We recently found a bug with the 1.6.0
rules when testing the M1100 appliance and it may be related to what you are
seeing. This issue has to do with some changes to the way SecDefaultAction
works and, in this case, if the rules do not specify a “phase”. We
will be releasing 1.6.1 of the rules shortly, but in the meantime, you can test
this by adding “phase:2” to your XSS rules and then retest. It
should then properly inherit the SecDefaultAction settings.
[mailto:email@example.com] On Behalf Of J Amuse
Sent: Thursday, April 24, 2008
SecDefaultAction not denying request
I'm using the default Core ModSecurity Rule Set ver.1.6.0 and set the
default action to:
I then sent a test XSS request like: http://target/?<script>alert('xss')</script>
which shows up in the logs as an XSS attack, but I get a 200 response as
opposed to a 403 response back. How can I debug this problem?
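The workaround from the reply, shown as an added configuration example (not taken from the thread or from the Core Rule Set itself); the directives, the rule pattern and the rule ids are assumptions for illustration, and the 403 status mirrors the behaviour the original poster expected.

```apache
# Added example, not from the thread. Assumes a ModSecurity 2.5-era setup.
# The default action: any rule that inherits it logs and denies with 403.
SecDefaultAction "phase:2,deny,status:403,log,auditlog"

# Weak form (the 1.6.0 behaviour described in the reply): the rule carries no
# phase, so it does not inherit the SecDefaultAction settings. A matching
# request such as /?<script>alert('xss')</script> is logged as XSS but the
# client still receives a 200.
SecRule ARGS_NAMES|ARGS "<script" \
    "id:900001,t:urlDecodeUni,t:lowercase,msg:'XSS Attack (no phase)'"

# Corrected form: an explicit phase:2 on the rule lets it pick up
# deny,status:403,log from SecDefaultAction, so the same request gets a 403.
SecRule ARGS_NAMES|ARGS "<script" \
    "phase:2,id:900002,t:urlDecodeUni,t:lowercase,msg:'XSS Attack (phase:2)'"

# Check after reloading: the audit log should show the rule id and the
# response status for the test request should be 403, not 200.
```

Reload the server and repeat the original test request against a staging host; compare the status in the access log and the audit log entry for each rule id to confirm which form actually blocked.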