
SOLVED ModSecurity (OWASP CRS) cookie not "whitelisting"

Discussion in 'Security' started by ItsMattSon, Jan 22, 2017.

  1. ItsMattSon

    ItsMattSon Well-Known Member

    Hi guys,

    I've been a bit back and forth trying to "whitelist" a Magento2 Cookie which triggers Rule 981243 in OWASP CRS for apparent SQLi injection probing.


    When attempting to add SecRuleUpdateTargetById 981243 !REQUEST_COOKIES:section_data_ids into ModSecurity Tools > Rules List > Add Rule, Apache flips out about ruleset not being in context which I learned to be something that happens because of VirtualHost scope (above my head, so I moved on and tried something else).

    I then read another thread on here where someone mentioned they add their SecRuleUpdateTargetByID rule, like mine, to a file here: /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_20_customrules.conf, but through all my attempts I can't seem to "whitelist" that Cookie.

    It still shows in the log and the browser continues to go into a redirect loop when the OWASP rule is enabled (I don't want to disable the rule).

    To be honest, I'm not even sure if that customrules file is being loaded? Anything obvious that I'm doing wrong here?

    Thanks in advance!
     
  2. ItsMattSon

    ItsMattSon Well-Known Member

    Hi all,

    Been tinkering with this since that last post and I'm no closer I'm afraid.

    I actually tried adding
    SecRuleUpdateTargetById 981243 "!REQUEST_COOKIES" with and without quotations to /etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-00-LOCAL-WHITELIST.conf also but the cookies are still being checked and still causing my site to be thrown into a redirect loop.

    The only way to not have the site go into a redirect loop is to 1) ModSecurity Configuration > Rules Engine > Set to process rules in verbose mode only (whereby no action is taken); or 2) Disable the rule (981243); or 3) Disable OWASP CRS altogether.

    I've tried adding it to all manner of "modsec2.user.conf" files throughout the server also to no avail.

    Though, at a glance, it seems to be a modsecurity problem and not a cPanel concern, I feel that it fits the discussion here at cPanel forums because I can't add the rule to the Rules list in ModSecurity Tools > Rules List > Add Rule without Apache flipping out on account of an 'out of context' VirtualHost scope error. Surely that's where I'm *supposed* to add custom rules? (but I can't)

    If not, where? And is restarting Apache enough to have them take effect?
     
  3. ItsMattSon

    ItsMattSon Well-Known Member

    Hi all,

    Just an update. I believe I've resolved this now.

    Originally, I was trying to use SecRuleUpdateTargetByID which apparently runs before "the merge of contexts" so it wouldn't work in ModSecurity Tools > Rules List > Add Rule. I installed ConfigServer ModSecurity Control to see if that'd help me and I liked it, but having that installed seemed to load the rules twice, which threw "rule already exists with that ID" errors, so I had to uninstall it.

    In the end, I had to resort to SecAction and SecRule and managed to craft the below, which does the trick. Hopefully it will help any server admins running OWASP CRS that have customers with a requirement for Magento2.


    # Rule 981243 needs to ignore Magento2's section_data_ids Cookie.
    # The ctl action removes that one target from rule 981243 for the current
    # transaction only, so this SecAction must run before 981243 is evaluated in phase 2.
    SecAction "id:1,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByID=981243;REQUEST_COOKIES:section_data_ids"
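    As an added check that is not part of the thread or of cPanel's tooling, the Python script below parses ModSecurity 2.x entries from the Apache error_log and reports whether rule 981243 still matches on REQUEST_COOKIES:section_data_ids once the exclusion above is in place (the original poster's doubt was whether the custom file was loaded at all). The log lines, hostnames, URIs, file paths and unique IDs are constructed samples, and the two regexes are assumptions about the standard ModSecurity 2.x log layout.

```python
import re

# ModSecurity 2.x writes one Apache error_log entry per rule hit: the text
# before the bracketed fields names the matched variable as '... at <VAR>. [file',
# and [key "value"] fields follow. Both regexes are assumptions about that layout.
_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
_TARGET = re.compile(r' at (\S+?)\. \[file ')

def parse_modsec_line(line):
    """Return the fields of one ModSecurity log entry, or None for other lines."""
    if "ModSecurity: " not in line:
        return None
    entry = dict(_FIELD.findall(line))
    m = _TARGET.search(line)
    entry["target"] = m.group(1) if m else None
    entry["denied"] = "Access denied" in line
    return entry

def hits_on_target(lines, rule_id, target):
    """List (uri, denied) for entries where rule_id matched exactly `target`."""
    hits = []
    for line in lines:
        e = parse_modsec_line(line)
        if e and e.get("id") == rule_id and e["target"] == target:
            hits.append((e.get("uri"), e["denied"]))
    return hits

def exclusion_effective(lines, rule_id="981243",
                        target="REQUEST_COOKIES:section_data_ids"):
    """True when no entry shows rule_id matching on the excluded target."""
    return not hits_on_target(lines, rule_id, target)

# Constructed sample entries; hostnames, URIs, paths and IDs are made up.
SAMPLE_LOG = [
    # The false positive this thread is about: 981243 on the Magento cookie.
    '[Sun Jan 22 10:01:02.000000 2017] [:error] [pid 1234] [client 203.0.113.5] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match '
    '"(?i:select|union)" at REQUEST_COOKIES:section_data_ids. '
    '[file "/path/to/crs/sqli.conf"] [id "981243"] [severity "CRITICAL"] '
    '[hostname "shop.example.com"] [uri "/customer/section/load/"] [unique_id "c1"]',
    # Same rule on a query argument: a hit the exclusion must leave alone.
    '[Sun Jan 22 10:02:03.000000 2017] [:error] [pid 1235] [client 203.0.113.6] '
    'ModSecurity: Warning. Pattern match "(?i:select|union)" at ARGS:q. '
    '[file "/path/to/crs/sqli.conf"] [id "981243"] [severity "CRITICAL"] '
    '[hostname "shop.example.com"] [uri "/catalogsearch/result/"] [unique_id "c2"]',
    # Unrelated Apache notice: must be skipped, not misparsed.
    '[Sun Jan 22 10:03:04.000000 2017] [mpm_prefork:notice] [pid 1230] '
    'AH00163: Apache/2.4 configured -- resuming normal operations',
]
```

    On a live server, pass the real error_log lines (for example `open(path).read().splitlines()`) to hits_on_target; an empty list for the cookie target after a restart means the exclusion file was loaded and ordered correctly, while hits on other targets such as ARGS should still appear.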
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I'm happy to see you were able to address the issue. Thank you for updating us with the solution.
     