Browser integrity check

Hi,
The browser integrity check cookie “__cf_bm” content is sometimes causing the Apache XSS protection to block legitimate users for 30 minutes with a server origin 403 forbidden error.

Either Cloudflare needs to fix the content in this cookie or I will have no choice but to turn off the browser integrity check.

Here is an example of the error in the Apache error log:

[Tue Jan 05 23:09:45.338035 2021] [:error] [pid 17154:tid 47339265853184] [client 162.158.134.89:41030] [client 162.158.134.89] ModSecurity: Warning. Pattern match “(?i)([\\s\”’`;\\/0-9\\=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]+on[a-zA-Z]+[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=)" at REQUEST_COOKIES:__cf_bm. [file “/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf”] [line “52”] [id “941120”] [rev “2”] [msg “XSS Filter - Category 2: Event Handler Vector”] [data “Matched Data: 6/ONnlA= found within REQUEST_COOKIES:__cf_bm: e7d6d8c75e2ed32e8df8aeec1f75b51f31bc108d-1609884524-1800-ARIEgF/IeFXMn2pPvX6HvgI6qdswSbW19s1FuP5cyDcGVUJvDatI1KOyJT0B wxnhhOSzp4J5Z9Eb5vQcZ9iA0Qshk/1MmsflkSYrUqiLnRpsElAqGNGSHQh4xf6/ONnlA==”] [severity “CRITICAL”] [ver “OWASP_CRS/3.0.0”] [maturity “4”] [accuracy “8”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-xss”] [tag “OWASP_CRS/WEB_ATTACK/XSS”] [tag “WASCTC/WASC-8”] [tag “WASCTC/WASC-22”] [tag “OWASP_TOP_10/A3”] [tag “OWASP_AppSensor/IE1”] [tag “CAPEC-242”] [hostname “www.example.com”] [uri “/index”] [unique_id “X-TjqYndzK8uIBgtE0D1RQAAABA”], referer: https://www.example.com

Can Cloudflare fix this issue in the cookie content so the webservers don’t block legitimate users?

Are you saying it’s a malicious cookie…sometimes?

No, the cookie is not malicious but the webserver thinks it is. My website has about 2000 users per day and this happens to 5 people a day depending on what the cookie value is. So most of the time there are no problems.

Then it’s a false positive and the server’s test needs to be updated.

I understand your point. But why does Cloudflare use dangerous XSS characters in the cookie in the first place?
This is a Hostgator dedicated Linux server, nothing “home made”. I created this post to let everyone know this can be a problem but I will have to turn the BIC off, unfortunately. I don’t have the knowledge how to edit these Apache rules. If Cloudflare would use normal characters in the cookie this problem would not exist.

Thanks anyway!

That’s the point, there’s nothing dangerous and nothing XSS in there. Your rule is simply broken and needs to be adjusted as @sdayman already pointed out.

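Added example, not part of the thread and not Cloudflare's or the OWASP CRS project's code: the rule 941120 pattern from the log line above, run in Python's `re` against the logged cookie value, showing that the flagged substring consists only of base64 characters. The function names and the two strings marked as constructed are assumptions made for illustration.

```python
import re
import string

# Pattern of CRS rule 941120 as printed in the log line, with the log's
# doubled backslashes collapsed and its typographic quotes restored to ASCII.
RULE_941120 = re.compile(
    r"""(?i)([\s"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+"""
    r"""[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)"""
)

# Characters that can legitimately appear in a padded base64 string.
BASE64_CHARS = set(string.ascii_letters + string.digits + "+/=")

# __cf_bm value copied from the log line, including the space shown there.
LOGGED_COOKIE = (
    "e7d6d8c75e2ed32e8df8aeec1f75b51f31bc108d-1609884524-1800-"
    "ARIEgF/IeFXMn2pPvX6HvgI6qdswSbW19s1FuP5cyDcGVUJvDatI1KOyJT0B wxnhh"
    "OSzp4J5Z9Eb5vQcZ9iA0Qshk/1MmsflkSYrUqiLnRpsElAqGNGSHQh4xf6/ONnlA=="
)

# Constructed: the same kind of base64 tail with one letter changed (N -> M).
CONSTRUCTED_NO_HIT = "h4xf6/OMnlA=="

# Constructed: markup with an event-handler attribute, the input the rule
# was written to flag.
CONSTRUCTED_HANDLER = "<body onload=init()>"


def matched_data(value):
    """Return the substring rule 941120 would report, or None if no match."""
    hit = RULE_941120.search(value)
    return hit.group(1) if hit else None


def is_plain_base64(text):
    """True when every character of text belongs to the base64 alphabet."""
    return set(text) <= BASE64_CHARS


if __name__ == "__main__":
    for label, value in (("logged cookie", LOGGED_COOKIE),
                         ("constructed tail", CONSTRUCTED_NO_HIT),
                         ("constructed handler", CONSTRUCTED_HANDLER)):
        hit = matched_data(value)
        print(f"{label}: match={hit!r} "
              f"base64_only={is_plain_base64(hit) if hit else None}")
```

The match needs only a digit or `/`, then `on`, then letters, then `=`, all of which base64 output with padding can produce by chance. ModSecurity's `SecRuleUpdateTargetById 941120 "!REQUEST_COOKIES:__cf_bm"`, loaded after the CRS rules, stops this rule from inspecting that one cookie while leaving it active for all other inputs.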