I have web traffic flowing through ModSecurity.
Within the ModSecurity configuration I am calling a Lua script that is running some simple analysis on the arguments of the request string. Specifically, it is checking for evidence of Cross-Site Scripting and will block the incoming traffic if there exists some evidence.
The ModSecurity rule engine configuration is as follows:
SecRuleEngine On
SecRuleScript "/path/to/lua/script/detectXSS.lua" "block"
An illustrative example of the Lua script is as follows:
function main()
    -- Retrieve script parameters
    local d = m.getvars("ARGS", { "lowercase", "htmlEntityDecode" } );
    -- Loop through the parameters
    for i = 1, #d do
        -- Examine parameter value.
        if (string.find(d[i].value, "<script")) then
            return ("Suspected XSS in variable " .. d[i].name .. ".");
        end
    end
    -- Nothing wrong found.
    return nil;
end
Although XSS can be detected and returned, the blocking functionality is not occurring. Is there something obvious missing? Any help would be greatly appreciated.
Cheers
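An added configuration example, not part of the original post, showing the ModSecurity 2.x directives that decide what the "block" action in SecRuleScript actually does. The script path is the placeholder from the post; the rule ids and the 403 status are assumptions chosen for the example.

```apache
# Added example (not from the original post): minimal ModSecurity 2.x
# configuration in which the "block" action on SecRuleScript is disruptive.
#
# "block" is a placeholder: it carries out whatever disruptive action the
# preceding SecDefaultAction names. The built-in default is
# "phase:2,log,auditlog,pass", so with no explicit SecDefaultAction a script
# that returns a non-nil string is logged but the request still goes through.

SecRuleEngine On

# Weak setting (equivalent to the implicit default): "block" resolves to "pass".
# SecDefaultAction "phase:2,log,auditlog,pass"

# Corrected setting: the default disruptive action is a deny, so "block" denies.
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

# The script blocks the transaction when main() returns a non-nil string.
# Rule id 1000001 is an assumed placeholder.
SecRuleScript "/path/to/lua/script/detectXSS.lua" "phase:2,id:1000001,block"

# Alternative that does not depend on SecDefaultAction at all: name the
# disruptive action directly on the script rule (id 1000002 is a placeholder).
# SecRuleScript "/path/to/lua/script/detectXSS.lua" "phase:2,id:1000002,deny,status:403"
```

After reloading, a request whose argument contains the string the script looks for should produce a 403 and an entry in the ModSecurity audit log reading "Access denied with code 403", followed by the message the script returned; if the log instead shows "Warning" with the same message, the disruptive action is still "pass".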