__cf_bm cookie and OWASP/ModSecurity rule set

I see a lot of false positives in ModSecurity using the OWASP rule set which are triggered by random characters in the __cf_bm cookie. The specific OWASP rules being triggered seem to be 941120 (XSS Filter) (Pattern match "(?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" at REQUEST_COOKIES:__cf_bm) and 941100 (XSS Attack detected) (Matched Data: XSS data found within REQUEST_COOKIES:__cf_bm).

As the OWASP rule set is very widely distributed, it seems to me that Cloudflare developers should be careful to take steps to ensure that the __cf_bm cookies will not generate character sequences that will trigger these rules – the end result is that users are having access blocked server-side by ModSecurity activity.
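To see why an opaque bot-management token can trip rule 941120, the added script below (not part of the original post, and not Cloudflare's or the CRS project's code) runs the 941120 regex quoted in the post over constructed cookie values and simulates ModSecurity evaluating it per cookie, with and without a per-cookie target exclusion. The cookie values are made up; `__cf_bm` tokens are base64-style strings that can end in `=`, so a run like `0onXyz=` is enough to match `[0-9]on[a-zA-Z]+=` without any attacker involvement.

```python
import re

# Regex of CRS rule 941120 as quoted in the ModSecurity log line in the post
# (detects "on<event>=" HTML event-handler attributes). Characters in the leading
# class: whitespace, quotes, backtick, ';', '/', digits, '=', and a few control
# and punctuation bytes; then "on", letters, optional separators, and '='.
RULE_941120 = re.compile(
    r"(?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?="
)


def matches_941120(value: str) -> bool:
    """True if the value would trigger 941120 when inspected as a cookie value."""
    return RULE_941120.search(value) is not None


def matched_fragment(value: str):
    """The exact substring ModSecurity would report as matched, or None."""
    m = RULE_941120.search(value)
    return m.group(0) if m else None


# Constructed sample values (not real Cloudflare tokens). The "false_positive"
# token is an ordinary-looking base64-style string that happens to contain
# "0onXyz=": a digit, "on", letters, then the padding '='.
SAMPLES = {
    "benign": "k2Vb9Qx7LpR3mNwZ-1700000000-1-AbCdEfGhIjKlMnOp",
    "false_positive": "k2Vb9Qx7LpR3mNwZ-1700000000-1-AbC0onXyz=",
    "real_xss": "x onerror=alert(1)",
}


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into {name: value}.

    Only the first '=' separates name from value, so '=' padding inside a
    base64-style value is preserved (ModSecurity's REQUEST_COOKIES does the same).
    """
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def cookies_hitting_941120(cookie_header: str, excluded=()) -> list:
    """Names of cookies whose values match 941120.

    `excluded` models a CRS target exclusion such as
    SecRuleUpdateTargetById 941120 "!REQUEST_COOKIES:__cf_bm"
    (assumed deployment choice, not part of the original post): the rule still
    runs against every other cookie, only the named cookie is skipped.
    """
    hits = []
    for name, value in parse_cookie_header(cookie_header).items():
        if name in excluded:
            continue
        if matches_941120(value):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:15} -> {matched_fragment(value)!r}")
    header = "session=abc; __cf_bm=" + SAMPLES["false_positive"]
    print("no exclusion :", cookies_hitting_941120(header))
    print("with exclusion:", cookies_hitting_941120(header, excluded=("__cf_bm",)))
```

Running it shows the benign token passing, the padded token matching on `0onXyz=`, and a genuine `onerror=` payload still being caught in any other cookie once `__cf_bm` is excluded. In a real deployment the equivalent of `excluded` is `SecRuleUpdateTargetById 941120 "!REQUEST_COOKIES:__cf_bm"` (and the same line for 941100), which must be loaded after the CRS rules themselves; the CRS ships the `RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf` file for exactly this kind of per-target exclusion.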
