Jon Hole Posted January 30, 2023 Share Posted January 30, 2023 Currently I am seeing within Akamai (the CDN & Web Application Firewall in use for www.zero88.com/forum) some blocked POST requests when end users are trying reply to an item on the forum. Something that spikes my interest is that it looks like that there are some values stored in a cookie which are being send together with the POST request which are classified by our WAF as a XSS attempt. When people clear their cache or visit the website incognito it seems that the issue does not happen which does somewhat confirm my initial thought it could be due to some string which is being sent with the POST request stored in a cookie (or something else which is happening when someone replies). But since I do not know anything about the application I cannot confirm or deny this. To determine if this is actually an XSS attempt I would like to know how a valid POST looks like and if information stored in a cookie is actually sent with the POST request. This information should help us investigate the issue further and hopefully determine if this is a false positive or not. Link to comment Share on other sites More sharing options...
Marc Stridgen Posted January 30, 2023 Share Posted January 30, 2023 I have tagged our developers for you on this, who are better placed to be able to provide more information on this. SeNioR- and Jon Hole 2 Link to comment Share on other sites More sharing options...
Daniel F Posted January 30, 2023 Share Posted January 30, 2023 Is there a way for you to tell what exactly triggered the firewall? Posts contain HTML so I've seen this once for a client that his firewall was very sensitive and blocked literally any post containing formatted text. SeNioR- 1 Link to comment Share on other sites More sharing options...
Jon Hole Posted January 30, 2023 Author Share Posted January 30, 2023 Link to comment Share on other sites More sharing options...
SeNioR- Posted January 30, 2023 Share Posted January 30, 2023 x0D\x0A checking if there is any Quotation Mark ", Comma ,, a Line Feed \x0A or Carriage Return \x0D in the string Link to comment Share on other sites More sharing options...
Management Matt Posted January 30, 2023 Management Share Posted January 30, 2023 What do you need from us, Jon? If you need to inspect POST requests, you can use your browser inspection tools or 3rd party apps designed to listen in and show POST data. Marc Stridgen 1 Link to comment Share on other sites More sharing options...
Solution Andy Millne Posted January 30, 2023 Solution Share Posted January 30, 2023 ips4_acpTabs is a valid cookie and that is an allowed value. It seems your firewall is flagging a false positive. Marc Stridgen 1 Link to comment Share on other sites More sharing options...
Jon Hole Posted January 31, 2023 Author Share Posted January 31, 2023 Thank you Marc, Daniel, SeNioR-, Matt and Andy... this seems to have pointed our IT team in the right direction. They've made some tweaks which appears to have fixed things - I'll keep an eye on it. Link to comment Share on other sites More sharing options...
Marc Stridgen Posted February 1, 2023 Share Posted February 1, 2023 Glad to hear you got the issue sorted 🙂 Link to comment Share on other sites More sharing options...
Recommended Posts