Root Cause Analysis of Cross-Origin Request Errors Triggered by WAF XSS Filtering

This document describes how to pinpoint and resolve a cross‑origin error that occurred when a business backend form was submitted, initially appearing as a CORS failure.

The HTTP request path was examined: the browser queries the ISP DNS for the IP, sends the request to Nginx, which proxies to the web server, and finally the response is returned. Diagrams illustrate each stage.

Investigation revealed that the form used application/json POST and the system employed a front‑back separation architecture with CORS already configured in Nginx.

Step 1 – Self‑testing: By modifying individual form fields, the moduleExport field was identified as the trigger. Reducing the size of the JavaScript code in this field eliminated the error, suggesting a possible request‑body size limit.

Step 2 – HTTP body limit checks: The response code from LVS was 418, not 502, so LVS was excluded. Nginx’s configuration allowed up to 50 MB (the request was ~2 MB), and Tomcat’s maxPostSize was set to -1 (unlimited). Both layers were ruled out.

Step 3 – Collaborative review: Operations discovered an Ingress layer with a 3072 MB limit, also not the cause. Security indicated that the company’s XSS protection could return a cross‑origin error when validation fails.

Further packet captures showed the request reaching a WAF server (IP matched the WAF) and returning status 418, confirming WAF involvement.

The offending payload was the module.exports.items.properties.configs.config.validator field, which matched a high‑risk XSS rule in the WAF.

Step 4 – WAF investigation: Detailed packet traces and the WAF’s rule set were examined, confirming that the validator function triggered the XSS filter.

Problem analysis: The root cause was the WAF’s XSS detection flagging legitimate JSON content as malicious, leading to a false CORS error.

The article also explains CORS fundamentals, same‑origin policy, and common cross‑origin solutions (IFRAME, JSONP, CORS), followed by an overview of XSS attacks and mitigation techniques such as HTTPOnly cookies and character escaping.

Resolution: After the security team adjusted the WAF rule set, the form submission succeeded and the issue was closed.

Summary and recommendations: Use controlled variable testing to isolate problems, become familiar with each network component’s responsibilities, and maintain up‑to‑date WAF rules to avoid false positives.

module.exports = {
    "labelWidth": 80,
    "schema": {
        "title": "XXX",
        "type": "array",
        "items":{
            "type":"object",
            "required":["key","value"],
            "properties":{
                "conf":{
                    "title":"XXX",
                    "type":"string"
                },
                "configs":{
                    "title":"XXX",
                    "type":"array",
                    "items":{
                        // ...
                        config: {
                            // ...
                            validator: function(value, callback) {
                                // 至少填写一项
                                if(!value || !Object.keys(value).length) {
                                    return callback(new Error('至少填写一项'))
                                }
                                callback()
                            }
                        }
                        // ...
                    }
                }
            }
        }
    }
}