wAd1jDbbMTSfeXRcovqQe67gIMHc8vr_T66y_0QA1rCquQ?a=V2Vidmlldw

SQLI  : 1
SAFE  : 0
TOTAL : 1

I would like to understand why this string is causing an XSS match.