RO3B
May 16, 2022, 3:49pm
1
Hi Guys, My website use to work normally after I followed the instruction to enable and install ModSecurity.
The URL like this would be blocked by the ModSecurity:
https://example.com/add_funds/stripe3ds/complete?session_id=cs_live_a14EHSM5SIWbb5DhvF&paymentOption=stripe3ds&orderId=ORDS165271
Please help & Thank you
See from logs which rule block that and disable it.
2 Likes
I have the same problem, how did you solve it? @RO3B ?
[cyberpanel modsecurity]
signature based firewall . LiteSpeed Web Server has its own high-performance ModSecurity engine, offering excellent compatibility and performance. LiteSpeed/OpenLiteSpeed works well with popular ModSecurity rules sets such as OWASP, Atomicorp, Comodo, and CloudLinux Imunify360.
Even though its a sig…
Can you check that which rule is blocking this request and disable that specific rule.
1 Like
Thanks!
Wouldn’t it be possible to disable it by adding a rule?
From what I understand the only way is to identify the package and disable the item completely, right?
I’ve tried and it doesn’t work to add a rule like this for example:SecRule REQUEST_URI "@contains landingpages" "id:1001,phase:1,t:none,pass, nolog,ctl:ruleRemoveById=943120",
it would not be ideal to disable one of these items as the false positive is only in a URL.
thx
It only worked when I went to the file and deleted line 79:
SecRule REQUEST_URI "@contains landingpages" "id:1001,phase:1,t:none,pass, nolog,ctl:ruleRemoveById=943120",
It doesn’t work if you add the rules via cyberpanel
When you update cyberpanel your edit will be overwritten. You can go on cyberpanel modsecurity settings and disable rule 943.
I did that, it really works, but shouldn’t the rules work?
I would like to disable 943 just for the specific URL, so all my other 20 sites are vulnerable to these attacks because of a single URL.
This ticket continues here:
opened 01:42PM - 25 Aug 22 UTC
closed 01:06PM - 26 Aug 22 UTC
### Description
I'm using Stripe as a checkout, when it returns the customer … to the site, it has a hook called "session_id", if it is in the URL the 403 error is printed.
LOG:
> ModSecurity: Warning. Matched "Operator Eq' with parameter 0' against variable REQUEST_HEADERS:Referer' (Value: 0' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "79"] [id "943120"] [rev ""] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS:Referer: 0"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/225/21/593/61"] [hostname "site.com.br"] [uri "/landingpages/moto/"] [unique_id "1661220656"] [ref "o0,10v86,10t:urlDecodeUni,t:lowercase"]
> ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5' against variable TX:ANOMALY_SCORE' (Value: 5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "site.com.br"] [uri "/landingpages/moto/"] [unique_id "1661220656"] [ref ""]
### Your Environment
My server is Ubuntu 20.04, Cyberpanel with OLS
* CRS version (e.g., v3.2.0): OWASP_CRS/3.3.2
* Paranoia level setting: 1
* ModSecurity version (e.g., 2.9.3): owasp 3.0
* Web Server and version (e.g., apache 2.4.41): Open Lite Speed
* Operating System and version: Ubuntu 20.04
Enable:
1 | owasp | crs-setup.conf |
2 | owasp | REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf |
3 | owasp | REQUEST-901-INITIALIZATION.conf |
4 | owasp | REQUEST-905-COMMON-EXCEPTIONS.conf |
5 | owasp | REQUEST-910-IP-REPUTATION.conf |
6 | owasp | REQUEST-911-METHOD-ENFORCEMENT.conf |
7 | owasp | REQUEST-912-DOS-PROTECTION.conf |
8 | owasp | REQUEST-913-SCANNER-DETECTION.conf |
9 | owasp | REQUEST-920-PROTOCOL-ENFORCEMENT.conf |
10 | owasp | REQUEST-921-PROTOCOL-ATTACK.conf |
11 | owasp | REQUEST-930-APPLICATION-ATTACK-LFI.conf |
12 | owasp | REQUEST-931-APPLICATION-ATTACK-RFI.conf |
13 | owasp | REQUEST-932-APPLICATION-ATTACK-RCE.conf |
14 | owasp | REQUEST-933-APPLICATION-ATTACK-PHP.conf |
15 | owasp | REQUEST-941-APPLICATION-ATTACK-XSS.conf |
16 | owasp | REQUEST-942-APPLICATION-ATTACK-SQLI.conf |
17 | owasp | REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf |
18 | owasp | REQUEST-949-BLOCKING-EVALUATION.conf |
19 | owasp | RESPONSE-950-DATA-LEAKAGES.conf |
20 | owasp | RESPONSE-951-DATA-LEAKAGES-SQL.conf |
21 | owasp | RESPONSE-952-DATA-LEAKAGES-JAVA.conf |
22 | owasp | RESPONSE-953-DATA-LEAKAGES-PHP.conf |
23 | owasp | RESPONSE-954-DATA-LEAKAGES-IIS.conf |
24 | owasp | RESPONSE-959-BLOCKING-EVALUATION.conf |
25 | owasp | RESPONSE-980-CORRELATION.conf |
26 | owasp | RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
### Confirmation
[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
