nginx – WAF ModSecurity CRS rule not detecting HTML tags

We have used ModSecurity for nginx with the OWASP CoreRuleSet 3.3 on our nginx web server. Below are the inputs from the web UI.

1. {
  "data": {
    "id": 1002,
    "email": "testmodsec@gmail.com",
    "name": "ske<h1 onmouseover=\"console.log(\"js\")\">test</h1>",
    "locale": "en",
    "category": 1,
    "status": 0
  }
}

2. {
  "data": {
    "id": 1002,
    "email": "testmodsec@gmail.com",
    "name": "ske<img src=\"\"onerror=\"alert(1)\">",
    "locale": "en",
    "category": 1,
    "status": 0
  }
}

3. {
  "data": {
    "id": 1002,
    "email": "testmodsec@gmail.com",
    "name": "ske<h1>test</h1>",
    "locale": "en",
    "category": 1,
    "status": 0
  }
}

Inputs 1 and 2 are caught by the HTML injection CRS 941 rules, but for input 3 CRS rule 941320 (HTML Tag Handler) is not triggered.

We need to block all 3 inputs with ModSecurity CRS rules.

CoreRuleSet version used: v3.3.

Please help.
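As an added example, not part of the original question or of the CRS project: in CRS 3.3, rule 941320 is tagged paranoia-level/2, so it only executes when the paranoia level is at least 2; at the default level 1 a bare tag such as `<h1>test</h1>` is not inspected by it, while inputs 1 and 2 are caught by the paranoia level 1 rules that look for event handlers and `<img ... onerror=`. The rule below blocks any HTML start or end tag in any request argument independent of the paranoia level. It assumes the stock modsecurity.conf-recommended rule 200001 is active (it switches the request body processor to JSON for `Content-Type: application/json`, so the `name` field arrives as `ARGS:json.data.name`); the rule id 10001 and the regex are illustrative choices for this example.

```apache
# Added example rule, not from the question or from CRS.
# Assumes the JSON body processor is enabled for application/json
# (modsecurity.conf-recommended rule 200001), so {"data":{"name":"..."}}
# is exposed as ARGS:json.data.name.
# Id 10001 is in the 1-99999 range reserved for local rules; put this in a
# file that nginx loads together with the CRS rule files.

# Deny any request whose arguments contain an HTML start or end tag,
# e.g. <h1>, </h1>, <img src="" onerror=...>, <h1 onmouseover=...>.
# The transformations mirror what the CRS 941 rules apply before matching;
# t:lowercase lets the [a-z] classes cover mixed-case tags such as <H1>.
SecRule ARGS "@rx <\s*/?[a-z][a-z0-9]*[^>]*>" \
    "id:10001,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,t:lowercase,\
    msg:'HTML tag in request argument',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    severity:'CRITICAL'"
```

The alternative, without a custom rule, is to raise `tx.paranoia_level` in rule 900000 of crs-setup.conf to 2 so that 941320 itself runs; expect more false positives across the whole rule set at that level, so test it in DetectionOnly mode first. The custom rule above is narrower: it only adds the "any HTML tag" check and leaves the CRS paranoia level unchanged.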
