Description
When a request exceeds the ModSecurity anomaly score, access is denied and the request is redirected to the nginx 403 error page, even though a custom page has been added for the 403 status code in the nginx configuration.
Logs and dumps
---flVTXfo9---H--
ModSecurity: Warning. Matched "Operator `Within' with parameter `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .ln (138 characters omitted)' against variable `TX:EXTENSION' (Value: `.config/' ) [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "988"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".config"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "14.102.2.85"] [uri "/web.config"] [unique_id "156481355738.154548"] [ref "o3,7o4,6v5,10t:urlDecodeUni,t:lowercaseo77,8"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `restricted-files.data' against variable `REQUEST_FILENAME' (Value: `/web.config' ) [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "105"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /Web.config found within REQUEST_FILENAME: /web.config"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "14.102.2.85"] [uri "/web.config"] [unique_id "156481355738.154548"] [ref "o0,11v4,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "14.102.2.85"] [uri "/web.config"] [unique_id "156481355738.154548"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "14.102.2.85"] [uri "/web.config"] [unique_id "156481355738.154548"] [ref ""]
To Reproduce
Steps to reproduce the behavior:
Request https://ourdomain.com/web.config and it redirects to the default nginx 403 page. This happens for all requests denied by ModSecurity.
Expected behavior
Redirects to the custom page added in nginx when a 403 response code is sent.
Server:
- ModSecurity version (and connector): ModSecurity v3 with nginx-connector v1.0.0
- WebServer: nginx-1.15.0
- OS (and distro): Ubuntu (Linux OS)
Rule Set:
- OWASP CRS 3.0.2