
blocked by modsecurity #8

Open
flexjoly opened this issue Oct 12, 2017 · 2 comments

Comments

@flexjoly

Hi,

When posting the signature as SVG or dataUrl, modsecurity blocks it.

When posting as PNG the log says:
ModSecurity: Access denied with code 403 (phase 2). Pattern match "(asfunction|data|javascript|livescript|mocha|vbscript):" at ARGS:data_signature. [file "/usr/local/cwaf/rules/08_XSS_XSS.conf"] [line "223"] [id "212770"] [rev "5"] [msg "COMODO WAF: XSS Attack Detected||ourdomain.com|F|2"] [data "Matched Data: data: found within ARGS:data_signature: data:image/png;base64,ivborw0kg ...... [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"]

For now we do a substring on the created string, to get rid of things like 'data:image/png;base64,'.

It would be very helpful if the script could do this by itself.

Greetings, flexjoly

@kbwood
Owner

kbwood commented Oct 13, 2017

If you strip off that portion of the value you wouldn't know what format it is (PNG or JPEG).

What is it that modsecurity is trying to block? Can you increase the specificity of the rule to allow data:image/png but not other data:?

@flexjoly
Author

flexjoly commented Nov 8, 2017

Hi,
Thanks for your reply, sorry for my late response.

I know too little about modsecurity :-( Only that we need it and that it is annoying. I think the rule can be found by the id '212770'

It might help if the format and the raw data are sent in different variables, so it is not seen as a kind of an injection.

Greetz, flexjoly
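Added example (not code from the jquery.signature project or from either commenter) showing what the two suggestions above look like in practice: the data URL is split into a format field and a raw base64 field before posting, so neither value contains the `data:` prefix the quoted rule matches on, and the receiving side allowlists the format and checks the decoded magic bytes so the format field cannot be spoofed. Field names (`signature_format`, `signature_data`) are hypothetical; the WAF pattern is the one quoted in the issue's log line, applied case-insensitively because the log shows lowercased matched data (an assumption); the 1x1 PNG is a constructed sample; base64 decoding uses Node's `Buffer`.

```javascript
// Added example, not part of the jquery.signature project.
// Pattern quoted in the issue's ModSecurity log line (id 212770); the log shows
// lowercased matched data, so it is assumed to be applied case-insensitively.
const WAF_PATTERN = /(asfunction|data|javascript|livescript|mocha|vbscript):/i;

// Allowlisted formats and the magic bytes each decoded payload must begin with.
const ALLOWED_MIME = new Map([
  ['image/png',  [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]], // PNG signature
  ['image/jpeg', [0xff, 0xd8, 0xff]],                               // JPEG SOI marker
]);

// Parse "data:<mime>;base64,<payload>" into its parts; null if not that shape.
function splitDataUrl(dataUrl) {
  const m = /^data:([a-z0-9.+-]+\/[a-z0-9.+-]+);base64,([A-Za-z0-9+/=]+)$/i.exec(dataUrl);
  if (!m) return null;
  return { mime: m[1].toLowerCase(), data: m[2] };
}

// Client side: build the form fields to post, format and raw data as separate
// variables (hypothetical field names) instead of one "data:" URL.
function toFormFields(dataUrl) {
  const parts = splitDataUrl(dataUrl);
  if (!parts) throw new Error('not a base64 data URL');
  return { signature_format: parts.mime, signature_data: parts.data };
}

// Server side: the format must be allowlisted and the decoded bytes must start
// with that format's magic number, so a lying format field is rejected.
function validateSignature(fields) {
  const magic = ALLOWED_MIME.get(fields.signature_format);
  if (!magic) return { ok: false, reason: 'format not allowed' };
  const bytes = Buffer.from(fields.signature_data, 'base64');
  if (bytes.length < magic.length) return { ok: false, reason: 'payload too short' };
  for (let i = 0; i < magic.length; i++) {
    if (bytes[i] !== magic[i]) return { ok: false, reason: 'magic bytes do not match format' };
  }
  return { ok: true, bytes: bytes.length };
}

// Would any posted field value trigger the quoted WAF pattern?
function wafWouldBlock(fields) {
  return Object.values(fields).some(v => WAF_PATTERN.test(String(v)));
}

// Constructed sample: a minimal 1x1 PNG, base64-encoded.
const SAMPLE_PNG_B64 =
  'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
const SAMPLE_DATA_URL = 'data:image/png;base64,' + SAMPLE_PNG_B64;

// Usage: the single data URL trips the pattern, the split fields do not, and the
// split fields still carry enough information to validate the image format.
console.log('blocked as one field:', wafWouldBlock({ data_signature: SAMPLE_DATA_URL }));
const fields = toFormFields(SAMPLE_DATA_URL);
console.log('blocked as split fields:', wafWouldBlock(fields));
console.log('validation:', validateSignature(fields));
```

Splitting the fields is what keeps the `data:` token out of every argument; the magic-byte check is what makes kbwood's concern (not knowing whether the payload is PNG or JPEG) answerable without trusting the format field. Narrowing the WAF rule itself to exempt `data:image/png` is the alternative, but it still leaves the server to verify that the payload really is a PNG.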
