• Resolved ofmarconi

    (@ofmarconi)


    Dear Groundhogg plugin team,

    I hope this email finds you well. We are facing a challenge with our web server that is utilizing ModSecurity, a web application firewall. Our server detected potential SQL injection attempts which seem to be associated with the groundhogg-page-visits cookie added by the Groundhogg plugin. Below are the details of the log observations that led to this issue:

    Suspicious Data in Cookies:

    The server logs indicate that the suspicious data triggering the SQL injection detection were found within REQUEST_COOKIES:groundhogg-page-visits. This suggests that some data contained in this cookie was interpreted by ModSecurity as an SQL injection attempt.

    Detection Rule:

    The detection was associated with ModSecurity rule ID 942100, which is set up to identify suspicious activities associated with SQL injection attempts via libinjection.

    We are seeking your assistance to better understand how we can adjust this situation, ensuring the security of our website while effectively utilizing the Groundhogg plugin. The specific questions we have are:

    1. Is there any specific setting in the Groundhogg plugin that can be adjusted to prevent these types of detections from occurring?
    2. Is the Groundhogg plugin known to be compatible with ModSecurity? If so, is there any documentation or guide you can share on how to configure both to work in harmony?
    3. If there is any known conflict between Groundhogg and ModSecurity, is there a recommended solution or best practice to resolve this conflict?

    We thank you in advance for your assistance and are available to provide any additional information required or to work with you to resolve this issue.

    Warm regards,
    Marks

    ERROR_LOG:
    
    ---k3n6gq1W---H--
    ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: sos found within REQUEST_COOKIES:groundhogg-page-visits: [["/XXXXXXX/",[[XXXXXXXX,0],[XXXXXXXX,0]]],["/",[[XXXXXXXX,0],[XXXXXXXX,0],[XXXXXXXX,0]]],["/XXXXXXX/XXXXXXX/",[[XXXXXXXX (11 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [hostname "XXXXXXX"] [uri "/XXXXXXX/XXXXXXX/XXXXXXX.html"] [unique_id "XXXXXXXXXXXXXXXX"] [ref "v1787,140"]
    ModSecurity: Access denied with code 302 (phase 2). Matched "Operator Ge' with parameter5' against variable TX:ANOMALY_SCORE' (Value:5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "XXXXXXX"] [uri "/XXXXXXX/XXXXXXX/XXXXXXX.html"] [unique_id "XXXXXXXXXXXXXXXX"] [ref ""]
    
    ---k3n6gq1W---Z--
    
  • Plugin Author Adrian Tobey

    (@trainingbusinesspros)

    Hi, thanks for reaching out! I’ve personally never seen that before.

    MOD SECURITY is a separate system from PHP, so I don’t believe there is any setting or adjustment, besides the structure of the cookie itself, that could impact whether it’s detected as an issue.

    We have 1,000s of customers using MOD SEC with Groundhogg, but have yet to encounter this specific problem.

    The content of the cookie is simple JSON data, and the system it’s paired with is pretty clamped down from a sanitization perspective given its public nature.

    I believe the best course of action would be to mark it as a false positive if possible.
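The reply above recommends marking the hit as a false positive. The right shape for that exclusion is to stop rule 942100 from looking at this one cookie, not to switch the rule off: libinjection matched the `sos` fingerprint in the cookie's JSON, and the same rule still has to inspect every other cookie and argument. The script below is an added example written for this thread; it is not code from Groundhogg, ModSecurity or the OWASP CRS project. It parses libmodsecurity log lines in the format posted above (the two lines from the post are embedded with their redactions; a third line for `ARGS:q` is constructed to show the general case) and emits one `SecRuleUpdateTargetById` directive for each (rule, variable) pair that the operator has confirmed as benign. Anything not on that confirmed list is listed for review instead of being excluded, so a real attack in the same log is never whitelisted by accident. The file name in the comments is the CRS 3.x layout convention, not something the thread states.

```python
"""Generate narrowly scoped OWASP CRS exclusions from ModSecurity log lines.

Added example for this thread; it is not code from Groundhogg, ModSecurity
or the CRS project.  It reads libmodsecurity error-log / audit-log lines
like the ones in the post above, finds every rule that matched inside a
named request variable ("... found within REQUEST_COOKIES:name: ...") and,
for variables the operator has reviewed, emits one SecRuleUpdateTargetById
directive per (rule, variable) pair.  The rule stays active for every
other input; only that variable stops feeding it.
"""
import re

# Audit-log section boundary written by libmodsecurity, e.g. ---k3n6gq1W---H--
SECTION_MARKER_RE = re.compile(r"^---[A-Za-z0-9]+---[A-Z]--$")
# [id "..."] is always a bare number, so it is a safe anchor.  [data "..."]
# is not: the JSON cookie value above embeds unescaped double quotes, which
# is why this parser never splits the line into generic [key "value"] pairs.
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
RULE_MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
# CRS reports the match location as "found within COLLECTION:key: value".
# Cookie and argument names contain no whitespace, so a lazy match up to the
# next ": " recovers the key even when the value itself contains colons.
FOUND_WITHIN_RE = re.compile(r"found within ([A-Z_]+(?::\S+?)?): ")
# 949110 only sums the anomaly score (second log line below); it never
# inspects input itself, so it must never receive an exclusion target.
NON_DETECTION_RULES = {"949110"}


def parse_matches(log_text):
    """Return [(rule_id, msg, variable), ...] for each distinct real detection."""
    matches, seen = [], set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line or SECTION_MARKER_RE.match(line):
            continue
        rule_id = RULE_ID_RE.search(line)
        variable = FOUND_WITHIN_RE.search(line)
        if not rule_id or not variable or rule_id.group(1) in NON_DETECTION_RULES:
            continue
        key = (rule_id.group(1), variable.group(1))
        if key in seen:          # the same cookie trips the rule on every request
            continue
        seen.add(key)
        msg = RULE_MSG_RE.search(line)
        matches.append((key[0], msg.group(1) if msg else "", key[1]))
    return matches


def exclusion_directives(log_text, confirmed_benign):
    """Render directives for RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf (CRS 3.x layout).

    Only variables the operator has reviewed and passed in confirmed_benign get
    an exclusion; every other match becomes a REVIEW comment, never a directive.
    """
    out = []
    for rule_id, msg, variable in parse_matches(log_text):
        if variable in confirmed_benign:
            out.append(f"# {msg} (rule {rule_id}): confirmed false positive on {variable}")
            out.append(f'SecRuleUpdateTargetById {rule_id} "!{variable}"')
        else:
            out.append(f"# REVIEW: rule {rule_id} matched {variable}; no exclusion generated")
    return "\n".join(out)


# Lines 1-2: the post above (redactions kept, [data] abridged).
# Line 3: constructed, to show a second variable hitting the same rule.
SAMPLE_LOG = r"""
---k3n6gq1W---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: sos found within REQUEST_COOKIES:groundhogg-page-visits: [["/XXXXXXX/",[[XXXXXXXX,0],[XXXXXXXX,0]]],["/",[[XXXXXXXX,0]]] (11 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [hostname "XXXXXXX"] [uri "/XXXXXXX/XXXXXXX/XXXXXXX.html"] [unique_id "XXXXXXXXXXXXXXXX"] [ref "v1787,140"]
ModSecurity: Access denied with code 302 (phase 2). Matched "Operator Ge' with parameter5' against variable TX:ANOMALY_SCORE' (Value:5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [hostname "XXXXXXX"] [uri "/XXXXXXX/XXXXXXX/XXXXXXX.html"] [unique_id "XXXXXXXXXXXXXXXX"] [ref ""]
ModSecurity: Warning. detected SQLi using libinjection. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1o found within ARGS:q: a' or 1=1"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [uri "/search"] [unique_id "CONSTRUCTED0001"]
---k3n6gq1W---Z--
"""

if __name__ == "__main__":
    # Only the Groundhogg cookie has been reviewed; ARGS:q is left for a human.
    print(exclusion_directives(SAMPLE_LOG, {"REQUEST_COOKIES:groundhogg-page-visits"}))
```

The generated `SecRuleUpdateTargetById 942100 "!REQUEST_COOKIES:groundhogg-page-visits"` has to be loaded after the CRS rule files (in the CRS 3.x layout that is RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf), because it modifies a rule that must already exist; reload the server afterwards. It is global to every request, which fits a first-party cookie sent on every page. If the cookie only matters on a few paths, the tighter form is a `SecRule REQUEST_URI` in the before-CRS exclusion file with `ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:groundhogg-page-visits`. Avoid `SecRuleRemoveById 942100` for this: it would disable libinjection SQLi detection for every input, which is far more than the reply above asks for. The cookie's JSON may later trip other 942xxx rules; feed those lines back through the same script rather than widening the first exclusion.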

  • The topic ‘MODSEC ? Cookie groundhogg-page-visits ? Error 403’ is closed to new replies.