RO3B
May 16, 2022, 3:49pm
1
Hi guys, my website used to work normally. After I followed the instructions to enable and install ModSecurity, if any of my customers pays using Stripe and, after payment, clicks "return to the merchant", they get a "403 Forbidden" error and their balance is not updated.
And at the same time, I can't deactivate the security. How can I fix this problem?
A URL like this would be blocked by ModSecurity:
https://example.com/add_funds/stripe3ds/complete?session_id=cs_live_a14EHSM5SIWbb5DhvF&paymentOption=stripe3ds&orderId=ORDS165271
Please help, and thank you.
See from the logs which rule blocks that and disable it.
I have the same problem, how did you solve it, @RO3B?
[cyberpanel modsecurity]
> What is ModSecurity?
> ModSecurity is an open-source web application firewall (WAF). There are different sorts of firewalls available in today's market, but ModSecurity is a signature-based firewall. LiteSpeed Web Server has its own high-performance ModSecurity engine, offering excellent compatibility and performance. LiteSpeed/OpenLiteSpeed works well with popular ModSecurity rule sets such as OWASP, Atomicorp, Comodo, and CloudLinux Imunify360.
> Even though it's a sig…
Can you check which rule is blocking this request and disable that specific rule?
Thanks!
Wouldn't it be possible to disable it by adding a rule?
From what I understand, the only way is to identify the package and disable the item completely, right?
I've tried, and it doesn't work to add a rule like this, for example:
```
SecRule REQUEST_URI "@contains landingpages" "id:1001,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=943120"
```
It would not be ideal to disable one of these items, as the false positive is only in one URL.
Thanks
It only worked when I went to the file and deleted line 79:
```
/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
```
```
SecRule REQUEST_URI "@contains landingpages" "id:1001,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=943120"
```
It doesn't work if you add the rules via CyberPanel.
When you update CyberPanel, your edit will be overwritten. You can go to the CyberPanel ModSecurity settings and disable rule 943.
I did that, and it really works, but shouldn't the rules work?
I would like to disable 943 just for the specific URL, since all my other 20 sites are vulnerable to these attacks because of a single URL.
This ticket continues here:
False Positive (opened 01:42PM 25 Aug 22 UTC, closed 01:06PM 26 Aug 22 UTC)
### Description
I'm using Stripe as a checkout. When it returns the customer … to the site, it has a hook called "session_id"; if it is in the URL, the 403 error is printed.
LOG:
> ModSecurity: Warning. Matched "Operator Eq' with parameter 0' against variable REQUEST_HEADERS:Referer' (Value: 0' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "79"] [id "943120"] [rev ""] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS:Referer: 0"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/225/21/593/61"] [hostname "site.com.br"] [uri "/landingpages/moto/"] [unique_id "1661220656"] [ref "o0,10v86,10t:urlDecodeUni,t:lowercase"]
> ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5' against variable TX:ANOMALY_SCORE' (Value: 5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "site.com.br"] [uri "/landingpages/moto/"] [unique_id "1661220656"] [ref ""]
### Your Environment
My server is Ubuntu 20.04, CyberPanel with OLS.
* CRS version (e.g., v3.2.0): OWASP_CRS/3.3.2
* Paranoia level setting: 1
* ModSecurity version (e.g., 2.9.3): owasp 3.0
* Web Server and version (e.g., apache 2.4.41): OpenLiteSpeed
* Operating System and version: Ubuntu 20.04
Enabled rule files:

| # | Package | File |
|---|---------|------|
| 1 | owasp | crs-setup.conf |
| 2 | owasp | REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf |
| 3 | owasp | REQUEST-901-INITIALIZATION.conf |
| 4 | owasp | REQUEST-905-COMMON-EXCEPTIONS.conf |
| 5 | owasp | REQUEST-910-IP-REPUTATION.conf |
| 6 | owasp | REQUEST-911-METHOD-ENFORCEMENT.conf |
| 7 | owasp | REQUEST-912-DOS-PROTECTION.conf |
| 8 | owasp | REQUEST-913-SCANNER-DETECTION.conf |
| 9 | owasp | REQUEST-920-PROTOCOL-ENFORCEMENT.conf |
| 10 | owasp | REQUEST-921-PROTOCOL-ATTACK.conf |
| 11 | owasp | REQUEST-930-APPLICATION-ATTACK-LFI.conf |
| 12 | owasp | REQUEST-931-APPLICATION-ATTACK-RFI.conf |
| 13 | owasp | REQUEST-932-APPLICATION-ATTACK-RCE.conf |
| 14 | owasp | REQUEST-933-APPLICATION-ATTACK-PHP.conf |
| 15 | owasp | REQUEST-941-APPLICATION-ATTACK-XSS.conf |
| 16 | owasp | REQUEST-942-APPLICATION-ATTACK-SQLI.conf |
| 17 | owasp | REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf |
| 18 | owasp | REQUEST-949-BLOCKING-EVALUATION.conf |
| 19 | owasp | RESPONSE-950-DATA-LEAKAGES.conf |
| 20 | owasp | RESPONSE-951-DATA-LEAKAGES-SQL.conf |
| 21 | owasp | RESPONSE-952-DATA-LEAKAGES-JAVA.conf |
| 22 | owasp | RESPONSE-953-DATA-LEAKAGES-PHP.conf |
| 23 | owasp | RESPONSE-954-DATA-LEAKAGES-IIS.conf |
| 24 | owasp | RESPONSE-959-BLOCKING-EVALUATION.conf |
| 25 | owasp | RESPONSE-980-CORRELATION.conf |
| 26 | owasp | RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf |
### Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
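The two pieces of advice in the thread ("see from the logs which rule blocks that" and "disable it just for the specific URL") can be put together as a small tool. The following is an added Python example, not code from the thread, from CyberPanel or from the OWASP CRS project. It parses ModSecurity error-log lines of the shape quoted in the issue, lists for each denied transaction the rules that actually raised the anomaly score (skipping 949110, the blocking-evaluation rule that only sums the score and is never the rule to exclude), and emits the exclusion form CRS documents for REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (listed in the enabled files above): a phase-1 rule that removes the offending rule id only for requests under one URI prefix. The sample log lines, hostname, URI and unique_id values are constructed; the local rule id 1001 is the one used in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two log lines quoted in the issue above.
# Hostname, URI and unique_id are placeholders; the third line is a made-up
# warning-only transaction so that the grouping logic has something to skip.
SAMPLE_LOG = """\
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Referer' (Value: `0' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "79"] [id "943120"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [severity "2"] [hostname "example.com"] [uri "/add_funds/stripe3ds/complete"] [unique_id "tx-0001"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "example.com"] [uri "/add_funds/stripe3ds/complete"] [unique_id "tx-0001"]
ModSecurity: Warning. Matched "Operator `Rx' against variable `REQUEST_HEADERS:Host' [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [hostname "example.com"] [uri "/"] [unique_id "tx-0002"]
"""

# Every [key "value"] pair in a ModSecurity log line. Repeated keys such as
# [tag "..."] collapse to the last value, which is fine for the fields we use.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# CRS rules that only evaluate the summed anomaly score. 949110 is on the page;
# 959100 (outbound) and 980130 (correlation) follow CRS 3.x numbering.
SCORE_EVALUATORS = {"949110", "959100", "980130"}


def parse_events(log_text):
    """Turn each ModSecurity log line into a dict of its bracketed fields."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        fields["denied"] = "Access denied" in line
        events.append(fields)
    return events


def blocking_rules(events):
    """Map each transaction that ended in a denial to the rules that scored it.

    The score-evaluation rules are dropped because excluding them would only
    disable blocking; the rule to tune is the one that produced the score."""
    by_tx = defaultdict(list)
    for ev in events:
        by_tx[ev.get("unique_id")].append(ev)
    result = {}
    for tx, evs in by_tx.items():
        if not any(ev["denied"] for ev in evs):
            continue
        result[tx] = [
            {k: ev.get(k) for k in ("id", "file", "line", "uri", "msg")}
            for ev in evs
            if ev.get("id") not in SCORE_EVALUATORS
        ]
    return result


def is_safe_uri_prefix(uri_prefix):
    """A prefix that can be dropped into a quoted SecRule operator argument."""
    return uri_prefix.startswith("/") and not re.search(r'[\s"\\]', uri_prefix)


def scoped_exclusion(rule_id, uri_prefix, local_id):
    """Return a CRS-style exclusion rule as text.

    A phase-1 rule that removes `rule_id` for the current transaction only when
    the request path starts with `uri_prefix`; the rest of the site keeps the
    rule. IDs 1-99999 are the range the ModSecurity reference reserves for
    local rules, which is why the thread's id 1001 is a reasonable choice."""
    if not re.fullmatch(r"\d+", str(rule_id)):
        raise ValueError("rule id must be numeric")
    if not 1 <= int(local_id) <= 99999:
        raise ValueError("local rule ids should be in the range 1-99999")
    if not is_safe_uri_prefix(uri_prefix):
        raise ValueError("uri prefix must start with / and contain no whitespace, quotes or backslashes")
    return (
        f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" \\\n'
        f'    "id:{local_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"'
    )


if __name__ == "__main__":
    blocked = blocking_rules(parse_events(SAMPLE_LOG))
    for tx, rules in blocked.items():
        for r in rules:
            print(f'{tx}: rule {r["id"]} ({r["file"]}:{r["line"]}) on {r["uri"]}: {r["msg"]}')
            print(scoped_exclusion(r["id"], r["uri"], 1001))
```

The emitted directive ends at the closing quote of the actions string; anything after it, such as a trailing comma, is not part of the rule. ModSecurity also offers `ctl:ruleRemoveTargetById=ID;VARIABLE` to keep a rule active but exempt one variable from it; whether that is narrower than removing the rule for one URI depends on which variable the rule inspects, so check the rule text in the file and line the log reports.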