ModSec Core OWASP Core Ruleset v3.0.2 False Positives
Hello,
In the past week I have seen a large increase in the number of false positives produced by the OWASP Core Ruleset v3.0.2.
The primary cause is a rule related to preventing SSRF.
The rule blocks any HTTP request which contains a new line followed by any HTTP method.
For example, a request containing "\r\nHead of Department" triggers the rule.
I have never seen these rules being triggered before, and I have identified requests which were made prior to last week that contained such content and were not blocked.
Has cPanel's v3.0.2 of the ModSec rule sets been updated recently? If so, is there any changelog associated with this, or information which will help identify and resolve other false positives?
Another false positive which was triggered involved the string "Asside from" being included in a request.
Thanks in advance.
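The behaviour described in the question, as an added example that is not part of the original post and is not the CRS rule itself: a pattern that flags a line break followed by an HTTP method name also flags ordinary multi-line text, while a variant that requires the full request-line shape does not. Both patterns, the method list and the sample field values are assumptions constructed for illustration.

```python
import re

# Assumption: approximates the behaviour described in the post (a line break
# followed by an HTTP method name). It is not the CRS rule's actual expression.
METHODS = "get|post|head|options|connect|put|delete|trace|patch"
LOOSE = re.compile(rf"[\r\n]+(?:{METHODS})\s+", re.IGNORECASE)

# Hypothetical stricter variant: also require a request target and an
# HTTP version token, i.e. the shape of a real request line.
STRICT = re.compile(rf"[\r\n]+(?:{METHODS})\s+\S+\s+HTTP/\d", re.IGNORECASE)

# Constructed sample inputs (form field values), not taken from real traffic.
SAMPLES = {
    "job_title": "Jane Doe\r\nHead of Department",
    "notes": "Please\r\nput the invoice in the shared folder",
    "plain": "Head of Department",
    "embedded_request": "x\r\nGET /admin HTTP/1.1\r\nHost: internal",
}


def classify(value):
    """Return (loose_match, strict_match) for one field value."""
    return bool(LOOSE.search(value)), bool(STRICT.search(value))


def false_positive_candidates(samples):
    """Fields the loose pattern flags but the strict one does not."""
    return sorted(name for name, value in samples.items()
                  if classify(value) == (True, False))


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        loose, strict = classify(value)
        print(f"{name:18} loose={loose!s:5} strict={strict!s:5} {value!r}")
    print("review for exclusion:", false_positive_candidates(SAMPLES))
```

Running the same comparison over the matched data recorded in the ModSecurity audit log shows which blocked requests contain ordinary text and are candidates for a targeted exclusion.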
-
Hey there! The ModSecurity changelogs are under the EasyApache changelogs area here:
https://docs.cpanel.net/changelogs/
I see the last update was in July 2023 with this entry:
- EA-11564: Update ea-modsec2-rules-owasp-crs from 3.3.4 to 3.3.5.