Route GET /favicon triggers XSS rule for no apparent reason
Hey,
For some reason Naxsi is blocking the call to /favicon when accessing Gitlab.
The only thing that works is to deactivate the rule (1315) that is triggered.
- The error log :
[error] 26#26: *50 NAXSI_FMT: ip=xx.xx.xx.xx&server=mydns&uri=/favicon.ico&learning=0&vers=0.56&total_processed=15&total_blocked=10&block=1&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=HEADERS&id0=1007&var_name0=cookie&zone1=HEADERS&id1=1315&var_name1=cookie, client: xx.xx.xx.xx, server: mydns_temp, request: "GET /favicon.ico HTTP/1.1", host: "mydns", referrer: "https://mydns/"
- My current nginx config :
server {
listen 443 ssl;
server_name usinelog_temp;
ssl_certificate /usr/share/nginx/certificates/fullchain.pem;
ssl_certificate_key /usr/share/nginx/certificates/privkey.pem;
include /etc/ssl-options/options-nginx-ssl.conf;
ssl_dhparam /etc/ssl-options/ssl-dhparams.pem;
location / {
SecRulesEnabled;
#LearningMode;
DeniedUrl "/denied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://xx.xx.xx.xx;
}
}
I added BasicRule wl:1315; to pause the rule and now it's working.
But I would like to know what I'm doing wrong and how to make this work.
Thx
Looks like there is a parameter in that specific header that is interpreted as MainRule "rx:%[2|3]." "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
Check your headers.
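To see which fragment of the Cookie header trips these rules, and to whitelist them only for that header instead of globally with wl:1315;, here is an added Python example (not from this thread or the naxsi project). The cookie value is constructed; rule 1315's pattern is the one quoted above, and rule 1007's pattern ("str:--") is assumed from naxsi_core.rules.

```python
import re
from urllib.parse import parse_qs

# Constructed copy of the NAXSI_FMT line from the report (hosts/IPs redacted as in the post).
LOG_LINE = (
    "[error] 26#26: *50 NAXSI_FMT: ip=xx.xx.xx.xx&server=mydns&uri=/favicon.ico"
    "&learning=0&vers=0.56&total_processed=15&total_blocked=10&block=1"
    "&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8"
    "&zone0=HEADERS&id0=1007&var_name0=cookie&zone1=HEADERS&id1=1315&var_name1=cookie"
    ', client: xx.xx.xx.xx, server: mydns_temp, request: "GET /favicon.ico HTTP/1.1"'
)

# Constructed cookie: a URL-encoded, signed "value--signature" style token.
COOKIE = "session=YWJj%3D%3D--0123abcd"

# Patterns of the two rules the log names. naxsi "rx:" is a regex, "str:" a literal.
# 1315 is quoted in the thread; 1007 ("str:--") is assumed from naxsi_core.rules.
RULES = {
    1315: re.compile(r"%[2|3]."),
    1007: re.compile(re.escape("--")),
}

def parse_naxsi_fmt(line):
    """Return [(rule_id, zone, var_name)] for every idN/zoneN/var_nameN triple."""
    fmt = line.split("NAXSI_FMT: ", 1)[1].split(", client:", 1)[0]
    kv = parse_qs(fmt, keep_blank_values=True)
    hits, n = [], 0
    while f"id{n}" in kv:
        hits.append((int(kv[f"id{n}"][0]), kv[f"zone{n}"][0], kv[f"var_name{n}"][0]))
        n += 1
    return hits

def explain_cookie_hits(cookie_header, hits):
    """Map each rule that fired on the Cookie header to the fragment its pattern matched."""
    out = {}
    for rule_id, zone, var in hits:
        if zone == "HEADERS" and var.lower() == "cookie" and rule_id in RULES:
            m = RULES[rule_id].search(cookie_header)
            out[rule_id] = m.group(0) if m else None
    return out

def scoped_whitelists(hits):
    """Whitelist each rule only for the header variable that fired, not site-wide."""
    return [f'BasicRule wl:{rid} "mz:$HEADERS_VAR:{var}";'
            for rid, zone, var in hits if zone == "HEADERS"]

if __name__ == "__main__":
    hits = parse_naxsi_fmt(LOG_LINE)
    print(explain_cookie_hits(COOKIE, hits))
    print("\n".join(scoped_whitelists(hits)))
```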