
Scenario:

  • ModSecurity with a "default" or "generic" configuration (like the one that might be provided by shared hosting providers, for example).
  • Generic web application (custom, uncommon, or unknown), for which specific rules are not provided by ModSecurity.

How useful is ModSecurity in this situation? What percentage of attacks is it going to prevent? What kind of attacks?

Reason for asking this question: there is a web application that, to avoid issues with ModSecurity's default rules, suggests disabling it for this specific application if it is causing any trouble. That doesn't sound like great advice to me; however, I'm not sure whether the default ModSecurity configuration is actually significantly more useful than having no ModSecurity at all (disabled).

reed
  • How useful something is depends on how important *availability* is in relation to security. It also depends on where the application is deployed; who has access; what data it protects, etc. Security is all about tradeoffs and how much risk you can/want to tolerate. – Daisetsu Oct 05 '18 at 20:15

3 Answers


TL;DR: Not really useful for security, and will probably break the app somehow.

A lot of ModSecurity's default rules are the textbook example of how not to protect from attacks. XSS is the best example: they block requests that look like they contain certain HTML tags, thus breaking any site where people try to post innocuous code samples. (The correct way to defend against XSS is to escape user-provided data that ends up in HTML, without having to block any data outright.) The rest of its rules follow similar patterns, blocking things that "look" dangerous but aren't actually dangerous if the app is written correctly, and are highly prone to false positives. As such, all ModSecurity is really good for is security theater, or checking a box that you have a WAF to satisfy some regulation. There's no real harm in turning it off, and it doesn't reflect badly on the software at all that it tells you to. (Even MediaWiki, which powers Wikipedia, tells you to turn it off.)

  • I would say it is very much dependent on the type of app you have; for a large free-text-field app, modSecurity would probably require a reasonable amount of tweaking. But for our app, which is pretty large (about 5 / 6 million requests daily), it has proved very beneficial. – Darragh Oct 18 '18 at 17:32
  • This is exactly my finding. I had way more problems with it. The default rules would block all sorts of perfectly legitimate requests! – Alexis Wilke Jul 19 '19 at 04:42

We have found modSecurity to be very beneficial; it does produce a small percentage of false positives in our experience.

Our advice would be to use the anomaly scoring mode [1]; we have found this approach more beneficial than traditional scoring.

An important consideration is the type of web app (or app) you are implementing. For example, if your app is very 'text' / 'wordy', i.e., has a lot of free-text fields, then the likelihood of false positives will grow. ModSecurity with anomaly scoring is trying to make a best guess; it is all based on regular expressions.

Some figures from our app: we have approximately 110 million monthly requests, and we get a very low percentage of false positives.

I would also point out that with modSecurity you can whitelist content types, HTTP methods, etc. It is more than scanning for SQL injection and XSS.

We certainly would not turn modSecurity off.

Hope this helps somewhat.

[1] Anomaly Scoring. https://www.modsecurity.org/CRS/Documentation/anomaly.html

Darragh
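The mode and whitelisting choices the answer above describes, as an added illustration that is not from the question, the answers or the ModSecurity/CRS projects. It assumes the OWASP CRS 3.x directive and rule-ID conventions (900110 thresholds, 941100 for the libinjection XSS check) and uses a hypothetical application path `/app/post` with a free-text parameter `body`; a targeted exclusion for that field is shown as the alternative to switching the engine off for the whole application.

```apache
# Stage 1: observe before blocking. Rules still fire and log, nothing is denied,
# so false positives can be measured on real traffic first.
SecRuleEngine DetectionOnly
# Switch to "On" once the audit log shows an acceptable false-positive rate.

# Anomaly scoring mode (CRS 3.x): individual rules only add to a score;
# blocking happens once per request when the total crosses the threshold.
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
SecAction \
  "id:900110,phase:1,nolog,pass,t:none,\
   setvar:tx.inbound_anomaly_score_threshold=5,\
   setvar:tx.outbound_anomaly_score_threshold=4"

# Targeted exclusion instead of a global "SecRuleEngine Off":
# the XSS check (941100) is removed only for the free-text field "body"
# on the hypothetical /app/post endpoint; every other rule, parameter
# and URL stays protected.
SecRule REQUEST_URI "@beginsWith /app/post" \
  "id:10001,phase:1,pass,nolog,t:none,\
   ctl:ruleRemoveTargetById=941100;ARGS:body"

# Positive-security whitelisting (plain ModSecurity, independent of CRS):
# reject any HTTP method the application does not use ...
SecRule REQUEST_METHOD "!@within GET HEAD POST" \
  "id:10002,phase:1,deny,status:405,log,t:none,\
   msg:'Method not allowed by policy'"

# ... and reject POST bodies whose Content-Type the application never accepts.
SecRule REQUEST_METHOD "@streq POST" \
  "id:10003,phase:1,deny,status:415,log,t:none,\
   msg:'Unexpected request content type',chain"
  SecRule REQUEST_HEADERS:Content-Type \
    "!@rx ^(?:application/x-www-form-urlencoded|multipart/form-data|application/json)\b"
```

The exclusion in rule 10001 is the narrowest change that stops a known false positive; widen it only after the audit log shows which rule and parameter actually triggered.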

ModSecurity maintains just a few rules in its own configuration, so unless you also add proper protection rules such as the OWASP CRS or another rule set, there is not much difference between having it and not having it.

I would stay away from an application that advises turning the WAF off. If they cannot deal with a WAF, they should say it is not under their support scope, but that may be a company culture, so they may have no security built in.