Thread: [mod-security-users] Modsec Bypass???
From: Troy L. <Tro...@ip...> - 2011-07-26 20:36:13
Hello,

I'm hoping to find an answer to this problem and was told to send it here. I'm VERY new to modsecurity and our company is faced with this current problem:

From this 1 company only - users are not able to see their payment receipts - they go thru all the options of submitting a payment and yet the PDF receipt goes back to them with a blank page.

What I am told from the dev team is this: The encryption string gets so long that modsec thinks it's a virus or a hack and throws it out.

So they tell me what needs to happen is: Certain tests need to be ignored - specifically when they have parameters that examine a GET or a POST form fields.

OR: Is there a way to bypass any request to a designated server to let it go past modsec. So in the request - if it is supposed to go to the next server for parsing or whatever - Modsec will just ignore it and let it thru.

Some of this makes sense to me but it seems odd that this is only happening with 1 company out of thousands and thousands of users.

Any help would be appreciated

Troy Landry
From: Ryan B. <RBa...@tr...> - 2011-07-26 20:44:50
Troy,

Can you send me some example ModSecurity audit log examples of a transaction that is being blocked? This will allow me to provide you with some exception options.

Thanks.

--
Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs