I have a cookie by the name of CFAUTHORIZATION_cfadmin which is triggering a
SQL injection OWASP base rule. I have in the past successfully circumvented it
with
SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfadmin"
I have this rule in a file called whitelist.conf, and this is being included in
my modsecurity_iis.conf file:
Include modsecurity.conf
Include modsecurity_crs_10_setup.conf
Include whitelist.conf
Include owasp_crs\base_rules\*.conf
#Include pbncustom.conf
Modsecurity_iis.conf is being referred to as the base config file in the IIS
directive in the application host file like this:
<ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf" />
But when I make a request, each of the HTTP GETs in a request triggers the
warning about the CFAUTHORIZATION_cfadmin cookie. (The problem is that the
value for the cookie has double quotes around it, which is, as far as I know,
not changeable.)
[client 127.0.0.1:51619] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at REQUEST_COOKIES:CFAUTHORIZATION_cfadmin.
Does anyone know what might be going on here? I had some confusion about the
SecRuleUpdateTargetByID directive, since some sources made Target plural, and
some had it in singular – even in the same resource.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
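
As an added example, not part of the original post or of ModSecurity itself: a small Python check that parses the exclusion directive and the denial message quoted above and reports whether the excluded target is the same variable the denial names. The function names are hypothetical, and splitting a target list on ',' or '|' is an assumption of this example.

```python
import re

# Both inputs are copied from the post above (the log message joined onto one line).
DIRECTIVE = 'SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfadmin"'
LOG_LINE = (r'''[client 127.0.0.1:51619] ModSecurity: Access denied with code 403 (phase 2). '''
            r'''Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" '''
            r'''at REQUEST_COOKIES:CFAUTHORIZATION_cfadmin.''')

def parse_exclusions(directive):
    """Return (rule_id, [(collection, key), ...]) for the '!'-negated targets."""
    m = re.match(r'\s*SecRuleUpdateTargetById\s+(\d+)\s+"?([^"]+)"?', directive, re.I)
    if not m:
        raise ValueError("not a SecRuleUpdateTargetById directive")
    targets = []
    for t in re.split(r'[,|]', m.group(2)):  # assumed separators for a target list
        t = t.strip()
        if t.startswith('!'):
            coll, _, key = t[1:].partition(':')
            targets.append((coll.upper(), key))
    return m.group(1), targets

def parse_matched_variable(log_line):
    """Return (collection, key) from the '... at VARIABLE:key.' part, or None."""
    m = re.search(r' at ([A-Z_]+)(?::(\S+?))?\.(?:\s|$)', log_line)
    return (m.group(1), m.group(2) or "") if m else None

def diagnose(directive, log_line):
    """Compare the excluded targets with the variable named in the denial.

    'covered' only means the strings agree; it does not prove that the
    exclusion was loaded or applied to the rule that fired.
    """
    rule_id, excluded = parse_exclusions(directive)
    hit = parse_matched_variable(log_line)
    if hit is None:
        return ("no-match-info", "log line names no matched variable")
    if hit in excluded:
        return ("covered", f"rule {rule_id} exclusion names {hit[0]}:{hit[1]}")
    for coll, key in excluded:
        if key == hit[1]:  # same cookie name, different collection
            return ("collection-mismatch",
                    f"exclusion is on {coll}:{key}, denial matched {hit[0]}:{hit[1]}")
    return ("not-covered", f"no exclusion mentions {hit[0]}:{hit[1]}")

if __name__ == "__main__":
    print(diagnose(DIRECTIVE, LOG_LINE))
```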