OWASP CRS ModSecurity rules not blocking malicious request body in OpenLiteSpeed

#1
I followed this tutorial: Installing and Configuring the OpenLiteSpeed ModSecurity Module • OpenLiteSpeed to install OWASP CRS.

Tested with malicious URL like:
- http://localhost:8003/attack.php?q=<script>alert(document.cookie)</script>
- http://localhost:8003/attack.php?q=/bin/bash

All work pretty well; the web server returns 403.

But then I tried to send this JSON payload in body:
JSON:
{
    "title": "<script>alert(document.cookie)</script>"
}
The request does not get blocked.

I tried to send the same payload to CRS sandbox:
Bash:
curl -s -d @payload.json -H "x-format-output: txt-matched-rules-extended" https://sandbox.coreruleset.org
it returns with:
Code:
This payload has been tested against the OWASP ModSecurity Core Rule Set
web application firewall. The test was executed using the apache engine and CRS version 3.3.2.

The payload is being detected by triggering the following rules:

941100 PL1 XSS Attack Detected via libinjection
941110 PL1 XSS Filter - Category 1: Script Tag Vector
941160 PL1 NoScript XSS InjectionChecker: HTML Injection
941180 PL1 Node-Validator Blacklist Keywords
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 20)
980130 PL1 Inbound Anomaly Score Exceeded (Total Inbound Score: 20 - SQLI=0,XSS=20,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 20, 0, 0, 0


CRS therefore detects this payload starting with paranoia level 1.
This indicates that the payload is malicious and should get blocked.

For more info about CRS sandbox: Introducing the CRS Sandbox – OWASP ModSecurity Core Rule Set

How to solve this problem in OpenLiteSpeed?

Thank you.
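Added example, not from this thread or the OpenLiteSpeed tutorial: a ModSecurity configuration fragment with the body-inspection settings a libmodsecurity-based engine needs before the CRS 941xxx rules can see a JSON request body at all. The file paths and rule placement are assumptions to check against your own OpenLiteSpeed rule file.

```apacheconf
# Added example (not from the thread or the OpenLiteSpeed tutorial).
# Paths are hypothetical; place these directives before the CRS include
# in the rule file your OpenLiteSpeed modsecurity module loads.

# Without body access the engine only sees the request line and headers,
# so a payload inside a POST body never reaches the 941xxx XSS rules.
# Query-string payloads (the ?q= tests above) are inspected regardless.
SecRequestBodyAccess On

# Body size limits (values are illustrative, not OpenLiteSpeed defaults).
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject

# Parse JSON bodies into ARGS, mirroring rule 200001 from
# modsecurity.conf-recommended. Without a body processor the JSON is
# not turned into the ARGS:title variable that the CRS rules target.
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
    "id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Blocking mode; DetectionOnly would log the 941xxx hits but still return 200.
SecRuleEngine On

# CRS setup and rules come after the directives above (paths are assumptions).
Include /usr/local/lsws/conf/modsec/crs/crs-setup.conf
Include /usr/local/lsws/conf/modsec/crs/rules/*.conf
```

When re-testing, send the payload with `-H "Content-Type: application/json"`; if the client omits that header the processor rule never fires and the body is not parsed, and the audit log will show no 941xxx entries even with body access on.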