Posted January 30, 2023 Currently I am seeing within Akamai (the CDN & Web Application Firewall in use for www.zero88.com/forum) some blocked POST requests when end users are trying to reply to an item on the forum. Something that piques my interest is that it looks like there are some values stored in a cookie which are being sent together with the POST request and which are classified by our WAF as an XSS attempt. When people clear their cache or visit the website incognito it seems that the issue does not happen, which somewhat confirms my initial thought that it could be due to some string stored in a cookie which is being sent with the POST request (or something else which is happening when someone replies). But since I do not know anything about the application I cannot confirm or deny this. To determine if this is actually an XSS attempt I would like to know what a valid POST looks like and whether information stored in a cookie is actually sent with the POST request. This information should help us investigate the issue further and hopefully determine whether this is a false positive or not.
January 30, 2023 I have tagged our developers for you on this, who are better placed to be able to provide more information on this.
January 30, 2023 Is there a way for you to tell what exactly triggered the firewall? Posts contain HTML, so I've seen this once for a client whose firewall was very sensitive and blocked literally any post containing formatted text.
January 30, 2023 \x0D\x0A: checking if there is any quotation mark ("), comma (,), line feed (\x0A) or carriage return (\x0D) in the string
January 30, 2023 What do you need from us, Jon? If you need to inspect POST requests, you can use your browser inspection tools or 3rd party apps designed to listen in and show POST data.
January 30, 2023 Solution: ips4_acpTabs is a valid cookie and that is an allowed value. It seems your firewall is flagging a false positive.
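The triage the thread converges on (a WAF rule that fires on a quotation mark, comma, LF or CR in a request string, tripped by a legitimate application cookie) can be reproduced offline against a captured Cookie header, which tells you which field is responsible before touching WAF rules. The script below is an added example and is not code from the thread, from Invision Community or from Akamai; the Cookie header is constructed, and the shape of the ips4_acpTabs value (a URL-encoded JSON object) is an assumption made for illustration, not a statement of the real cookie format.

```python
import json
from urllib.parse import unquote

# Characters the WAF rule quoted in the thread looks for in a decoded string.
FLAGGED = {
    '"': 'quotation mark',
    ',': 'comma',
    '\n': 'line feed',
    '\r': 'carriage return',
}


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie request header into {name: URL-decoded value}.

    Browsers send cookies percent-encoded; a WAF typically inspects the
    decoded form, so the decode step is what makes the quotes and commas
    visible to the rule.
    """
    cookies = {}
    for part in header.split(';'):
        part = part.strip()
        if not part or '=' not in part:
            continue
        name, _, value = part.partition('=')
        cookies[name.strip()] = unquote(value.strip())
    return cookies


def flagged_chars(value: str) -> list:
    """Return the human-readable names of every flagged character present."""
    return [desc for ch, desc in FLAGGED.items() if ch in value]


def inspect_cookies(header: str) -> dict:
    """Map each cookie that would trip the rule to the characters that trip it."""
    hits = {}
    for name, value in parse_cookie_header(header).items():
        found = flagged_chars(value)
        if found:
            hits[name] = found
    return hits


def is_plain_json(value: str) -> bool:
    """Triage aid: a decoded value that parses as a JSON object or array is
    consistent with application state, not with an injected script payload."""
    try:
        obj = json.loads(value)
    except ValueError:
        return False
    return isinstance(obj, (dict, list))


# Constructed sample header. The ips4_acpTabs value is an assumed
# URL-encoded JSON object; the real cookie's layout is not documented here.
SAMPLE_HEADER = (
    'ips4_IPSSessionFront=abc123; '
    'ips4_member_id=42; '
    'ips4_acpTabs=%7B%22core_members%22%3A%22members%22%2C'
    '%22core_settings%22%3A%22general%22%7D'
)


if __name__ == '__main__':
    for name, reasons in inspect_cookies(SAMPLE_HEADER).items():
        value = parse_cookie_header(SAMPLE_HEADER)[name]
        print(f'{name}: flagged for {", ".join(reasons)}; '
              f'plain JSON: {is_plain_json(value)}')
```

Run it against the header copied from the browser's network inspector (or from the WAF's blocked-request log) instead of the constructed sample; a cookie that is flagged only for quotes and commas and parses as JSON is the false-positive pattern described in the thread, whereas a value containing markup or script fragments deserves a closer look.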
January 31, 2023 Author: Thank you Marc, Daniel, SeNioR-, Matt and Andy... this seems to have pointed our IT team in the right direction. They've made some tweaks which appear to have fixed things; I'll keep an eye on it.