ModSecurity on CyberPanel Problem Stripe hooks

RU

RO3B UN1X May 16, 2022, 3:49 p.m. #1

Hi Guys, My website use to work normally after I followed the instruction to enable and install ModSecurity.
if any of my customers want to pay using stripe after payment when he clicks on return to the merchant they will have ‘‘403 Forbbiden error’’ and their balance will not be updated.
And in the same time, I can’t deactivate the security. How can I fix this problem ??

The URL like this would be blocked by the ModSecurity:

https://example.com/add_funds/stripe3ds/complete?session_id=cs_live_a14EHSM5SIWbb5DhvF&paymentOption=stripe3ds&orderId=ORDS165271

Please help & Thank you

Dr

Dreamer May 16, 2022, 4:16 p.m. #2

See from logs which rule block that and disable it.

of

ofm1990 Aug. 21, 2022, 3:39 p.m. #3

I have the same problem, how did you solve it? @RO3B ?

RM

Rana Muhammad Usman Nasir Aug. 25, 2022, 6:46 a.m. #4

Can you check that which rule is blocking this request and disable that specific rule.

of

ofm1990 Aug. 25, 2022, 1:26 p.m. #6

Thanks!

Wouldn’t it be possible to disable it by adding a rule?

From what I understand the only way is to identify the package and disable the item completely, right?

I’ve tried and it doesn’t work to add a rule like this for example:
SecRule REQUEST_URI "@contains landingpages" "id:1001,phase:1,t:none,pass, nolog,ctl:ruleRemoveById=943120",

it would not be ideal to disable one of these items as the false positive is only in a URL.

thx

of

ofm1990 Aug. 25, 2022, 2:22 p.m. #7

It only worked when I went to the file and deleted line 79:
usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf

SecRule REQUEST_URI "@contains landingpages" "id:1001,phase:1,t:none,pass, nolog,ctl:ruleRemoveById=943120",

It doesn’t work if you add the rules via cyberpanel

Dr

Dreamer Aug. 26, 2022, 2:48 a.m. #8

When you update cyberpanel your edit will be overwritten. You can go on cyberpanel modsecurity settings and disable rule 943.

of

ofm1990 Aug. 26, 2022, 3:20 a.m. #9

I did that, it really works, but shouldn’t the rules work?

I would like to disable 943 just for the specific URL, so all my other 20 sites are vulnerable to these attacks because of a single URL.

of

ofm1990 Aug. 26, 2022, 5:24 p.m. #10

This ticket continues here:

github.com/coreruleset/coreruleset

Stripe checkout return url respond 403 (session_id)

opened 01:42PM - 25 Aug 22 UTC

closed 01:06PM - 26 Aug 22 UTC

False Positive

### Description I'm using Stripe as a checkout, when it returns the customer …to the site, it has a hook called "session_id", if it is in the URL the 403 error is printed. LOG: > ModSecurity: Warning. Matched "Operator Eq' with parameter 0' against variable REQUEST_HEADERS:Referer' (Value: 0' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "79"] [id "943120"] [rev ""] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS:Referer: 0"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/225/21/593/61"] [hostname "site.com.br"] [uri "/landingpages/moto/"] [unique_id "1661220656"] [ref "o0,10v86,10t:urlDecodeUni,t:lowercase"] > ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5' against variable TX:ANOMALY_SCORE' (Value: 5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "site.com.br"] [uri "/landingpages/moto/"] [unique_id "1661220656"] [ref ""] ### Your Environment My server is Ubuntu 20.04, Cyberpanel with OLS * CRS version (e.g., v3.2.0): OWASP_CRS/3.3.2 * Paranoia level setting: 1 * ModSecurity version (e.g., 2.9.3): owasp 3.0 * Web Server and version (e.g., apache 2.4.41): Open Lite Speed * Operating System and version: Ubuntu 20.04 Enable: 1 | owasp | crs-setup.conf | 2 | owasp | REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf | 3 | owasp | REQUEST-901-INITIALIZATION.conf | 4 | owasp | REQUEST-905-COMMON-EXCEPTIONS.conf | 5 | owasp | REQUEST-910-IP-REPUTATION.conf | 6 | owasp | REQUEST-911-METHOD-ENFORCEMENT.conf | 7 | owasp | REQUEST-912-DOS-PROTECTION.conf | 8 | owasp | REQUEST-913-SCANNER-DETECTION.conf | 9 | owasp | REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 10 | owasp | REQUEST-921-PROTOCOL-ATTACK.conf | 11 | owasp | REQUEST-930-APPLICATION-ATTACK-LFI.conf | 12 | owasp | REQUEST-931-APPLICATION-ATTACK-RFI.conf | 13 | owasp | REQUEST-932-APPLICATION-ATTACK-RCE.conf | 14 | owasp | REQUEST-933-APPLICATION-ATTACK-PHP.conf | 15 | owasp | REQUEST-941-APPLICATION-ATTACK-XSS.conf | 16 | owasp | REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 17 | owasp | REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf | 18 | owasp | REQUEST-949-BLOCKING-EVALUATION.conf | 19 | owasp | RESPONSE-950-DATA-LEAKAGES.conf | 20 | owasp | RESPONSE-951-DATA-LEAKAGES-SQL.conf | 21 | owasp | RESPONSE-952-DATA-LEAKAGES-JAVA.conf | 22 | owasp | RESPONSE-953-DATA-LEAKAGES-PHP.conf | 23 | owasp | RESPONSE-954-DATA-LEAKAGES-IIS.conf | 24 | owasp | RESPONSE-959-BLOCKING-EVALUATION.conf | 25 | owasp | RESPONSE-980-CORRELATION.conf | 26 | owasp | RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ### Confirmation [x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

Sign in to reply