Closed
Description
The token comes from a Laravel application which encrypts the token and then applies a base 64 encoding.
This request comes from a local dev environment.
How to reproduce the misbehavior (-> curl call)
curl -i -H "Cookie: XSRF-TOKEN=eyJpdiI6ImdqTy9WNWtXRTRiMEJjQ1BYN0lHdFE9PSIsInZhbHVlIjoiMFpod0pTUmFDalBZbjRNMVpIclBTbUdRNUs0eEVyQXpkN3NxZkI2bm5tZmQwb2RUanFSL3dscndlbmJUOXJVNHNlTkw2bWFvSC8ycVVmd3ZYZ0gzTUdpeElYNmd1RlhzdDYzNzRaVVJ2VDRqMHRCdVVWNW14UUliOFNRcEw2bUMiLCJtYWMiOiI5MzE3MzU2YTk5YzhiODMwMjcyNGE3NjVhNjkzMGQxMWY2YTY5N2Y5YzM4MTNiYjQ4M2I3Y2VkNzM3YjVhYTFlIiwidGFnIjoiIn0%3D" -H "x-backend: nginx" https://sandbox.coreruleset.org
Logs
{
  "transaction": {
    "client_ip": "",
    "time_stamp": "Mon May 19 16:37:45 2025",
    "server_id": "",
    "client_port": 43364,
    "host_ip": "",
    "host_port": 8443,
    "unique_id": "",
    "request": {
      "method": "GET",
      "http_version": "1.1",
      "uri": "/api/empresas?rid=675461"
    },
    "response": {
      "http_code": 403
    },
    "producer": {
      "modsecurity": "ModSecurity v3.0.14 (Linux)",
      "connector": "ModSecurity-nginx v1.0.3",
      "secrules_engine": "Enabled",
      "components": [
        "OWASP_CRS/4.14.0\""
      ]
    },
    "messages": [
      {
        "message": "PHP Injection Attack: High-Risk PHP Function Name Found",
        "details": {
          "match": "Matched \"Operator `PmFromFile' with parameter `php-function-names-933150.data' against variable `REQUEST_COOKIES:XSRF-TOKEN' (Value: `eyJpdiI6ImdqTy9WNWtXRTRiMEJjQ1BYN0lHdFE9PSIsInZhbHVlIjoiMFpod0pTUmFDalBZbjRNMVpIclBTbUdRNUs0eEVyQXpk (242 characters omitted)' )",
          "reference": "o20,5v1119,342",
          "ruleId": "933150",
          "file": "/usr/local/coreruleset-4.14.0/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf",
          "lineNumber": "320",
          "data": "Matched Data: rtrim found within REQUEST_COOKIES:XSRF-TOKEN: eyJpdiI6ImdqTy9WNWtXRTRiMEJjQ1BYN0lHdFE9PSIsInZhbHVlIjoiMFpod0pTUmFDalBZbjRNMVpIclBTbUdRNUs0eEVyQXpkN3NxZkI2bm5tZmQwb2RUanFSL3dscndlbmJUOXJVNHNlTkw2bWFvSC8ycVVmd3ZYZ0gzTUdpeElYNmd1RlhzdDYzNzRaVVJ2VDRqMHRCdVVWNW14UUliOFNRcEw2bUMiLCJtYWMiOiI5MzE3MzU2YTk5YzhiODMwMjcyNGE3NjVhNjkzMGQxMWY2YTY5N2Y5YzM4MTNiYjQ4M2I3Y2VkNzM3YjVhYTFlIiwidGFnIjoiIn0%3D",
          "severity": "2",
          "ver": "OWASP_CRS/4.14.0",
          "rev": "",
          "tags": [
            "application-multi",
            "language-php",
            "platform-multi",
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      },
      {
        "message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
        "details": {
          "match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' )",
          "reference": "",
          "ruleId": "949110",
          "file": "/usr/local/coreruleset-4.14.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
          "lineNumber": "222",
          "data": "",
          "severity": "0",
          "ver": "OWASP_CRS/4.14.0",
          "rev": "",
          "tags": [
            "anomaly-evaluation",
            "OWASP_CRS"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      }
    ]
  }
}
Your Environment
- CRS version (e.g., v3.3.4): v4.14.0
- Paranoia level setting (e.g. PL1) : PL1
- ModSecurity version (e.g., 2.9.6): v3.0.14
- Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Nginx v1.27.4
- Operating System and version: Debian 12
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
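
The match in the log above can be checked offline. The script below is an added example, not part of the original report or of CRS: it locates the case-insensitive "rtrim" hit in the raw cookie value, then decodes the Base64/JSON wrapper to see whether the phrase occurs in any decoded field. The function names are hypothetical, and it assumes the rule's @pmFromFile phrase match ignores case, as ModSecurity's phrase-match operators do.

```python
import base64
import json
from urllib.parse import unquote

# XSRF-TOKEN value copied from the report's curl command and audit log.
COOKIE = (
    "eyJpdiI6ImdqTy9WNWtXRTRiMEJjQ1BYN0lHdFE9PSIsInZhbHVlIjoiMFpod0pTUmFDal"
    "BZbjRNMVpIclBTbUdRNUs0eEVyQXpkN3NxZkI2bm5tZmQwb2RUanFSL3dscndlbmJUOXJV"
    "NHNlTkw2bWFvSC8ycVVmd3ZYZ0gzTUdpeElYNmd1RlhzdDYzNzRaVVJ2VDRqMHRCdVVWNW"
    "14UUliOFNRcEw2bUMiLCJtYWMiOiI5MzE3MzU2YTk5YzhiODMwMjcyNGE3NjVhNjkzMGQx"
    "MWY2YTY5N2Y5YzM4MTNiYjQ4M2I3Y2VkNzM3YjVhYTFlIiwidGFnIjoiIn0%3D"
)
PHRASE = "rtrim"  # "Matched Data" logged by rule 933150


def ci_hits(text, phrase):
    """Return (offset, matched text) for every case-insensitive occurrence."""
    low, needle, hits, pos = text.lower(), phrase.lower(), [], 0
    while (pos := low.find(needle, pos)) != -1:
        hits.append((pos, text[pos:pos + len(needle)]))
        pos += 1
    return hits


def decode_envelope(cookie):
    """URL-decode, Base64-decode, then parse the JSON wrapper."""
    return json.loads(base64.b64decode(unquote(cookie), validate=True))


def triage(cookie, phrase):
    """Compare hits in the raw cookie with hits inside the decoded fields."""
    envelope = decode_envelope(cookie)
    decoded = {k: ci_hits(str(v), phrase) for k, v in envelope.items()}
    return {
        "raw_hits": ci_hits(cookie, phrase),
        "fields": sorted(envelope),
        "decoded_hits": {k: h for k, h in decoded.items() if h},
    }


if __name__ == "__main__":
    print(json.dumps(triage(COOKIE, PHRASE), indent=2))
```

The only hit is the Base64 text "RTRiM" at offset 20, which lines up with the "o20,5" at the start of the log's reference field; none of the decoded fields contains the phrase.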