Browser integrity check

mike8702 · February 6, 2021, 11:36am

Hi,
The browser integrity check cookie “__cf_bm” content is sometimes causing the Apache XSS protection to block legitimate users for 30 minutes with a server origin 403 forbidden error.

Either Cloudflare needs to fix the content in this cookie or I will have no choice but to turn of the browser integrity check.

Here is an example of the error in the Apache error log:

[Tue Jan 05 23:09:45.338035 2021] [:error] [pid 17154:tid 47339265853184] [client 162.158.134.89:41030] [client 162.158.134.89] ModSecurity: Warning. Pattern match “(?i)([\\s\”'`;\\/0-9\\=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]+on[a-zA-Z]+[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=)" at REQUEST_COOKIES:__cf_bm. [file “/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf”] [line “52”] [id “941120”] [rev “2”] [msg “XSS Filter - Category 2: Event Handler Vector”] [data “Matched Data: 6/ONnlA= found within REQUEST_COOKIES:__cf_bm: e7d6d8c75e2ed32e8df8aeec1f75b51f31bc108d-1609884524-1800-ARIEgF/IeFXMn2pPvX6HvgI6qdswSbW19s1FuP5cyDcGVUJvDatI1KOyJT0B wxnhhOSzp4J5Z9Eb5vQcZ9iA0Qshk/1MmsflkSYrUqiLnRpsElAqGNGSHQh4xf6/ONnlA==”] [severity “CRITICAL”] [ver “OWASP_CRS/3.0.0”] [maturity “4”] [accuracy “8”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-xss”] [tag “OWASP_CRS/WEB_ATTACK/XSS”] [tag “WASCTC/WASC-8”] [tag “WASCTC/WASC-22”] [tag “OWASP_TOP_10/A3”] [tag “OWASP_AppSensor/IE1”] [tag “CAPEC-242”] [hostname “www.example.com”] [uri “/index”] [unique_id “X-TjqYndzK8uIBgtE0D1RQAAABA”], referer: https://www.example.com

Can Cloudflare fix this issue in the cookie content so the webservers don’t block legitimate users?

sdayman · February 6, 2021, 1:40pm

Are you saying it’s a malicious cookie…sometimes?

mike8702 · February 6, 2021, 1:55pm

No, the cookie is not malicious but the webserver think it is. My website has about 2000 users per day and this happens to 5 people a day depending on what the cookie value is. So most of the time there are no problems

sdayman · February 6, 2021, 2:06pm

Then it’s a false positive and the server’s test need to be updated.

mike8702 · February 6, 2021, 2:47pm

I understand your point. But why does Cloudflare use dangerous XSS characters in the cookie in the first place?
This is a Hostgator dedicated Linux server, nothing “home made”. I created this post to let everyone know this can be a problem but I will have to turn the BIC off unfortunatly. I don’t have the knowledge how to edit these Apache rules. If Cloudflare would use normal characters in the cookie this problem would not exist.

Thanks anyway!

sandro · February 6, 2021, 2:52pm

That’s the point, there’s nothing dangerous and nothing XSS in there. Your rule is simply broken and needs to be adjusted as @sdayman already pointed out.

system · February 7, 2021, 2:53pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_cf_bm cookie and OWASP/Modsecurity rule set Security	1	2348	October 5, 2021
API request blocked by Browser integrity check Security	12	2834	June 18, 2022
Issue troubleshooting/remediating browser integrity check Security dash-troubleshooting	2	2462	May 1, 2019
Top Threat Type Previous 30 days Bad browser Security	3	1984	June 22, 2022
Security level / browser checks Security	4	1908	December 10, 2021

Browser integrity check

Related topics