I have web traffic flowing through ModSecurity.
Within the ModSecurity configuration I am calling a Lua script that is running some simple analysis on the arguments of the request string. Specifically, it is checking for evidence of Cross-Site Scripting and will block the incoming traffic if there exists some evidence.
The ModSecurity rule engine configuration is as follows:
    SecRuleEngine On
    SecRuleScript "/path/to/lua/script/detectXSS.lua" "block"
An illustrative example of the Lua script is as follows:
    function main()
        -- Retrieve the request arguments, lowercased and HTML-entity decoded.
        local d = m.getvars("ARGS", { "lowercase", "htmlEntityDecode" });
        -- Loop through the parameters.
        for i = 1, #d do
            -- Examine the parameter value.
            if (string.find(d[i].value, "<script")) then
                return ("Suspected XSS in variable " .. d[i].name .. ".");
            end
        end
        -- Nothing wrong found.
        return nil;
    end
Although XSS can be detected and returned, the blocking functionality is not occurring. Is there something obvious missing? Any help would be greatly appreciated.
Cheers
Best Answer
Despite what you might think, `block` does not actually block requests. You need to use `deny` for that.

The reason for this is that `block` is a specially defined action that you can then define how to handle. You could deny, just log, or redirect to an error page when your rule blocks. This is set with SecDefaultAction and the default is to pass the rule, as shown here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecDefaultAction. While this might not seem to make sense, it also allows you to do things like switching anomaly scoring on or off easily in the OWASP CRS.

So either change your SecRuleScript to `deny` rather than `block`, or alternatively set the default `block` action to `deny`.

See here for more details on `block`: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#block