Tolerim
a month ago
How can I prevent a false positive in ModSecurity when using an input form with the POST method on shared hosting?
https://wa.me/111111111?text=Olá Katarina, tudo bem?
ModSecurity: Access denied with code 429 (phase 2). Operator GE matched 5 at TX:anomalyscore. [file "/usr/share/modsecurity-crs-new/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASPCRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
ModSecurity: Warning. Operator GE matched 5 at TX:inboundanomalyscore. [file "/usr/share/modsecurity-crs-new/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=5,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"]
<!DOCTYPE html>
<html>
<head>
<title>My Form</title>
</head>
<body>
<form action="test2.php" method="post">
<input type="text" name="my_text">
<input type="submit" value="Submit">
</form>
</body>
</html>
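The two log lines quoted above come from the CRS rules that evaluate and report the anomaly score, not from the rule that matched the input. The Node.js sketch below is an added example, not part of the original post: it parses those two lines (embedded as sample input) to show which attack category and paranoia level produced the score. The function names are illustrative.

```javascript
// Sample input: the two log lines quoted in the question, copied as-is.
const SAMPLE_LOG = [
  'ModSecurity: Access denied with code 429 (phase 2). Operator GE matched 5 at TX:anomalyscore. [file "/usr/share/modsecurity-crs-new/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASPCRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]',
  'ModSecurity: Warning. Operator GE matched 5 at TX:inboundanomalyscore. [file "/usr/share/modsecurity-crs-new/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=5,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"]',
];
// Rule ids on this page that only evaluate or report the score; they detect nothing themselves.
const EVALUATION_IDS = new Set(["949110", "980130"]);

// Collect every [key "value"] pair of one log line; repeated keys (tag) become arrays.
function parseFields(line) {
  const fields = {};
  for (const [, key, value] of line.matchAll(/\[(\w+) "((?:[^"\\]|\\.)*)"\]/g)) {
    if (!fields[key]) fields[key] = [];
    fields[key].push(value);
  }
  return fields;
}

// Split the 980130 message into per-category scores and per-paranoia-level scores.
function parseScores(msg) {
  const scores = {};
  for (const [, name, n] of msg.matchAll(/\b([A-Z]+)=(\d+)/g)) scores[name] = Number(n);
  const pl = /paranoia level scores: ([\d, ]+)/.exec(msg);
  const paranoia = pl ? pl[1].split(",").map((s) => Number(s.trim())) : [];
  return { scores, paranoia };
}

// Summarise a set of log lines: who blocked, what detected, which category scored.
function triage(lines) {
  const report = { denied: [], detections: [], categories: {}, paranoia: [] };
  for (const line of lines) {
    const f = parseFields(line);
    const id = (f.id || [])[0];
    if (!id) continue; // not a rule log line
    if (/Access denied/.test(line)) report.denied.push(id);
    if (!EVALUATION_IDS.has(id)) report.detections.push(id);
    if (id === "980130") {
      const { scores, paranoia } = parseScores((f.msg || [""])[0]);
      for (const [k, v] of Object.entries(scores)) if (v > 0) report.categories[k] = v;
      report.paranoia = paranoia;
    }
  }
  return report;
}

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```

An empty `detections` list means the quoted lines contain only the evaluation rules. The rule that actually matched the input is logged in a separate entry, and its id is the one an exclusion would need to name.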
Answers(2)
Vogi
a month ago
Verified Answer
I'm sorry to hear that you are experiencing issues with your HTML POST form. It seems that the issue is related to ModSecurity, which is a Web Application Firewall (WAF) that filters and blocks known malicious HTTP requests. The error message you received indicates that the rule REQUEST-949-BLOCKING-EVALUATION was triggered. This rule is part of the OWASP ModSecurity Core Rule Set (CRS), which is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.
It is possible to turn off ModSecurity rules based on IP. To allowlist your public IP, you can get your public IP by using https://anto.online/tools/what-is-my-public-ip/. Next, open the modsecurity.conf file, and add the rule below:
This will turn off the rule engine for requests coming from your IP address.
Regarding your question about double URL encoding being a possible solution, it is not recommended as it can cause issues with some web servers and applications.
I hope this helps!
Sources
Enable extra web security on a website – DreamHost Knowledge Base
How to disable ModSecurity rules that cause 403 errors
OWASP ModSecurity Core Rule Set | OWASP Foundation
apache - Why does OWASP modsecurity block remote file inclusion for ...
Tolerim
a month ago
It seems like ModSecurity is blocking the form submission due to the question mark at the end of the input. One way to handle this issue would be to encode the input properly using JavaScript's encodeURIComponent() function, which will properly encode special characters like question marks. Additionally, you could try modifying the ModSecurity rules if you have access to them, but that may not be possible in a shared web hosting environment.
Here's an example of how you can use encodeURIComponent() to encode the input:
<!DOCTYPE html>
<html>
<head>
<title>My Form</title>
</head>
<body>
<form action="test2.php" method="post">
<input type="text" name="my_text" id="my-text-input">
<input type="submit" value="Submit" onclick="submitForm()">
</form>
<script>
function submitForm() {
const input = document.getElementById("my-text-input");
input.value = encodeURIComponent(input.value);
}
</script>
</body>
</html>
In this example, we have added an id attribute to the input field so that we can select it in JavaScript later. We have also added an onclick event handler to the submit button that calls the submitForm() function. This function gets a reference to the input field using document.getElementById() and sets its value to the encoded input using encodeURIComponent(). This way, the input will be properly encoded before it is submitted to the server, which should prevent ModSecurity from blocking it.