I'm trying to configure mod_security on CentOS 7 for apache2.4 with the OWASP ruleset.
The thing is my web app generates a cookie with -- characters and it gets flagged as an SQLI. I read the following article, how to whitelist a certain cookie string in ModSecurity, to try and disable the guilty cookie but I had no luck with that: I still get a 403 forbidden.
What I tried was to add to my whitelist.conf (in the modsecurity.d/ folder) the following rule (on the same line ofc):
SecRuleUpdateTargetByMsg "SQL Comment Sequence Detected." !REQUEST_COOKIES:/^*Titlebox*
I get a 403 forbidden if the cookie is present.
I tried to create a file as indicated in the article and added the rule to a /etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_61_customrules.conf file and still nothing: I get blocked.
It's problematic since this cookie is legit.
Did the way to fix that problem change in the current version of mod_security? Or am I still doing things wrong?
Thanks for your help.
edit:
With the rule per ID looking like this:
SecRuleUpdateTargetById 981172 !REQUEST_COOKIES_NAMES:/^TitleBox/
It works
With the one per Message like this:
SecRuleUpdateTargetByMsg "SQL Comment Sequence Detected." !REQUEST_COOKIES_NAMES:/^TitleBox
It does not work and still blocks my cookie
Best Answer
The question you linked to was about whitelisting rule 981231 which looks like this:
You are trying to whitelist 981172 which looks like this:
As you can see the message is different for this rule, so you are whitelisting the wrong message. Hence why it is not working for you.
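An added example (not part of the answer, and not ModSecurity's own code): a small Python check that lists which rule IDs each SecRuleUpdateTargetById / SecRuleUpdateTargetByMsg line applies to, showing why the by-message exclusion from the question never reaches rule 981172. The rule snippets are constructed, the msg given for 981172 is a placeholder because the page does not show it, and comparing the message as an exact string is a simplifying assumption.

```python
import re

# Constructed, abbreviated stand-ins for CRS rule definitions. The msg of
# 981172 is a placeholder: the page does not show that rule's real message.
SAMPLE_RULES = r'''
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES "@rx sample-pattern-a" \
    "phase:2,block,id:'981231',msg:'SQL Comment Sequence Detected.'"
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES "@rx sample-pattern-b" \
    "phase:2,block,id:'981172',msg:'PLACEHOLDER message of rule 981172'"
'''
# The two exclusions from the question's edit, as posted.
SAMPLE_WHITELIST = '''
SecRuleUpdateTargetById 981172 !REQUEST_COOKIES_NAMES:/^TitleBox/
SecRuleUpdateTargetByMsg "SQL Comment Sequence Detected." !REQUEST_COOKIES_NAMES:/^TitleBox
'''

def rule_messages(conf):
    """Map rule id -> msg for every SecRule in the text."""
    joined = re.sub(r'\\\s*\n\s*', ' ', conf)  # fold "\" line continuations
    out = {}
    for line in joined.splitlines():
        rid = re.search(r"\bid:'?(\d+)", line)
        msg = re.search(r"\bmsg:'((?:[^'\\]|\\.)*)'", line)
        if line.lstrip().startswith('SecRule ') and rid:
            out[rid.group(1)] = msg.group(1) if msg else None
    return out

def exclusions(whitelist, messages):
    """Return (directive kind, key, rule ids the directive applies to)."""
    result = []
    for line in whitelist.splitlines():
        m = re.match(r'\s*SecRuleUpdateTargetBy(Id|Msg)\s+("[^"]*"|\S+)\s', line)
        if not m:
            continue
        kind, key = 'By' + m.group(1), m.group(2).strip('"')
        if kind == 'ById':
            ids = [key] if key in messages else []
        else:  # assumption: the message is compared as an exact string
            ids = sorted(r for r, msg in messages.items() if msg == key)
        result.append((kind, key, ids))
    return result

def covering(rule_id, whitelist, rules):
    """Directive kinds that apply to the rule that actually fired."""
    found = exclusions(whitelist, rule_messages(rules))
    return [kind for kind, _, ids in found if rule_id in ids]

if __name__ == '__main__':
    for kind, key, ids in exclusions(SAMPLE_WHITELIST, rule_messages(SAMPLE_RULES)):
        print(f'{kind} {key!r} applies to rule(s): {ids or "none"}')
```

Feed it the real rule files and whitelist.conf, then compare the output with the rule ID reported in the audit log entry for the 403.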