
I have web traffic flowing through ModSecurity.

Within the ModSecurity configuration I am calling a Lua script that is running some simple analysis on the arguments of the request string. Specifically, it is checking for evidence of Cross-Site Scripting and will block the incoming traffic if there exists some evidence.

The ModSecurity rule engine configuration is as follows:

SecRuleEngine On
SecRuleScript "/path/to/lua/script/detectXSS.lua" "block"

An illustrative example of the lua script is as follows:

function main()
    -- Retrieve script parameters
    local d = m.getvars("ARGS", { "lowercase", "htmlEntityDecode" } );

    -- Loop through the parameters
    for i = 1, #d do
        -- Examine parameter value.
        if (string.find(d[i].value, "<script")) then
            return ("Suspected XSS in variable " .. d[i].name .. ".");
        end
    end

    -- Nothing wrong found.
    return nil;
end

Although XSS can be detected and returned, the blocking functionality is not occurring. Is there something obvious missing? Any help would be greatly appreciated.

Cheers

Futh

1 Answer


Despite what you might think, block does not actually block requests. You need to use deny for that.

The reason for this is block is a specially defined action that you can then define how to handle. You could deny, just log, or redirect to an error page when your rule blocks. This is set with the SecDefaultAction and the default is to pass the rule as shown here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecDefaultAction. While this might not seem to make sense it also allows you to do things like switching anomaly scoring on or off easily in the OWASP CRS.

So either change your SecRuleScript to deny rather than block:

SecRuleEngine On
SecRuleScript "/path/to/lua/script/detectXSS.lua" "deny"

Or alternatively set the default block action to deny:

SecRuleEngine On
SecDefaultAction "phase:2,deny"
SecRuleScript "/path/to/lua/script/detectXSS.lua" "block"

See here for more details on block: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#block

Barry Pollard
  • Thank you very much for this excellent answer. The `deny` action worked well. It would be great to be able to `block` the individual arguments that were found to be suspicious. But alas, thanks. – Futh Aug 10 '16 at 22:13
  • ModSecurity usually works on blocking the whole request based on particular arguments, rather than trying to sanitise requests to only allow good arguments through. – Barry Pollard Aug 10 '16 at 22:16
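The two configurations the answer contrasts, put side by side as an added example (this is not configuration from the question or the answer). It assumes the script path from the question, an arbitrary rule id of 100001 and a 403 status; ModSecurity's built-in default action list is phase:2,log,auditlog,pass, which is why a bare block only logs.

```apache
# Added example, not from the original post. The script path, the rule
# id (100001) and the 403 status are assumptions made for illustration.
SecRuleEngine On

# Weak: 'block' is only a placeholder. With no SecDefaultAction of your
# own, it resolves to the built-in default (phase:2,log,auditlog,pass),
# so a Lua match is logged but the request is passed through.
#SecRuleScript "/path/to/lua/script/detectXSS.lua" "id:100001,phase:2,block"

# Corrected: define the default disruptive action for phase 2 *before*
# the rule. SecDefaultAction is inherited by the rules that follow it in
# the same configuration context and is phase-specific, so this does not
# change what 'block' means for rules in other phases. It may not carry
# metadata actions such as id or msg; those belong on the rule itself.
SecDefaultAction "phase:2,deny,status:403,log,auditlog"
SecRuleScript "/path/to/lua/script/detectXSS.lua" "id:100001,phase:2,block,msg:'Lua XSS check'"

# Equivalent without relying on SecDefaultAction: name the disruptive
# action directly on the rule, as the accepted answer suggests.
#SecRuleScript "/path/to/lua/script/detectXSS.lua" "id:100001,phase:2,deny,status:403,log,msg:'Lua XSS check'"
```

Keeping block on the rule and choosing the disruptive action in SecDefaultAction is what lets the same rule set run in a log-only mode (pass) during tuning and a denying mode in production by changing one line; the string returned by the Lua script is still written to the error and audit logs in either mode, so you can confirm the detection fires before switching the default to deny.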